
> Braintree retains the private key of the key pair so that merchants are unable to decrypt the encrypted fields server-side.

This sounds cool, but at risk of being slightly off-topic, IIRC, this is still in scope of PCI. Storing encrypted data (even if you don't have the ability to decrypt it) falls under some rules in PCI compliance.

This is all hand-wavy of course. I had to comb through so many pages of PCI compliance documentation, rules, definitions, etc. when working as a sysadmin to create actionable plans on getting PCI compliant before we'd actually be audited. I remember this because I found it absolutely inane that it required encrypted materials be stored as if they were sensitive but was fine with transmitting credit card #s over untrusted networks and the internet as long as they were "strongly" encrypted (this wasn't qualified, either).

I'm really thankful we have people trying to simplify this headache for people, but why are we content letting this be our problem? It can easily cost hundreds of thousands of $$ PER SITE to become PCI compliant (which has, from what I've seen, been insufficient to protect the information anyway). Is there any proposed legislation that would force these companies (VISA, MC, Discover, etc.) to adopt a fundamentally secure transaction system? Right now they're content with shoving all costs to third parties and ignoring theft because everyone has to be insured... why isn't there severe outcry over this? It's wasteful on the magnitude of billions a year, I'm sure, and despite its brokenness, they STILL charge for every transaction. Sure, engineering around the problem creates a niche for companies like Braintree and other payment gateways to fill, but that's really just shifting a cost that shouldn't exist from one place to another. Why?

It's all so terrible. I'd rather just use bitcoins or something.




Braintree.js cuts down PCI scope as much as tokenization. We've worked with banks and auditors to make sure that this doesn't add any headaches for our merchants.


What Canadian merchant does Stripe use? I was very close to using Stripe, but Active Merchant didn't provide what we needed through your API (pre-auth/settlement). I hope to use Stripe for other things down the road though.
