Last year, the PCI Council released new requirements regarding browser-based checkouts. Now, to meet the simplest set of requirements (called SAQ A), you must delegate "all cardholder data functions to PCI DSS validated third-party service providers." In effect, this means that if the fields in your checkout are not hosted on a domain controlled by a payments provider, like Braintree, you may be responsible for a much larger assessment than you would have otherwise completed.
Today, we’re releasing Hosted Fields, a solution that creates the required iframes, yet gives merchants complete control over the style and layout of their checkout experience. Think of these fields as directly connected to Braintree but indistinguishable, to your customer, from the rest of your page; they live seamlessly within your existing HTML, and they transmit card data directly to Braintree’s servers, never through yours. Everything around these fields is styled to your specifications.
By evaluating some of the constraints of traditional iframe-based integrations, we found that we could provide a solution that is minimally invasive for the merchant and the end user alike.
How do I know if I might be affected?
As before, individual requirements are determined by how your systems handle any credit card data provided by your customers, but that determination has been segmented a bit further:
Do I need to take action?
If you’ve integrated the v.zero SDK and you use our Drop-in UI, your work here is done; that method continues to meet the compliance requirements of SAQ A. But, if you’re a current merchant using another Braintree integration, this is where Hosted Fields comes into play:
You can integrate quickly, maintain control, and keep doing what you do best—all while we help keep your sensitive data secure.
We're always looking for ways to improve our products and, to that point, the next step for Hosted Fields is building in resistance to iframe tampering. Stay tuned as we continue to iterate.