GetSirius

PCI Compliance?


Hello,

 

Can anyone tell me if I will have PCI compliance problems using the Braintree Add-on for osC 2.3.4? I notice it does not use Braintree's iframes solution. I would rather not have any card data touch my website. -Thank you!


I'm not familiar with Braintree, only having briefly looked at its website. There wasn't anything that jumped out at me saying that they handled credit card data entirely on their site (like most of the PayPal models), nor did they say that you would be handling such data (and thus require PCI compliance). I think that if you've already dug through their literature and haven't found such information, you're going to have to ask them. Specifically, does credit card information ever touch your site, requiring PCI compliance? Or is the customer taken to their site to make the payment?

 

My understanding of PCI is that if credit card numbers, CVV, etc. even pass through your site on the way to the payment service, you have to meet certain security requirements (not just SSL usage). It's even worse if you are going to store any of this data, even briefly. Updates and corrections are welcome.


A little more detail. The add-on: http://addons.oscommerce.com/info/9080

Add-on calls https://js.braintreegateway.com/v1/braintree.js
Add-on uses "data-encrypted-name" on the CVV and Card Number input fields only. All others are "name."
I do have SSL on my website.

 

Does anyone know if not using 'name' in a form field can stop that data from touching my server?

Would doing so only on the card number and CVV fields be enough for PCI?

 

I did just send this question in to Braintree, but I would like to know what other people might know about it.


The module is PCI compliant (both the older module version and the newer App versions). The card data never touches your server; Braintree processes it directly via JavaScript and returns a token which the module uses. The same goes for stored/vaulted cards, so this is safe to enable for your customers.

Edited by Harald Ponce de Leon

:heart:, osCommerce

