
  • Matt Taylor 873 posts 2086 karma points
    Nov 03, 2016 @ 13:09
    Matt Taylor
    1

    Braintree PCI compliance

    I'm looking at the information from Braintree about PCI compliance.

    We will need to fill out the self assessment questionnaire and depending on how Braintree has been integrated depends on whether it is SAQ A eligible or not.

    What is the situation with the Merchello Braintree integration, does it use the Drop-in UI or Hosted Fields which are eligible SAQ A for or is it a custom integration which means SAQ A EP?

    Kind regards,

    Matt

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Nov 04, 2016 @ 13:53
    Rusty Swayne
    100

    Hi Matt,

    The point of concern is really just the view and the underlying JS to implement. The FastTrack implementation should meet the requirements, as CC information is never passed back to the server (just the "nonce" from Braintree).

    Here is the JS model built from the view:

    https://github.com/Merchello/Merchello/blob/merchello-dev/src/Merchello.Mui.Client/src/jquery/mui/modules/checkout/components/payment.js#L184

    Here is where it is tokenized (via BT client API) https://github.com/Merchello/Merchello/blob/merchello-dev/src/Merchello.Mui.Client/src/jquery/mui/modules/checkout/components/payment.js#L60

    The provider itself only ever uses the "nonce" when interacting with Braintree.

    I'd think it would be eligible (and if there are tweaks that need to happen I'd love to know) ... BUT in any case, the only reason the Hosted Fields were not used was more of a syndrome of having to provide the view in the context of a starter kit where things are resolved rather than statically set. The view and JS could pretty quickly be reworked for the Hosted Fields option. e.g. There should be no required changes to the actual provider logic - it would be more straight Umbraco content / UI tweaks
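
    The property Rusty describes (only the Braintree nonce, never card data, reaches the merchant server) can be enforced and monitored on the server side. The following is an added example, not Merchello's or Braintree's code; the form field names, the allowed-field list and the sample posts are assumptions.

```javascript
// Added example (not Merchello's or Braintree's code): audit an incoming payment
// POST so that anything other than the Braintree nonce and order data is flagged.
// Field names are assumptions; adjust ALLOWED_FIELDS to the real checkout form.
const ALLOWED_FIELDS = new Set(['payment_method_nonce', 'amount', 'order_id']);

// Luhn check: a 13-19 digit string that passes it looks like a card number (PAN).
function passesLuhn(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Strip spaces and dashes before testing so "4111 1111 1111 1111" is still caught.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && passesLuhn(digits);
}

// Returns a list of findings; an empty list means the post carries only the
// nonce plus order data, which is what keeps cardholder data off the server.
function auditPaymentPost(body) {
  const findings = [];
  for (const [name, value] of Object.entries(body)) {
    if (!ALLOWED_FIELDS.has(name)) findings.push(`unexpected field: ${name}`);
    if (looksLikePan(value)) findings.push(`PAN-like value in field: ${name}`);
    if (/cvv|cvc|csc/i.test(name)) findings.push(`card security code field: ${name}`);
  }
  const nonce = body.payment_method_nonce;
  if (typeof nonce !== 'string' || nonce.length === 0) {
    findings.push('missing payment_method_nonce');
  }
  return findings;
}

// Constructed sample posts: a nonce-only post and one where a custom form leaked
// raw card fields to the server (the number is a public test card number).
const goodPost = { payment_method_nonce: 'sample-nonce', amount: '10.00', order_id: 'A1' };
const badPost = { payment_method_nonce: 'sample-nonce', amount: '10.00',
                  card_number: '4111 1111 1111 1111', cvv: '123' };

console.log('good post findings:', auditPaymentPost(goodPost));
console.log('bad post findings:', auditPaymentPost(badPost));
```

    Any non-empty result on a production endpoint means card data is being handled by the merchant site, which is exactly the condition that moves the integration out of SAQ A.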

  • Matt 91 posts 237 karma points
    Nov 04, 2016 @ 14:46
    Matt
    1

    Hey Rusty,

    I'm also looking into this. As far as I understand SAQ-A only applies if you are using Braintree's Drop-in UI or Hosted Fields, as stated here.

    When filling in SecurityMetrics initial questionnaire it allocates SAQ-A and not SAQ-EP as the site does not fill this criteria:

    SAQ A: All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)

  • Matt Taylor 873 posts 2086 karma points
    Nov 04, 2016 @ 17:51
    Matt Taylor
    0

    I think Matt meant

    When filling in SecurityMetrics initial questionnaire it allocates SAQ-EP and not SAQ-A as the site does not fill this criteria:

  • Matt Taylor 873 posts 2086 karma points
    Nov 04, 2016 @ 17:50
    Matt Taylor
    1

    I think this chart is quite difficult to interpret with the ambiguity of what constitutes a website, merchant website, browser or payment page.

    It would seem though that if card detail html input boxes are served up by the merchant website then it means it's an SAQ A EP implementation.

  • Matt Taylor 873 posts 2086 karma points
    Jan 26, 2017 @ 12:27
    Matt Taylor
    0

    This was solved using the Hosted Forms solution from Braintree.

    Replacing the code in \App_Plugins\FastTrack\Views\BraintreeStandardCc\PaymentForm.cshtml with some from a Braintree example and customising it a bit.

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 26, 2017 @ 16:15
    Rusty Swayne
    0

    Awesome - the merchello-dev branch (upcoming version 2.4.0) has already been updated to use the hosted fields and the new JS files out of the box. Also, if you're using it, the PayPal via Braintree has been updated.

  • Matt Taylor 873 posts 2086 karma points
    Jan 26, 2017 @ 16:43
    Matt Taylor
    0

    Oh that's good. We might be looking to upgrade soon because our project is using v2.1.0 and there's a Braintree refund issue we're hoping has been fixed in v2.2.0.

  • Rusty Swayne 1655 posts 4993 karma points c-trib
    Jan 26, 2017 @ 16:49
    Rusty Swayne
    0

    The refund works in the back office on my build (but only after the payment is actually captured on the braintree end ... so say after 12 hours - whenever the bank does the batch).
