Businesses today, particularly those that deal in card-not-present sales, face increased data security challenges. The primary data security framework, PCI Compliance, can be expensive, time consuming and difficult. Moreover, it seems to leave many businesses complacent, believing that the relatively static PCI Data Security Standard (DSS) is an all-encompassing and sufficient approach to attaining comprehensive data security, all the while those who threaten data security are constantly evolving their tactics. In truth, most threats can only be countered by real-time security measures that go beyond the Data Security Standard.
The simple solution would be for merchants to offload the responsibility of credit card data security altogether by adopting a Software-as-a-Service (SaaS) approach to card processing. Braintree Payment Solutions, for example, completely eliminates the handling, processing and storage of credit card data from a merchant environment, without changing the user experience, and provides the same payment processing capabilities as though the data were present. So even if a merchant’s database were to be breached, no credit card data would be present to be stolen. By using such a solution, merchants can reduce their PCI Compliance scope by as much as 90%.
Ecommerce
The most common method of processing credit cards today requires sensitive data to pass through the merchant’s environment after the cardholder initiates the transaction via the web. This method places the compliance burden and risk upon the merchant as it is handling, processing and potentially storing the credit card data.
Braintree eliminates a merchant’s need to handle, process or store credit card data by receiving and processing the authorization request directly. This approach does not change the user experience as it’s done behind the scenes and is entirely transparent to the user.
With this approach, merchants do not need to use a hosted payments page, which can increase shopping cart abandonment. The merchant still appears front-and-center to the cardholder and controls every aspect of the checkout process, including the checkout URL, the webpage and the response page.
Subsequent or recurring payments
If merchants wish to utilize the credit card data for subsequent or recurring payments, they can simultaneously request a “token” at the time of the authorization. The token can then be used in place of the actual credit card information and stored locally for subsequent or recurring payments, removing the security risk of storing the actual data.
Phone, Fax & Email Payments
For credit cards taken over the phone, by fax or through the mail, merchants can take one of two approaches to increase credit card data security and minimize PCI scope:
With either approach, merchants are able to replace credit card numbers with tokens that can then be run through internal applications without exposing them to threats or incurring storage responsibilities.
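The token model described under "Subsequent or recurring payments" and again above can be made concrete with a small simulation. This is an added example and not Braintree's code or API: ProcessorVault stands in for the processor-side vault that holds card numbers, MerchantStore for the merchant's own database, and the class and function names, the customer id and the card number (a constructed, Luhn-valid test number) are all assumptions. The point it shows is that the token is random rather than an encrypted or hashed card number, so a copy of the merchant database contains nothing that a scanner looking for card numbers (13 to 19 digits, Luhn-valid) can find, while the same scanner does flag the untokenized "before" layout.

```python
import json
import re
import secrets


class ProcessorVault:
    """Stand-in for the processor-side vault that holds card numbers.

    The merchant never runs this code; it only ever sees the opaque token
    the vault hands back. Hypothetical class, not a Braintree API.
    """

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, not an encryption or hash of the PAN, so a
        # stolen token cannot be turned back into a card number off-line.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        # The PAN is resolved only inside the vault, at charge time.
        pan = self._pan_by_token[token]
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


class MerchantStore:
    """What the merchant keeps: a token and the last four digits, nothing more."""

    def __init__(self):
        self.customers = {}

    def save_payment_method(self, customer_id: str, token: str, last4: str) -> None:
        self.customers[customer_id] = {"token": token, "last4": last4}

    def dump(self) -> str:
        # What an attacker would obtain from a copy of the merchant database.
        return json.dumps(self.customers)


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell card numbers apart from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(blob: str) -> list:
    """Return digit runs in blob that look like card numbers (13-19 digits, Luhn-valid)."""
    return [m for m in PAN_RE.findall(blob) if luhn_ok(m)]


def tokenized_flow(pan: str, amount_cents: int):
    """Card data goes to the vault; the merchant stores only the token."""
    vault = ProcessorVault()
    store = MerchantStore()
    token = vault.tokenize(pan)  # card data never touches the merchant database
    store.save_payment_method("cust_42", token, pan[-4:])  # hypothetical customer id
    first = vault.charge(token, amount_cents)
    # A later recurring charge uses only what the merchant stored: the token.
    renewal = vault.charge(store.customers["cust_42"]["token"], amount_cents)
    return store, first, renewal


def untokenized_dump(pan: str) -> str:
    """The 'before' picture: the merchant persisted the card number itself."""
    return json.dumps({"cust_42": {"card_number": pan, "exp": "12/30"}})


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # constructed, Luhn-valid test number, not a real card
    store, first, renewal = tokenized_flow(TEST_PAN, 1999)
    print("card numbers found in tokenized merchant DB:", find_pans(store.dump()))
    print("card numbers found in untokenized merchant DB:", find_pans(untokenized_dump(TEST_PAN)))
    print(first, renewal)
```

The scanner is the check a merchant can run over its own backups and logs to confirm that scope reduction is real: if anything Luhn-valid of card-number length turns up outside the vault, card data is still being handled locally and the tokenization is incomplete.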
Payments portal
Using Braintree’s API, merchants can maintain a customer payments portal whereby consumers can add, update and delete payment types as well as maintain shipping and billing addresses. No credit card data ever passes through the merchant environment when doing this.
Summary
Merchants have their hands full running their businesses – staying ahead of the competition, remaining viable in their industry and attracting customers – but because the stakes are so high, credit card data security and PCI Compliance can gobble up a disproportionate amount of resources. Solutions that can eliminate the handling, processing and storage of credit card data without changing the user experience present a highly compelling value proposition, especially if they are able to work transparently in an existing environment with little to no disruption.