Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

PCI Compliance?


Recommended Posts



Can anyone tell me if I will have PCI compliance problems using the Braintree Add-on for osC 2.3.4? I notice it does not use Braintree's iframes solution. I would rather not have any card data touch my website. -Thank you!

Link to comment
Share on other sites

I'm not familiar with Braintree, only having briefly looked at its website. There wasn't anything that jumped out at me saying that they handled credit card data entirely on their site (like most of the PayPal models), nor did they say that you would be handling such data (and thus require PCI compliance). I think that if you've already dug through their literature, and haven't found such information, that you're going to have to ask them. Specifically, does credit card information ever touch your site, requiring PCI compliance? Or is the customer taken to their site to make the payment?


My understanding of PCI is that if credit card numbers, CVV, etc. even pass through your site on the way to the payment service, that you have to meet certain security requirements (not just SSL usage). It's even worse if you are going to store any of this data, even briefly. Updates and corrections are welcome.

Link to comment
Share on other sites

A little more detail. The add-on: http://addons.oscommerce.com/info/9080

Add-on calls https://js.braintreegateway.com/v1/braintree.js
Add-on uses "data-encrypted-name" on the CVV and Card Number input fields only. All others are "name."
I do have SSL on my website.


Does anyone know if not using 'name' in a form field can stop that data from touching my server?

Would doing so only on the card number and CVV fields be enough for PCI?


I did just send this question in to Braintree, but would I like to know what other people might know about it.

Link to comment
Share on other sites

  • 3 weeks later...

The module is PCI compliant (both older module version and newer App versions). The card data never touches your server - Braintree process it directly via javascript and return a token which the module uses. The same goes for stored/vaulted cards - this is safe to enable for your customers.

Edited by Harald Ponce de Leon

:heart:, osCommerce

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...