by drndown2007 5543 days ago
They also have CIM, Customer Information Manager, where you send the credit card info (thus never storing it yourself) and you get back a token. Any time you need to charge that card, you charge the token instead. PCI compliance is then on Authorize.net.

Even if you aren't storing card information, you are still subject to PCI compliance if the card information passes through your application/server. In the case where you are processing but not storing, you would need to complete the SAQ-C questionnaire and would still probably be subject to quarterly scans (the self-assessment for where you are storing data is SAQ-D).

https://www.pcisecuritystandards.org/merchants/self_assessme...

Pretty much every gateway has some kind of tokenization solution (or reference transaction solution) that accomplishes the same thing. They all call it something different and try to make it seem like it is unique, which can be confusing.

Unless you're also using one of those subscription-as-a-service startups to host the payment forms, no, PCI compliance is on you with CIM. The payment information passes through your server, so you're 100% required to meet all 200+ of the requirements of the standard, quarterly scans of your servers, etc. Secure storage is only one small subset of the requirements.