Braintree Payments is absolutely amazing.

They ❤ developers, and it's true. Not only that, they have a neat transparent redirect system that lets your clients POST form data directly to Braintree, bypassing your servers entirely. You can get PCI compliant quite easily.

Transparent redirect secures card data completely

This is a huge benefit.

Braintree has a standard Server to Server (S2S) API with client libraries for the major application environments (Python, Ruby, PHP, Java, Perl, .NET, even Node!), and those already stand out for ease of use, but they offer even more: the transparent redirect (TR) system.

With TR, your HTML form elements literally point to Braintree. Clients send absolutely no data to your servers, and your PCI Compliance requirements are drastically reduced. You can qualify for a self assessment questionnaire (if you don’t enter any CC data over the phone for example) rather painlessly.

How does TR work?

There are two components to TR. One is a hidden tr_data field containing data encrypted by the server. The other is the set of user-fillable input boxes for the card details.

When you call the function that generates tr_data, you give it a callback URL for Braintree to redirect to. That URL not only brings users back to your site; its query string carries data you can pass to your client library to get a Transaction object, exactly as if you’d done the S2S implementation. Seamless!

Step 1: post the form to braintree

Fill in tr_data, fill in the minimum required card fields, and POST to your merchant TR URL.

If you’re worried about users tampering with the submitted data, you can have the server fix particular values by placing them in the tr_data field instead of the user-editable form fields.

For example, you might force the billing country to be the US.

Step 2: handle the query string at your callback url

At the callback URL you supplied to the client library when generating tr_data, pass the query string into the Braintree client library. It returns a Transaction object just as if you’d done it through S2S.

Here, I check that it’s not an Error response (in which case I need some special logic to display the error on the submitting form view) and redirect to a success view if the transaction succeeded.

Step 3: do what you will with a securely created Transaction object

The amazing thing is that the result is the same object you’d deal with if you had used the S2S API.
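The three steps above, as an added example that is not Braintree's code and not from the original post: a constructed, simplified model of the mechanism using only the Python standard library. The server signs the tr_data field (so the browser cannot change the values the server locked, such as the billing country), a stand-in gateway endpoint checks that signature and lets the locked values win over whatever the form posted, and the merchant callback verifies the redirect query string before treating it as a result. The HMAC scheme, the field names, the callback URL and the gateway stand-in are all assumptions; Braintree's own library does the real signing and confirmation for you.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key: stands in for the merchant private key the Braintree
# client library is configured with. A real key is never hard-coded like this.
PRIVATE_KEY = b"constructed-demo-private-key"

CALLBACK_URL = "https://merchant.example/tr/callback"  # assumed callback URL
COUNTRY_FIELD = "transaction[billing][country_code_alpha2]"

# Constructed form input: what the browser posts to the gateway. The card
# number is the well-known test value, not a real card. The user tries "CA".
FORM_FIELDS = {
    "transaction[credit_card][number]": "4111111111111111",
    "transaction[credit_card][expiration_date]": "12/2030",
    COUNTRY_FIELD: "CA",
}


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, hex-encoded (assumed, not Braintree's format)."""
    return hmac.new(PRIVATE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def build_tr_data(redirect_url: str, locked_fields: dict) -> str:
    """Step 1, server side: build the hidden tr_data value.

    locked_fields are the values the server insists on (here the billing
    country); they are signed, so the browser cannot change them.
    """
    fields = {"redirect_url": redirect_url, **locked_fields}
    payload = urlencode(sorted(fields.items()))
    return f"{_sign(payload)}|{payload}"


def gateway_process(tr_data: str, form_fields: dict) -> str:
    """Stand-in for the gateway's TR endpoint (constructed, not Braintree's).

    Rejects tr_data the merchant server did not sign, lets the signed fields
    override whatever the browser posted, and returns the redirect target
    with a signed query string describing the result.
    """
    mac, sep, payload = tr_data.partition("|")
    if not sep or not hmac.compare_digest(mac, _sign(payload)):
        raise ValueError("tr_data was not produced by the merchant server")
    locked = dict(parse_qsl(payload))
    redirect_url = locked.pop("redirect_url")
    merged = {**form_fields, **locked}  # server-locked values win

    # The card number is consumed here; only a masked summary goes back.
    result = {
        "id": "txn_constructed_0001",
        "status": "authorized",
        "country": merged[COUNTRY_FIELD],
        "last_4": merged["transaction[credit_card][number]"][-4:],
    }
    query = urlencode(sorted(result.items()))
    return f"{redirect_url}?{query}&hash={_sign(query)}"


def confirm(query_string: str) -> dict:
    """Step 2, merchant callback: verify the query string before trusting it.

    Returns the verified result (the role the Transaction object plays) or
    raises if the string was altered in transit or forged by the client.
    """
    params = dict(parse_qsl(query_string))
    received = params.pop("hash", "")
    expected = _sign(urlencode(sorted(params.items())))
    if not hmac.compare_digest(received, expected):
        raise ValueError("callback query string failed signature check")
    return params


def run_flow() -> dict:
    """Steps 1 to 3 end to end with the constructed input."""
    tr_data = build_tr_data(CALLBACK_URL, {COUNTRY_FIELD: "US"})
    redirect = gateway_process(tr_data, FORM_FIELDS)
    return confirm(redirect.split("?", 1)[1])


def forged_tr_data_is_rejected() -> bool:
    """Editing the signed country inside tr_data must be refused by the gateway."""
    mac, _, payload = build_tr_data(CALLBACK_URL, {COUNTRY_FIELD: "US"}).partition("|")
    try:
        gateway_process(f"{mac}|{payload.replace('=US', '=CA')}", FORM_FIELDS)
    except ValueError:
        return True
    return False


def forged_callback_is_rejected() -> bool:
    """Rewriting the redirect query string must be refused by the callback."""
    tr_data = build_tr_data(CALLBACK_URL, {COUNTRY_FIELD: "US"})
    query = gateway_process(tr_data, FORM_FIELDS).split("?", 1)[1]
    try:
        confirm(query.replace("status=authorized", "status=settled"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
    print(forged_tr_data_is_rejected(), forged_callback_is_rejected())
```

Running it shows the verified result carrying country "US" even though the form said "CA", and no card number ever reaching the merchant side; the two forgery checks show why both the gateway and the callback must verify signatures rather than trust whatever the browser hands them.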

Clear pricing

I don’t even want to look into the 40 or 60 different rates we have for our credit cards. It’s utterly complicated and confusing. Hidden fees seem everywhere.

Not so here.

What is that, 3 numbers? All of which add up, right off the bat, to less than what I’ve been quoted.

I think this transparency is a trend among emerging tech companies. There’s no reason why payments have to be difficult.

Clean and clear monthly reports

Finally, a company that gives us great monthly reports. The payments industry is amazingly behind the times (everything is paper-based), but at the very least this is the best experience I’ve had with clearly itemized monthly reports.

Even chargebacks are on this report. With several other payment company combinations I’ve used, all we’d get is a piece of paper in the mail and no other record.

Amazing support.

Helpful people pick up the phone in 15 seconds.

I got great support the first time I called about a decently technical question.

Amazing amazing support

This support is unreal. Our shopping cart, Shopify, had some odd error messages for cards declined due to AVS. They were unhelpful and confusing customers.

When I brought the issue up with Braintree rather casually (a 3-sentence email?), their support staff responded telling me it wasn’t their fault – it was Shopify’s ActiveMerchant.

Guess what they did without any further contact? They decided to submit a patch to ActiveMerchant on Github to fix detection of AVS mismatches with better error messages.

Let’s see, what happened for 3 sentences?

  1. they read it.
  2. they responded / it wasn’t their fault.
  3. they looked into ActiveMerchant and found the problem with the braintree code.
  4. they actually fixed it and submitted the patch.

I think that’s pretty amazing.

Conclusion: amazing.

7 thoughts on “Braintree Payment Solutions Review: It’s Amazing!”

  1. It seems very misleading to rank TR or ‘silent post’ methods equal to a hosted order form service where all capture and processing is done in a PCI compliant environment and on PCI compliant hosts communicating directly with a consumer through a secure session. This TR solution may achieve ease of implementation but has no benefit to security or compliance. I cannot see how this solution reduces any scope for PCI compliance for the merchant’s ecommerce server. The merchant server is still in scope because they are establishing the payment session with the customer, presenting the payment form and defining the posting logic from the customer to the TR. If I have a compromised merchant ecommerce server there is no expectation of secure payment or PCI compliance. With a hosted order page method you can have a compromised server and the consumer will have an opportunity to abort a fraudulent transaction if presented with another payment form or redirected to another site.

    In the TR solution the customer is presented that they are always communicating credit card data securely. However the context of the security is completely controlled by the merchant’s server. A compromised merchant server with a couple of lines of code would mean that any consumer data entered through this method would be compromised. The customer would have no way of knowing.

    With any PCI compliant hosted order page, the method allows the merchant to remove their servers from scope because they are no longer controlling the payment transaction. The payment transaction is set-up from start to finish between the consumer and the PCI compliant service provider. The consumer has a way to validate this through their browser to confirm certificate and transmission security. The TR method does not provide this protection to consumers and can present a false sense of security and compliance to both merchant and consumer.

    1. Hi Greg,

      I completely appreciate your concerns. I’m just not sure why it’s directed at me, and why you think I’ve mis-represented something.

      I call Braintree’s TR a “neat” feature, and in my bit about security, plainly state what TR does: absolutely no credit card data is sent to your server.

      I’m not sure where I’m being misleading, or suggesting TR being equal to a fully hosted PCI compliant order form.

      I’d take this concern up with Braintree Payment Solutions and the PCI Security Standards Council if you believe this type of transaction doesn’t qualify for lesser standards.

      In alternative scenarios, we’re talking about untold numbers of small merchants who not only process credit card transactions on their server but store credit card.

      In my opinion, TR is a great step towards security.

    2. Your failure to disclose your relationship feels like a lack of integrity to me. I ran across this article while researching choices, including CRE, and you’ve just put another mark in the ‘against’ column…

  2. As an industry advocate for securing credit card data, I just find the suggestion that TR is the end-all falls short. Absolutely, your technical statement about what TR does is correct. But what it doesn’t do is deliver 100% PCI compliance to a merchant.

    But if it doesn’t eliminate the scope of PCI for the merchant, then isn’t the value diminished? I bring this up because I hear from QSAs all the time on how the TR or silent post method is highly overstated from a PCI compliance standpoint. In fact, many gateways offer TR/Silent post (Litle, TNS, Samurai, & others) but it’s their merchants that still have to answer to their QSA and banks about compliance.

    Unfortunately, small merchants tend to migrate towards the best marketing message that says they can be compliant without actually confirming that they truly are. And sure, anything that segments out sensitive credit card data is good, but it’s like baking a birthday cake and not having any icing or candles. It’s just not the same.

    1. Ah, roger that. I see it’s not the best, but I’m just ecstatic about the improvement in security it provides over handling data myself.

      “But if it doesn’t eliminate the scope of PCI for the merchant than isn’t the value diminished?”

      It does reduce the scope of PCI compliance – and there lies the value. Or so I thought?

      As for ease of compliance being overstated, I will report back to you as soon as we get our certificate from our QSA (we’re not going to need it for at least another half year though).

      To me it seems more like a birthday cake without candles. It probably has the icing. Maybe like 90% of the icing, and no candles.

    2. PS: I notice you’ve founded CRE Secure Payments / are involved with Payleap and have posted similar posts all over the web. It’s good to disclose this information.

  3. Joe – I’m not quite sure what your point is. I am not failing to disclose a key point. I am a technologist that feels passionate about helping online merchants protect their customers’ PFI and PII. I have not been associated with CRE for nearly a year but do often provide payment security advice to merchants. I think any process that removes payment acceptance from the merchant environment is the set practice. Every gateway has a hosted payment page, and it is the most secure method. The problem though, is that many larger merchants and developers want to control more of the customer experience. I do take exception to certain providers’ marketing messages that suggest a solution that I believe is not 100% PCI compliant. And I will comment accordingly.
