My merchant account provider has started pushing PCI compliance requirements. I was assigned a Level 4 SAQ D profile because I use the Zen Cart Authorize.net AIM module, which means the customer enters the card information on my website and it is then transmitted (encrypted via SSL) to Authorize.net for processing. The "transmission" of data is what is making me fall under SAQ D: even though no cardholder data is stored, they are still saying I am SAQ D since the info is still entered on my website for transmission.
Which to me seems ridiculous when you look at the requirements of SAQ D and a list of nearly 300 questions to complete; as a very small business owner it is just a nightmare. And yet this seems very common for online businesses to accept payment directly on the website... it's how most e-commerce shops operate! It's so confusing.
I feel like I am being forced toward using offsite payment methods like PayPal, which defeats the purpose of having a merchant account in the first place: a smooth shopping experience for the customer. I mean, obviously I want my website to be secure and follow standard procedures for accepting credit cards, but it just seems like this is extreme.
Is it really true that using the Authorize.Net AIM payment module makes you fall under SAQ D (or any similar method where the customer enters the information on a form on your website and it is transmitted to a payment gateway via your shopping cart software)? My merchant account provider kept insisting it is. How are other small businesses using this payment method and Zen Cart (or similar) handling this issue?
I have been using WPP on a few websites for a while. I have not been asked to achieve PCI DSS compliance so far and have been accepting payments for about 3 months. My host is PCI DSS compliant; if you want the host name, send me a PM and I will let you know. I would not worry too much though, as it is unlikely a CC company will require a PCI compliance audit of you.
You want to look for a payment interface that qualifies for PCI SAQ-A. I know we have one, but I'm all but certain there are others (http://www.shift4.com/pr_20110913_Zen_Cart_Payments.cfm). The key point to qualify for SAQ-A is that card information cannot touch the Zen Cart server and instead must only go to a PCI certified third-party gateway. Hope this helps.
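The distinction the answers above turn on is whether the primary account number (PAN) ever passes through the merchant's own web server. The following is an added illustration, not code from the thread, Zen Cart, Authorize.net or Shift4: it constructs the two request shapes a merchant endpoint would see (an AIM-style direct post of card details versus the return post from a gateway-hosted payment page), then scans the fields for Luhn-valid PAN-like values to show which flow puts cardholder data in scope. Field names, the test card number and the gateway reference are constructed sample data, and the `scope_hint` wording is an assumption based on the thread's own framing, not an official SAQ eligibility determination.

```python
import re

# Constructed example of an AIM-style flow: the customer's browser POSTs the
# card details to the merchant server, which forwards them to the gateway.
AIM_STYLE_POST = {
    "order_id": "1001",
    "cc_number": "4111 1111 1111 1111",  # well-known test PAN, constructed
    "cc_expiry": "12/29",
    "cc_cvv": "123",
    "amount": "49.95",
}

# Constructed example of a gateway-hosted flow: the card form lives on the
# gateway, and the merchant server only receives a transaction reference.
HOSTED_RETURN_POST = {
    "order_id": "1001",
    "transaction_id": "txn-abc123",   # constructed gateway reference
    "auth_code": "X1Y2Z3",
    "amount": "49.95",
}

# Candidate PANs are 13 to 19 digits once spaces and hyphens are removed.
PAN_CANDIDATE = re.compile(r"^[0-9]{13,19}$")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right,
    subtract 9 from doubled values above 9, and require the sum to be a
    multiple of 10."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(fields: dict) -> list:
    """Return the names of form fields whose value looks like a PAN.

    Short numeric values (CVV, order ids) and non-numeric references are
    ignored; only 13-19 digit, Luhn-valid strings are reported."""
    hits = []
    for name, value in fields.items():
        normalized = re.sub(r"[ -]", "", str(value))
        if PAN_CANDIDATE.match(normalized) and luhn_valid(normalized):
            hits.append(name)
    return hits


def scope_hint(fields: dict) -> str:
    """Summarize whether cardholder data reached the merchant server."""
    pans = find_pans(fields)
    if pans:
        return "cardholder data touches merchant server (fields: %s)" % ", ".join(pans)
    return "no cardholder data seen on merchant server"


if __name__ == "__main__":
    print("AIM-style post:   ", scope_hint(AIM_STYLE_POST))
    print("hosted-page return:", scope_hint(HOSTED_RETURN_POST))
```

Running the same check over real request logs (with the PAN masked before anything is written to disk) is a quick way to confirm which category a given cart configuration actually falls into, rather than relying on the module's description alone.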