Hacker News

dan, because you are holding the CC information on your site and POSTing it out to external services at authorize.net, did you have to do any work for the "PCI" compliance/privacy stuff I see?

I read a few posts on forums that if the customer financial data is ever on a page you wrote, you come under the realm of at least some PCI compliance because of a possible XSS attack getting that information out of your forms.

That made the hosted "checkout" pages seem a lot more attractive to me... curious how you handled this.

You're right, doing it yourself requires PCI compliance. I've done all that work and my servers get a compliance scan every quarter. That's just tangential to patio's argument (that it's technically difficult to offer a better billing experience than an outsourced service).

Thing is, everything PCIDSS says you have to do when payment data passes through your servers is security 101. If you're not already doing 90% of these things, you're just waiting to be hacked anyway. Instead of thinking of it as a burden for payment processing, think of it as something every professional online business should have been doing anyway.


"PCI Compliance" is like keeping a driver's education book in your glove compartment. It's good because every once in a while you find it and it makes you think about safety. Unfortunately it does absolutely nothing to actually make you safer.

Lots of bark, absolutely no bite. There is not a single case where a bank will shut you off and stop getting your processing fees.
