Pci Compliance For Online Merchant Accounts

By Author: Bryan Johnson 1
Total Articles: 19
Comment this article

Since the PCI Compliance standard was introduced, online merchants have been dealing with three realities:

First, both business and IT professionals are experiencing the Iceberg effect. Achieving AND maintaining compliance is more complicated, more costly and more resource intensive than anticipated.

Second, compliance does not equal security. As a number of recent breaches have demonstrated, online merchant accounts that spent a significant amount of time and money to achieve compliance are still getting breached and suffering the financial and public relations consequences.

Third, compliance today does not equal compliance tomorrow. Achieving and Maintaining compliance internally is a constant battle. With new threats always emerging and the PCI standard continually evolving, internal resources will always be required to combat these changes.

For these reasons, online merchants are turning to Braintree Payment Solutions for our innovative solutions that address both the compliance and security challenges. Not surprisingly, with these realities the majority of our new business is coming from merchants ...
... that previously achieved compliance internally and became all too familiar with the challenges and short comings with that approach. With our approach, we don't just solve the problems, we make them go away.

Our solutions entirely eliminate credit card data from ever even entering a merchant environment. Merchants can achieve compliance in as few as 90 days by meeting less than 20 controls, and without credit card data in a merchant environment, nothing is present to be stolen if breached. Your organization then has the freedom to operate in the optimal environment by reducing the amount of PCI-related policies, controls and procedures that must be followed and documented. Finally, merchants are realizing all these benefits while dramatically reducing their overall PCI compliance costs.

Best of all, with Braintree, there is no change to the user experience and merchants don't lose any control or functionality of the credit card data. And with our solutions being platform agnostic, merchants can seamlessly integrate into their existing IT environment with minimal disruption to process or work flow.

Let's look at the payment process most merchants use today. Cardholders enter their payment details on the merchant's webpage and clicks the submit button. The credit card data passes through the merchants server and then does an https server to server call to a online payment gateway. The online payment gateway obtains the credit card authorization from the issuing financial institution, and then returns the authorization approval to the merchant. The merchant then displays the appropriate page to the customer.

The issue with this approach is that the merchant handles, transmits, and potentially stores the credit card information in their environment, expanding PCI scope and increasing vulnerabilities for potential breaches by malicious hackers or rogue employee. Our solutions entirely eliminate credit card data from ever even entering a merchant environment. Transparent Redirect API eliminates the handling of credit card data for payments taken via website, phone, fax or mail and SecureVault which remotely stores it for later use.

Now, let's look at the Braintree's online payment gateway process using Transparent Redirect. After the cardholder enters their credit card details and clicks the submit button, the information is posted directly to Braintree's payment gateway for authorization, instead of passing through the merchant's server. Braintree then requests the authorization from the financial institution and returns the response to the merchant securely redirected through the customer's browser. The merchant then displays the appropriate page to the customer. Note, in this scenario, no credit card data ever entered the merchants environment and the experience was entirely transparent to the user. The transaction was initiated and completed entirely on the merchant's URL and webpage.

Braintree's approach is more secure and reduces PCI scope because the merchant does not handle the sensitive data. There are other solutions in the marketplace that also eliminate the handling of credit card data by completing transactions on a third party hosted page. Using this method, merchants lose control over the customer experience.

The second component of our solution is SecureVault. It remotely stores credit card information and is ideal for recurring billing and repeat purchases. SecureVault replaces credit card data with unique tokens, and can be done with or without doing a transaction. Tokens allow for the same functionality and control as though credit card data were present.

Secure vault is not limited to credit cards. Merchants can remotely store and access social security and drivers license numbers, bank account details and more. Tokens can be up to 32 alphanumeric characters and merchants can choose to match an existing numbering system or have them randomly generated. And can be used to initiate subsequent transactions.With the SecureVault, merchants can create a customer payment portal allowing cardholders to add, update and delete the payment instruments on file while showing recent transaction history - all without actually handling any credit card data.

Braintree's innovative solutions are being used today by merchants processing billions annually and our unique approach is regularly identified by industry experts as one of the best solutions for PCI Compliance.

Bryan Johnson is the author of this article on PCI Compliance. Find more information relating to online merchant account, and online payment gateway here.