Our company uses e-commerce sites to sell products. They include sites like Kalio, Magento, and Amazon. As we have an ERP backend system, we have the e-commerce site run the initial CC validation through Auth.net and we then receive a token; we then use that token with Auth.net to do a value authorization and a capture.
Sometimes the card is declined after we receive a token from Auth.net. As the order has been processed into the system, we had created a webpage that would allow a customer to change their CC for that order. They type in CC data (it is shttp) and on button click it runs the Auth.net API to validate the card, then we update the order with the token. In this way, we never save CC data, but according to PCI standards, hosting that page on our servers is a threat vector.
What I am trying to see is if there is a way, or if anyone has used a process to validate the CC data without hosting a page. Amazon allows you to change payment methods on their site, but as we treat them as pre-pay, that is moot. Is there a mechanism on Auth.net, Magento (or Kalio) that would allow a customer to change a card and signal that the card changed and get the new Auth.net token?
PCI can be a tricky thing. Anyone processing credit card transactions is required to be PCI compliant, but there are several different levels. The lowest recommended level is SAQ-A-EP, which can be met with just a simple self-attestation. You can stay in this level using a page that you host, but the key is that you must not pass the values to your server. If Auth.Net has a way for you to make a client-side call, then you are passing the information directly to them and the data is not passing through your servers. We work with USIO and they have a product called Checkout which is designed with this process in mind to keep integrators out of the higher PCI compliance
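The client-side call the answer describes, worked through as an added example for the "replace the card on an existing order" page (this is not code from the question, the answer, or Authorize.Net). It assumes Authorize.Net's Accept.js library and its documented `Accept.dispatchData(secureData, callback)` shape; the form field names and the server endpoint are hypothetical.

```javascript
// Added example. Browser side: the card fields are handed to Accept.js (sandbox
// script https://jstest.authorize.net/v1/Accept.js), which posts them straight
// to Authorize.Net and hands back an opaque nonce; our own server only ever
// receives that nonce plus the order id. Form field names are hypothetical.
function requestPaymentNonce(form, authData) {
  return new Promise((resolve, reject) => {
    const secureData = {
      authData, // { apiLoginID, clientKey }: the public client key, not the transaction key
      cardData: {
        cardNumber: form.cardNumber.value.replace(/\s+/g, ''),
        month: form.expMonth.value, year: form.expYear.value, cardCode: form.cvv.value,
      },
    };
    window.Accept.dispatchData(secureData, (response) => {
      if (response.messages.resultCode === 'Error') {
        reject(new Error(response.messages.message.map((m) => m.text).join('; ')));
      } else {
        resolve(response.opaqueData); // { dataDescriptor, dataValue }: post only this to our server
      }
    });
  });
}

// Server side: accept only the exact { orderId, opaqueData } shape, so a mis-wired
// form cannot quietly route card data through our servers and back into PCI scope.
const ALLOWED_KEYS = ['orderId', 'opaqueData'];
const ACCEPT_DESCRIPTOR = 'COMMON.ACCEPT.INAPP.PAYMENT'; // descriptor Accept.js returns

function luhnValid(s) { // standard mod-10 check over a digit string
  let sum = 0;
  for (let i = s.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    const d = Number(s[i]) * (dbl ? 2 : 1); sum += d > 9 ? d - 9 : d;
  }
  return sum % 10 === 0;
}

function validateReplaceCardRequest(body) {
  const extra = Object.keys(body).filter((k) => !ALLOWED_KEYS.includes(k));
  if (extra.length) return { ok: false, error: `unexpected fields: ${extra.join(', ')}` };
  const od = body.opaqueData;
  if (!od || od.dataDescriptor !== ACCEPT_DESCRIPTOR || typeof od.dataValue !== 'string') {
    return { ok: false, error: 'missing or malformed opaqueData' };
  }
  // A Luhn-valid 13-19 digit run anywhere in the payload is treated as a PAN and rejected.
  for (const v of [body.orderId, od.dataValue]) {
    if ((String(v).match(/\d{13,19}/g) || []).some(luhnValid)) {
      return { ok: false, error: 'payload contains what looks like a card number' };
    }
  }
  return { ok: true, orderId: String(body.orderId), opaqueData: od };
}
```

The server-side guard is what keeps the hosted page at the SAQ-A-EP level in practice: even if someone later edits the form to post the raw fields, the request is refused rather than silently processed.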