That's the reason we avoid needing PCI compliance by not accepting or storing cardholder data ourselves. Using a third-party processor makes life many, many times easier. I've had recent experience with 4 and would recommend Braintree and PaySimple. Superb support, reasonable rates, good, documented APIs (especially Braintree), and are generally thoughtful companies.
Authorize.net's pre-sales staff is really disorganized, but once you're signed up, it works okay. Trust Commerce's email response time is sluggish, though their Citadel product does fine.

All 4 have an API for client-initiated recurring billing (where your Web server receives the card number, sends it synchronously to the processor, receives a token/GUID for that card, and stores only the GUID). I've also encountered e-xact.com, which seems to do this (from their web site).

Braintree goes further by letting you avoid even the PCI Self-Assessment Questionnaire (SAQ) with their transparent redirect service. While you still serve the shopping cart page, the form posts directly to Braintree, then you receive a token back (without ever seeing/transiting the card number).

http://braintreepaymentsolutions.com/pci-dss-compliance

Those are all geared for recurring transactions or for letting users keep their card numbers on file for repeat purchases. Make sure you're ready to integrate with the API yourself, or find a shopping cart which has support for card tokenization (like ActiveMerchant). Doing one-time transactions where users always enter their card number is much easier.

Hope this helps,
Troy

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
