The PeC Review: Braintree Payment Solutions Protects Merchants and Customers

Without a safe, reliable means of processing payments, there would be no ecommerce. So it is not a surprise that managing payments and securing credit card and customer information is a major concern for online retailers.

Braintree Payment Solutions offers merchants a complete electronic payment service that quickly processes payments and keeps customer data secure, in most cases slashing a merchant’s payment card industry (PCI) compliance costs by 90 percent or more, according to the company.

I was a little skeptical when I was first introduced to the Braintree solution, but after reviewing its products, asking about IP spoofing (a hacking tactic wherein the hacker pretends to be a server it is not), and consulting with an experienced developer friend, I find myself awarding Braintree Payment Solutions four and a half out of a possible five stars in this, “The PeC Review,” my weekly attempt to introduce you to products or services that have the potential to improve your ecommerce business.

PCI Compliance

The PCI Security Standards Council sets the requirements that retail merchants must adhere to in order to process credit card payments. The PCI Data Security Standard (DSS) has 12 requirements that are designed to protect cardholder data.

It goes without saying that the PCI DSS represents the best practices for ensuring safe, online, card-not-present transactions, and to date no merchant in compliance with the PCI DSS has lost customer data that I am aware of.

But compliance with PCI DSS is not a one-time certification; rather, it is an ongoing process that must be maintained. In fact, many online or multi-channel merchants that have lost customer data were, at one time, PCI compliant, but for a variety of reasons something changed, and what was a secure network became vulnerable.

What If You Never Saw The Customer Data

Braintree specializes in maintaining its own PCI compliance, and simply protects merchants by ensuring that credit card data never enters a merchant’s possession. Rather, the solution transfers payment data directly from the customer’s Internet browser to secure Braintree servers.

In the Braintree model the merchant is, effectively, no longer responsible for credit card data from online orders, since that data was never in the merchant’s possession.

By contrast, most gateways pass customer credit card data through the merchant’s servers, even if those gateways mask the data from the merchant. While there are some services that offer a hosted option that masks customer data completely, these can change the user experience or usability.

No Change in Customer Experience

As mentioned above, other services mask or take customer data directly, but those other services rarely achieve the feat without changing the customer experience or limiting merchant controls.

But the Braintree solution works directly on the merchant’s checkout page, and lets the merchant retain control over how the user interacts with the shopping cart. There is no iFrame, no redirects.

Remote Credit Card Storage and Recurring Payments

When a merchant avoids handling a customer’s credit card data, that merchant avoids the risk associated with processing credit cards online, but what does the merchant give up?

A feature important to many merchants is the ability to store customer data, so that when a customer returns to the site, that customer does not have to reenter all of her payment information. Rather she can just use the same card she did during her last visit. But, can this feature work for the merchant if he or she doesn’t store credit card information?

Well, in Braintree’s case, the answer is yes. Braintree uses tokens to pass information back and forth between a merchant and its secure “vault,” so that merchants can “store” a customer profile without actually handling the credit card number. When the customer returns to make another purchase, the merchant’s server sends the token to the Braintree vault and the transaction is handled like any other. Once the payment is approved, Braintree sends back the approval and all is well.

In fact, Braintree can even support recurring or subscription billing, so that a merchant can offer flexible payment options without having to store credit card data.
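To make the token model described above concrete, here is an added illustration (not Braintree’s code or API) of the separation it relies on: a constructed stand-in vault receives the card number from the browser, the merchant keeps only an opaque token plus the last four digits, and later charges (including recurring ones) are made by token. The `Vault`, `Merchant` and the sample card value are all constructed for this example.

```python
import secrets


class Vault:
    """Constructed stand-in for the provider's vault; the only party that holds PANs."""

    def __init__(self):
        self._cards = {}  # token -> (pan, expiry), never exposed outside the vault

    def tokenize(self, pan: str, expiry: str) -> dict:
        # Called from the customer's browser, so the PAN bypasses the merchant server.
        token = secrets.token_urlsafe(16)  # random, carries no card information
        self._cards[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:]}  # only a display-safe hint goes back

    def charge(self, token: str, amount_cents: int) -> str:
        if token not in self._cards:
            raise KeyError("unknown token")  # stale or forged tokens are rejected
        return f"approved:{amount_cents}"  # PAN is used here and never returned


class Merchant:
    """Merchant-side record keeping: stores the token, never the card number."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.customers = {}  # customer_id -> {"token": ..., "last4": ...}

    def save_profile(self, customer_id: str, token_response: dict) -> None:
        self.customers[customer_id] = dict(token_response)

    def charge_saved_card(self, customer_id: str, amount_cents: int) -> str:
        # Recurring or repeat billing sends only the token to the vault.
        token = self.customers[customer_id]["token"]
        return self.vault.charge(token, amount_cents)


def run_checkout_and_rebill():
    """First purchase followed by a repeat charge; returns the merchant and both approvals."""
    vault = Vault()
    merchant = Merchant(vault)
    # Constructed test card value for the example; entered in the browser, posted to the vault.
    browser_response = vault.tokenize("4111111111111111", "12/30")
    merchant.save_profile("cust-1", browser_response)
    first = merchant.charge_saved_card("cust-1", 4999)
    second = merchant.charge_saved_card("cust-1", 4999)  # e.g. next subscription period
    return merchant, first, second


def merchant_holds_pan(merchant: Merchant, pan: str) -> bool:
    """True if the PAN appears anywhere in the merchant's stored customer records."""
    return pan in repr(merchant.customers)
```

If the vault were instead called from the merchant's own server, the PAN would transit merchant infrastructure and that server would be back in PCI scope, which is the distinction the review draws.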

What If The Phone Rings

Unfortunately, no similar payment solution that I am aware of currently extends to your phone. So if you are accepting phone orders, you will still have to manage and handle customer data.

Summing Up

In my opinion, Braintree is a no-brainer for merchants processing more than 10,000 transactions per year (which are more likely targets for hackers). For smaller merchants, processing fewer transactions, it becomes a question of risk. If the total number of transactions you process annually is low, there are likely other, less expensive solutions that will make it easy to be PCI compliant and provide good customer experiences.

But for larger sellers, Braintree takes the headache out of securing credit card data.

Armando Roggio