This document contains the latest update on the Braintree Payments Cardholder data flow. It is reviewed every 6 months, with the latest Version number and Date reviewed above.
Braintree Payments (a PayPal service) is integrated as a third party-hosted payment partner on Commerce Vision's eCommerce platform (Customer Self Service). Our integration uses Braintree Payments' drop-in UI. This means payments through the Braintree Payments gateway on our merchant websites are redirected to a payment page completely generated (HTML included), hosted and secured by Braintree Payments. As such, customer sensitive card data are never exposed to or handled by Commerce Vision servers. Our merchant websites do not receive, process, store or transmit cardholder data.
Commerce Vision conducts checks the data security solutions of its third party partners, to ensure compliance with current industry standards and government requirements.
Braintree Payments is a validated Level 1 PCI DSS (highest level) compliant provider.
Braintree Payments does not store raw magnetic stripe, card validation code or PiN block data.
Braintree Payments vaulting (storing of credit cards for future use) uses multiple encryption keys with split knowledge and dual control. A data thief would not be able to make use of information stolen from a database without also having the key. This data store cannot be connected to via the internet.
Users are authenticated every time they log into their Control Panel. Passwords are never stored directly in the database, and all API and Control Panel communication between merchants and Braintree is conducted using TLS (Transport Layer Security).
NOTE - Commerce Vision servers and merchant websites do not receive, process, store or transmit cardholder data.
Third-party payment hosted solutions will normally reduce the scope of Payment Card Industry compliance for the merchant as the cardholder data entered by customers are transmitted directly from their browsers to the third-party hosted payment page.
