A client has asked me to set up card payments through authorize.net. However, I've noticed the Node SDK hasn't been updated in a year and their Node SDK is only mentioned on some of their doc pages (so I get the impression it's not a primary focus for them).
I have many years of experience using Braintree Payments and Stripe. They both have great support for Node, plus drop-in/hosted fields for React (frontend). This approach removed much of the PCI compliance requirements from my server.
However, my client cannot use Braintree or Stripe because they are selling restricted items which are not allowed by Braintree's and Stripe's ToS. They currently use Authorize.net and would like me to continue to support that on their new website.
It seems my only option is to directly send card details from my React frontend to my Node API server, which makes me uncomfortable. As Stripe's PCI guide says, there are 300+ security controls in PCI DSS which need to be met if you send PCI data to your servers.
Here is an example of their creditCard inputs on Node, taken from their examples GitHub repo.
var ApiContracts = require('authorizenet').APIContracts;

// Card data is built on the server here, which is exactly what puts the server in PCI scope.
var creditCard = new ApiContracts.CreditCardType();
creditCard.setCardNumber('4242424242424242'); // test card number
creditCard.setExpirationDate('0822');          // MMYY
creditCard.setCardCode('999');                 // card security code
var paymentType = new ApiContracts.PaymentType();
paymentType.setCreditCard(creditCard);
My question is:
While writing this question I found out that someone had the same concern as me in PHP/Magento in another Stack Overflow post.
Using Authorize.net's Accept.js, you can send payment details directly to their servers and use a payment nonce (like Braintree/Stripe) in place of the card details.
Accept.js is a JavaScript library for sending secure payment data directly to Authorize.Net. Accept.js captures the payment data and submits it directly to us, in exchange for a one-time-use token, or payment nonce. You can use this payment nonce in the place of payment data in a follow-on createTransactionRequest API call.
Our JavaScript library offers developers two workflow options for accepting payment:
- Option 1: Host your own payment form for a PCI-DSS SAQ A-EP solution that gives you complete control of the customer payment experience.
- Option 2: Embed our hosted, mobile-optimized payment information form in your page to collect the card information in a PCI-DSS SAQ A compliant way. For a fully hosted payment solution that you can redirect your customers to or embed as an iFrame within your page, see our documentation for Accept Hosted.
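As an added example (not code from the question, the answer, or Authorize.net), this is the server side of the Accept.js flow described above: the browser posts only the opaqueData nonce Accept.js returned, the server checks that no raw card data slipped in, and builds the createTransactionRequest body with the nonce in place of card details. The JSON field names follow Authorize.net's API; the guard logic, the `CONSTRUCTED_NONCE_...` value and the credential placeholders are assumptions of this example.

```javascript
// Accept.js nonces arrive with this descriptor; anything else is not a nonce.
const ACCEPT_DESCRIPTOR = 'COMMON.ACCEPT.INAPP.PAYMENT';

// Luhn check, used only to detect a raw card number that should never reach the server.
function passesLuhn(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Accept only a well-formed Accept.js nonce payload, and refuse any request that
// carries PAN-like data in other fields (a misconfigured form would otherwise pull
// the server into SAQ A-EP/D scope). The nonce itself is excluded from the scan.
function validateClientPayment(body) {
  const od = body && body.opaqueData;
  if (!od || od.dataDescriptor !== ACCEPT_DESCRIPTOR || typeof od.dataValue !== 'string') {
    return { ok: false, reason: 'missing or invalid Accept.js opaqueData' };
  }
  const scanned = JSON.stringify({ ...body, opaqueData: undefined });
  const candidates = scanned.match(/\d{13,19}/g) || [];
  if (candidates.some(passesLuhn)) {
    return { ok: false, reason: 'raw card number present in request; refuse and alert' };
  }
  return { ok: true };
}

// Build the createTransactionRequest JSON body. Merchant credentials come from the
// server environment (placeholders here), never from the client request.
function buildCreateTransactionRequest(auth, body, amount) {
  const check = validateClientPayment(body);
  if (!check.ok) throw new Error(check.reason);
  return {
    createTransactionRequest: {
      merchantAuthentication: { name: auth.name, transactionKey: auth.transactionKey },
      transactionRequest: {
        transactionType: 'authCaptureTransaction',
        amount: amount.toFixed(2),
        payment: { opaqueData: { dataDescriptor: ACCEPT_DESCRIPTOR, dataValue: body.opaqueData.dataValue } },
      },
    },
  };
}
```

The resulting object is what you would POST to the Authorize.net API endpoint (or hand to the SDK's CreateTransactionController); the card number never exists in your process.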