Is Authorize.net PCI Compliant?

Published Aug 29, 2025

Yes, Authorize.net is PCI compliant as a service provider.

However, merchant PCI compliance is a shared responsibility, and using Authorize.net does not automatically make a business fully compliant. The specific tools and integration methods a merchant chooses, and how they handle cardholder data, determine their individual compliance requirements.

Authorize.net's role in PCI compliance

As a payment gateway, Authorize.net handles the secure transmission of credit card data from a merchant to the payment processor. Authorize.net is responsible for its own internal compliance, which includes:

  • Annual Attestation of Compliance (AoC): Authorize.net confirms its own compliance with the Payment Card Industry Data Security Standard (PCI DSS) on an annual basis.
  • Secure infrastructure: The company maintains a robust, secure infrastructure, using technologies like encryption and tokenization to protect sensitive data.
  • Official validation: You can verify Authorize.net's status as a compliant service provider on the Visa Global Registry of Service Providers.
  • Partnership with security experts: Authorize.net partners with companies like SecurityMetrics to help merchants validate and simplify their own compliance efforts.

The merchant's ongoing responsibility

A merchant's level of PCI compliance depends on how they interact with customer cardholder data. Using Authorize.net can significantly reduce a merchant's scope of compliance, but it does not eliminate it.

How integration method affects compliance

The way a merchant integrates with the payment gateway is a major factor in their compliance obligations.

Lowest PCI burden (SAQ A or SAQ A-EP):

  • Accept.js: This method uses a JavaScript library to transmit card details directly from the customer's browser to Authorize.net. The sensitive data never touches the merchant's servers, which dramatically reduces the merchant's PCI burden.
  • Hosted Payment Form: Authorize.net's pre-built payment form handles all the cardholder data entry and submission. Like Accept.js, this keeps sensitive data off the merchant's servers.
  • Self-Assessment Questionnaire (SAQ): These integration methods often allow a merchant to fill out the simplest compliance form, SAQ A or SAQ A-EP.

Higher PCI burden (SAQ C or SAQ D):

  • Advanced Integration Method (AIM) / Server Integration Method (SIM): Legacy integration methods may require a merchant to collect card data on their own servers before sending it to Authorize.net.
  • Expanded scope: If card data passes through or is stored on a merchant's servers, their PCI scope broadens considerably. This includes additional requirements for network security, data protection, and regular vulnerability scanning.
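
A merchant who relies on Accept.js to stay in the lower-burden category can enforce that on the server by rejecting any request that carries card data instead of the opaque token. The guard below is an added example, not code from Authorize.net or from this article; the `opaqueData.dataDescriptor` / `opaqueData.dataValue` body shape, the forbidden key list and the function names are assumptions, and the sample bodies are constructed.

```javascript
// Added example: server-side guard for a token-only (Accept.js-style) integration.
// Assumed body shape: opaqueData.{dataDescriptor,dataValue}; key list is illustrative.
const FORBIDDEN_KEYS = new Set(["cardnumber", "cardcode", "cvv", "cvc", "pan"]);
const TOKEN_PATH = "opaqueData.dataValue"; // opaque token itself is not scanned

// Luhn checksum: true for digit strings that are plausible card numbers.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Find 13-19 digit runs (single spaces or dashes allowed) that pass Luhn.
function containsPan(text) {
  const candidates = String(text).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// Walk the parsed body and return the field paths that would put the server in scope.
function findCardData(value, path = "") {
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => {
      const p = path ? `${path}.${k}` : k;
      const hits = FORBIDDEN_KEYS.has(k.toLowerCase()) ? [p] : [];
      return hits.concat(findCardData(v, p));
    });
  }
  if (path === TOKEN_PATH) return [];
  return containsPan(value) ? [path] : [];
}

// Accept the request only if it carries a token and no card data anywhere.
function checkPaymentBody(body) {
  const violations = [...new Set(findCardData(body))];
  const od = body && body.opaqueData;
  const hasToken = Boolean(od && od.dataDescriptor && od.dataValue);
  return { ok: hasToken && violations.length === 0, hasToken, violations };
}

// Constructed sample bodies (4111111111111111 is a widely used test number).
const tokenOnly = { orderId: "A-1001", amount: "19.99",
  opaqueData: { dataDescriptor: "COMMON.ACCEPT.INAPP.PAYMENT", dataValue: "eyJjb2RlIjoiNTBfMl8wNj" } };
const leaked = { orderId: "A-1002", note: "card 4111 1111 1111 1111",
  payment: { cardNumber: "4111111111111111", cardCode: "123" } };
console.log(checkPaymentBody(tokenOnly), checkPaymentBody(leaked));
```

Rejecting and logging only the violating field paths, never the values, keeps the card data out of application logs as well.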

Key merchant responsibilities

Regardless of the integration method, merchants must take several steps to maintain compliance:

  • Conduct annual validation: Merchants must complete an annual Self-Assessment Questionnaire (SAQ) and, depending on their transaction volume and processing method, may also need to conduct quarterly network scans.
  • Protect card data: This includes both physical and digital security. Measures like firewalls, strong passwords, and restricted access to cardholder data are essential.
  • Train employees: Employees who handle payment information must be trained on how to securely manage it.
  • Maintain an information security policy: All personnel should be familiar with the company's security policies and procedures.

The bottom line for merchants

A merchant using Authorize.net is never fully "PCI compliant" simply by being a customer. While Authorize.net ensures that its products and infrastructure are compliant, merchants must use these tools correctly and manage their own payment environments securely. Relying on methods like Accept.js or the Hosted Payment Form can significantly reduce the complexity of the merchant's PCI obligations, but it does not eliminate them. Merchants should work with a PCI expert, such as Authorize.net's partner SecurityMetrics, to accurately determine and validate their compliance status.
