Version 1.0 

 


This document contains the latest update on the Braintree Payments Cardholder data flow. It is reviewed every 6 months, with the latest Version number and Date reviewed above. 


Braintree Payments (a PayPal service) is integrated as a third-party hosted payment partner on Commerce Vision's eCommerce platform (Customer Self Service). Our integration uses Braintree Payments' drop-in UI. This means payments through the Braintree Payments gateway on our merchant websites are redirected to a payment page completely generated (HTML included), hosted and secured by Braintree Payments. As such, customers' sensitive card data are never exposed to or handled by Commerce Vision servers. Our merchant websites do not receive, process, store or transmit cardholder data. 


Commerce Vision conducts checks on the data security solutions of its third-party partners to ensure compliance with current industry standards and government requirements. 

  • Braintree Payments is a validated Level 1 PCI DSS (highest level) compliant provider.
  • Braintree Payments is card brand security compliant, e.g., it is a Visa Global Compliant Provider and is on Mastercard's SDP List.
  • Braintree Payments does not store raw magnetic stripe, card validation code or PIN block data. 
  • Braintree Payments vaulting (storing of credit cards for future use) uses multiple encryption keys with split knowledge and dual control. A data thief would not be able to make use of information stolen from a database without also having the key. This data store cannot be connected to via the internet. 
  • Users are authenticated every time they log into their Control Panel. Passwords are never stored directly in the database, and all API and Control Panel communication between merchants and Braintree is conducted using TLS (Transport Layer Security).


For more information, refer to Braintree Payments' Data Security statement and supporting documents: https://www.braintreepayments.com/au/features/data-security

Braintree Payments' region-specific Data Protection Addendum for Card Processing Products (Australia): https://www.braintreepayments.com/au/legal/data-protection-addendum




Braintree Payments Integration to Commerce Vision


Figure 1: Braintree Payments page drop-in UI on a Commerce Vision merchant site

NOTE - The entire Braintree Payments-hosted payment page is a drop-in from Braintree Payments.


Figure 2: Commerce Vision Merchant ↔ Braintree Payments Credit Card Data Flow

NOTE - Commerce Vision servers and merchant websites do not receive, process, store or transmit cardholder data.



Third-party hosted payment solutions will normally reduce the scope of Payment Card Industry compliance for the merchant, as the cardholder data entered by customers are transmitted directly from their browsers to the third-party hosted payment page.

