Braintree PCI compliance
I'm looking at the information from Braintree about PCI compliance.
We will need to fill out the self-assessment questionnaire, and whether it is SAQ A eligible or not depends on how Braintree has been integrated.
What is the situation with the Merchello Braintree integration: does it use the Drop-in UI or Hosted Fields, which are eligible for SAQ A, or is it a custom integration, which means SAQ A EP?
Kind regards,
Matt
Hi Matt,
The point of concern is really just the view and the underlying JS to implement. The FastTrack implementation should meet the requirements, as CC information is never passed back to the server (just the "nonce" from Braintree).
Here is the JS model built from the view:
https://github.com/Merchello/Merchello/blob/merchello-dev/src/Merchello.Mui.Client/src/jquery/mui/modules/checkout/components/payment.js#L184
Here is where it is tokenized (via BT client API) https://github.com/Merchello/Merchello/blob/merchello-dev/src/Merchello.Mui.Client/src/jquery/mui/modules/checkout/components/payment.js#L60
The provider itself only ever uses the "nonce" when interacting with Braintree.
I'd think it would be eligible (and if there are tweaks that need to happen I'd love to know) ... BUT in any case, the only reason the Hosted Fields were not used was more of a syndrome of having to provide the view in the context of a starter kit where things are resolved rather than statically set. The view and JS could pretty quickly be reworked for the Hosted Fields option. e.g. There should be no required changes to the actual provider logic - it would be more straight Umbraco content / UI tweaks.
Hey Rusty,
I'm also looking into this. As far as I understand SAQ-A only applies if you are using Braintree's Drop-in UI or Hosted Fields, as stated here.
When filling in the SecurityMetrics initial questionnaire it allocates SAQ-A and not SAQ-EP as the site does not meet this criterion:
SAQ A: All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)
I think Matt meant
When filling in the SecurityMetrics initial questionnaire it allocates SAQ-EP and not SAQ-A as the site does not meet this criterion:
I think this chart is quite difficult to interpret with the ambiguity of what constitutes a website, merchant website, browser or payment page.
It would seem though that if the card-detail HTML input boxes are served up by the merchant website then it means it's an SAQ A EP implementation.
This was solved using the Hosted Forms solution from Braintree.
Replacing the code in \App_Plugins\FastTrack\Views\BraintreeStandardCc\PaymentForm.cshtml with some from a Braintree example and customising it a bit.
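To show what the Hosted Fields rework amounts to, here is an added example (not Merchello's PaymentForm.cshtml or its payment.js): the card inputs live in iframes served by Braintree, and the only payment data the merchant page sends to its own server is the nonce. It assumes the Braintree web SDK v3 `braintree` global is passed in as `braintreeSdk`, container ids `#card-number`, `#cvv` and `#expiration-date` on the page, and a `postToServer` function supplied by the caller.

```javascript
// Added example, not Merchello's code. Braintree Hosted Fields checkout:
// the PAN/CVV/expiry never touch the merchant DOM or server, which is the
// property the SAQ A eligibility criterion above is asking for.
// `braintreeSdk` is the global `braintree` object from client.js +
// hosted-fields.js, injected so the flow can run without a browser.

function buildServerPayload(tokenizePayload, amount) {
  // Allow-list what leaves the browser: nonce plus non-sensitive display
  // details. No card number, CVV or expiry is ever included.
  var details = tokenizePayload.details || {};
  return {
    paymentMethodNonce: tokenizePayload.nonce,
    amount: amount,
    cardType: details.cardType,
    lastTwo: details.lastTwo
  };
}

function setupHostedFields(braintreeSdk, clientToken, amount, postToServer, done) {
  braintreeSdk.client.create({ authorization: clientToken }, function (err, clientInstance) {
    if (err) { return done(err); }
    braintreeSdk.hostedFields.create({
      client: clientInstance,
      // Each selector is an empty container; Braintree injects its own iframe.
      fields: {
        number: { selector: '#card-number', placeholder: '4111 1111 1111 1111' },
        cvv: { selector: '#cvv', placeholder: '123' },
        expirationDate: { selector: '#expiration-date', placeholder: 'MM/YY' }
      }
    }, function (err, hostedFieldsInstance) {
      if (err) { return done(err); }
      // Hand back a submit handler rather than binding to the DOM here, so the
      // page script (or a test) decides when to tokenize.
      done(null, function onSubmit() {
        return new Promise(function (resolve, reject) {
          hostedFieldsInstance.tokenize(function (err, payload) {
            if (err) { return reject(err); }
            // Only the nonce-based payload is posted to the merchant server.
            resolve(postToServer(buildServerPayload(payload, amount)));
          });
        });
      });
    });
  });
}
```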
Awesome - the merchello-dev branch (upcoming version 2.4.0) has already been updated to use the hosted fields and the new JS files out of the box. Also, if you're using it, the PayPal via Braintree has been updated.
Oh that's good. We might be looking to upgrade soon because our project is using v2.1.0 and there's a Braintree refund issue we're hoping has been fixed in v2.2.0.
The refund works in the back office on my build (but only after the payment is actually captured on the Braintree end ... so say after 12 hours - whenever the bank does the batch).