
Are any of the solutions out there comparable to BrainTree? It's easy to process CCs, even recurring, but it's a pain to do PCI compliance. If the CC info hits your server, you're in PCI scope. BrainTree has the browser send the info directly to them, then redirects with a token you can use to check information and perform charges.

Anything else out there like that? That is, all the flexibility of being able to run charges programmatically, without the overhead of being PCI compliant?



I believe Spreedly's new http://spreedlycore.com is supposed to do this.


I am no expert on this, but from what I gathered of previous discussions of this topic, if you are serving the form HTML you need some form of PCI compliance, even though the CC never hits your server. This makes sense, as any XSS attack would allow an attacker to lift the CC straight from the page.


Some processors offer an option that allows you to redirect to a page that they host for the CC information, and then back to your page for checkout.


As I mentioned above, Authorize.Net's CIM (Customer Information Manager) works in a similar way -- you send the credit card info from your website to Authorize.net (and never store it in between) and you get a token back which you can store, and which you can use to make charges later.


But if the CC info ever hits your server, your server, apps, etc. fall into scope. Not storing it just gets you out of a small part of PCI.
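A defender-side check that follows from the point made above (raw card data reaching your server puts it in scope): this is an added example, not code from the thread or from any processor's SDK. It shows what a tokenized checkout endpoint can run on every request to refuse anything that looks like a PAN, so a mis-wired form or a client that skipped the hosted-field step is caught before the value is processed or logged. The allowed field names, the token format and the sample requests are constructed assumptions.

```python
import re

# Fields a token-only checkout endpoint should ever receive (assumed names).
ALLOWED_FIELDS = {"payment_token", "amount", "currency", "order_id"}

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run. This is the shape of a card number (PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if value contains a Luhn-valid 13-19 digit sequence."""
    for match in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def check_checkout_request(form: dict) -> list:
    """Return the reasons a request must be rejected; an empty list means it is clean.

    Both checks matter: an unexpected field name (e.g. card_number) and a PAN hidden
    inside an expected field (e.g. a card number pasted into payment_token).
    """
    problems = []
    for name, value in form.items():
        if name not in ALLOWED_FIELDS:
            problems.append(f"unexpected field {name!r}")
        if looks_like_pan(str(value)):
            problems.append(f"field {name!r} contains what looks like a card number")
    return problems


# Constructed sample requests: a correct token-only submission and a broken one.
GOOD_REQUEST = {"payment_token": "tok_constructed_8f3a1b", "amount": "19.99",
                "currency": "USD", "order_id": "ORD-2024-000123"}
BAD_REQUEST = {"card_number": "4111 1111 1111 1111", "amount": "19.99"}
```

Rejecting at the edge is what keeps the server out of scope; a request that is merely logged and then dropped has already put the PAN on disk.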



