Introducing Hosted Fields: a PCI Solution that Doesn’t Compromise Your Control

Last year, the PCI Council released new requirements regarding browser-based checkouts. Now, to meet the simplest set of requirements (called SAQ A), you must delegate "all cardholder data functions to PCI DSS validated third-party service providers." In effect, this means that if the fields in your checkout are not hosted on a domain controlled by a payments provider, like Braintree, you may be responsible for a much larger assessment than you would have otherwise completed.

Today, we’re releasing Hosted Fields, a solution that creates the required iframes, yet gives merchants complete control over the style and layout of their checkout experience. Think of these fields as directly connected to Braintree, but invisible to your customer; they live seamlessly within your existing HTML, and they securely transmit the data directly to Braintree’s servers. Everything around these fields is styled to your specifications.

By evaluating some of the constraints with traditional iframe-based integrations, we found that we could provide a solution that is minimally invasive for both the merchant and the end user alike.

How do I know if I might be affected?

As before, individual requirements are determined by how your systems handle any credit card data provided by your customers, but that determination has been segmented a bit further:

Do I need to take action?

If you’ve integrated the SDK and you use our Drop-in UI, your work here is done; that method continues to meet the compliance requirements of SAQ A. But, if you’re a current merchant using another Braintree integration, this is where Hosted Fields comes into play:

You can integrate quickly, maintain control, and keep doing what you do best—all while we help keep your sensitive data secure.

If you are interested in learning more about Hosted Fields, check out our docs or contact us at

We're always looking for ways to improve our products and to that point, the next step for Hosted Fields is building in resistance to iframe tampering. Stay tuned as we continue to iterate.

John Downey John Downey is the Security Lead at Braintree. In his free time he contributes to open source projects and mentors high school students in the FIRST Robotics Competition. More posts by this author

You Might Also Like