We don't store raw magnetic stripe data, card validation codes (CAV2, CID, CVC2, CVV2), or PIN block data. PCI DSS prohibits storing this sensitive authentication data after authorization.
Cardholder data is managed in the Braintree Vault using established data security and encryption methods. For example, we use multiple encryption keys with split knowledge and dual control, so no single person holds a complete key. A data thief who copied the database would have only ciphertext and could not make use of it without also having the keys, which are held separately. The data store where cardholder data is kept is not reachable from the internet.
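The split knowledge and dual control pattern described above, as an added illustration that is not Braintree's code: two custodians each hold one random component of a key-encrypting key (KEK); either component alone is indistinguishable from random, the KEK exists only while both are presented, and the database holds nothing but the wrapped data key and the ciphertext. The cipher is an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, chosen only so the example runs on the Python standard library; a real vault would use AES-GCM (or similar) inside an HSM. The PAN used is the constructed test number 4111111111111111, and the function and field names are the example's own.

```python
"""Split knowledge / dual control for stored cardholder data (added example,
not Braintree's code). Two custodians each hold one random component of the
key-encrypting key (KEK). Each component alone reveals nothing; only when all
are presented is the KEK assembled, used to unwrap a data-encrypting key (DEK),
and discarded again. The database stores only the wrapped DEK and the PAN
ciphertext, so a stolen copy of it cannot be decrypted without the components.

The cipher below (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) is
a standard-library stand-in for AES-GCM; production systems keep this in an HSM.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(kek: bytes, custodians: int = 2) -> list[bytes]:
    """XOR secret sharing: every component is required; any subset that is
    missing even one component is uniformly random."""
    parts = [secrets.token_bytes(len(kek)) for _ in range(custodians - 1)]
    last = kek
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def assemble_key(parts: list[bytes]) -> bytes:
    """Dual control: the KEK exists only while every custodian's part is present."""
    kek = bytes(len(parts[0]))
    for p in parts:
        kek = _xor(kek, p)
    return kek


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one 256-bit key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting; a wrong key or altered record is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def store_card(pan: str, kek: bytes) -> dict:
    """Envelope encryption: a fresh DEK encrypts the PAN and the KEK wraps the DEK.
    Only these two ciphertexts go to the database. The CVV is never passed in,
    let alone stored (PCI DSS forbids retaining it after authorization)."""
    dek = secrets.token_bytes(KEY_LEN)
    return {"wrapped_dek": encrypt(kek, dek), "pan_ct": encrypt(dek, pan.encode())}


def read_card(record: dict, kek: bytes) -> str:
    dek = decrypt(kek, record["wrapped_dek"])
    return decrypt(dek, record["pan_ct"]).decode()


if __name__ == "__main__":
    # Key ceremony: in practice each custodian generates their own component and
    # the KEK itself is never written down; here it is generated and split.
    custodian_a, custodian_b = split_key(secrets.token_bytes(KEY_LEN))
    kek = assemble_key([custodian_a, custodian_b])
    record = store_card("4111111111111111", kek)  # constructed test PAN
    print(read_card(record, kek))
    try:
        read_card(record, custodian_a)  # one custodian alone cannot decrypt
    except ValueError as e:
        print("single component rejected:", e)
```

Note that a stolen `record` is useless on its own: the attacker needs the KEK, which requires every custodian's component. The XOR split gives no threshold (all parts are needed); where you also want to survive a lost component, a threshold scheme such as Shamir's would replace `split_key`/`assemble_key` without changing the envelope layer.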
We require users to authenticate each time they use the application. Passwords are never stored in plaintext in the database, and all API and control panel communication between merchants and Braintree is conducted over TLS (Transport Layer Security).
We develop our code with the security of our systems and your data in mind. We also review and monitor employee, customer, and vendor activity, along with system access, to guard against suspicious or unauthorized activity.
At least quarterly, we run automated vulnerability scans. In addition, at least once a year we have extended penetration testing conducted by outside parties.
Our network is secured with minimal, audited access to and from outside networks, and we take additional steps to protect our internal networks.