Braintree’s Fix For PCI 3.0 Headaches


It’s fair to say that hacking into systems of any kind (payments included) has gotten progressively harder over the last several years – a fact that has not, unfortunately, dissuaded cybercriminals so much as prompted them to look for peripheral access points to the data they wish to compromise.

Given the wider net that the criminal community has cast in the last 18 months, and the havoc that their reach has created for the payments industry, it’s unsurprising that the Payment Card Industry Data Security Standard (PCI DSS) has evolved, too. PCI 3.0, the latest release, will provide a more cautious approach to evaluating merchants that handle card payments.

New requirements for merchants will go into effect by July 2015. And for some merchants, it has the potential to change the user experience that they have worked so hard to perfect, despite the goodness that it will deliver in the form of increased compliance with cardholder data protection requirements.

“PCI 3.0 is getting savvy to the fact that there are attack vectors in the space, so even if your webpage doesn’t store the data back on your servers, if that webpage is compromised there could still be risks,” Braintree’s General Manager Juan Benitez explained to MPD CEO Karen Webster in a recent interview.

And while that may be a sound response to an escalating problem, it does have the potential to make life more difficult for any merchant who accepts cards online or in-app, because it changes the requirements for Self-Assessment Questionnaire (SAQ) compliance.

Previously, PCI held that merchants that did not store card data on their own servers – instead outsourcing to PCI-compliant firms like Braintree – had a narrow enough scope that their only requirement was having non-technical staff fill out an SAQ. Going forward, if a merchant or retailer “touches” the data at all — even if it is only long enough for it to be entered into a website and transmitted to a Braintree-like partner — they are looking at a much more involved process.

“That alternative is a new thing in PCI 3.0 called SAQ A-EP and it’s basically like a night and day thing,” Benitez told Webster. “SAQ means your non-technical people in your company go fill out a form on your policies and procedures. It’s a task, it’s a matter of a couple of hours or maybe a day to go fill out. SAQ A-EP is a project and it’s a project that involves their entire technology team. It requires that a business assess and possibly implement controls, because under SAQ A-EP they’re deemed to have impact on the security of the transaction,  which means their technical infrastructure is in scope.”

Obviously, devoting a tremendous amount of technical staff time to comply with the changes is not ideal for merchants of any size. In response, solutions providers have developed a workaround for merchant partners who do business on the Web or mobile. Embedded within the merchant site is an IFrame that is actually served by a PCI-compliant solution provider – not by the merchant’s site. Since the customer then transacts not on the merchant’s site but on the solution provider’s PCI-compliant site, the merchant’s PCI scope shrinks and they are able to avoid the SAQ A-EP requirement.

The flip side to that solution is that it changes the user experience, something that Benitez compares to installing black iron bars over one’s windows and doors to keep out thieves. It solves the problem, but it sure makes going through the front door unpleasant, even if it does deter crooks from getting in and robbing the house.

And, Benitez noted, that’s actually not OK for the bulk of the merchants that Braintree serves – who have spent hours and untold sums of money perfecting a user experience that is elegant and frictionless. For customers like Uber and Airbnb (two of Braintree’s clients), the user experience matters a ton.

“If you look at the customer base we serve, these are companies that have built their businesses and reputations globally on bespoke [customer] experiences,” Benitez told Webster. “They don’t want someone else’s form on their website collecting payments information because it wrecks the whole experience.”

That’s when Braintree got busy, Benitez told Webster, telling her that “we’re a company that’s all about simplifying the payments experience for our merchant partners,” so it was time to walk the talk.

What resulted was something Benitez calls “hosted fields,” a solution designed to keep PCI scope narrow while leaving UX control in the hands of the merchants.

“We’ve broken it down so each individual field that would collect the credit card data — each of those individual fields are actually individual IFrames,” Benitez said. That means that instead of one big IFrame hosted by Braintree, each individual field is its own IFrame hosted by Braintree. Only the data entered into those IFrames is handled by Braintree, he said, and everything that surrounds them is still completely controlled by the merchant, which preserves the user experience.

Benitez noted that since developing their original large IFrame solution, Braintree has been thinking about how to develop an even more merchant friendly variation, but that when push came to shove and they actually got down to business, it was a six-week effort from beginning to end.

Fast, Benitez said, but thorough, and put through its paces by independent Qualified Security Assessors to ensure that the solution would be considered SAQ compliant.

“If you are going to accept credit cards you have an obligation to adhere to PCI standards, full stop,” Benitez told Webster. “The experts have weighed in and said that if a merchant properly implements our hosted field solution, it will be SAQ scope compliant under PCI 3.0.”

Now “proper implementation” is always a sticky concept, noted Webster, who asked what level of difficulty would be faced by merchants who wish to tap into this solution.

“It is actually very simple – it doesn’t even require a tie-in with anyone’s backend,” Benitez responded. “This is a small piece of HTML that any Web developer or engineer should be able to insert in a very short amount of time.” Benitez further noted that users who run into trouble can also access live and direct technical support over the phone.

“There is so much happening around PCI now and it’s a bit of a wake-up call for the merchants,” Benitez told Webster. “Most people are savvy and understand there is such a thing as PCI but they aren’t terribly aware of it or knowledgeable [that] such a big change is coming to PCI 3.0 – and so soon.”

And it’s sort of no wonder. Merchants are drinking from a fire hose these days with all of the new rules, standards and security requirements coming their way. And while all merchants want to abide by the rules and protect consumer data, at the end of the day, they just want their customers to buy stuff from them.

That is an underlying driver of the individual IFrame solution.

“We hope to see lots of folks integrate this in the spirit of preserving or designing a great user experience and allowing us to worry about the complexities of the payment industry standards,” Benitez said.