Clearly Payments Security and Reliability

Please report any security issues to security@braintreepayments.com and we will respond within 24 hours.


Security is of paramount importance to us. To that end, we’ve focused on providing a secured environment that goes above and beyond industry security standards and guidelines. The following is an overview of the steps we have taken to secure our customers’ most sensitive information.


Validated PCI DSS Compliance

Braintree is a validated Level 1 PCI DSS Compliant Service Provider. We’re on Visa’s Global Compliant Provider List and MasterCard’s SDP List.

Prohibited Data Storage

We never store raw magnetic stripe, card validation code (CAV2, CID, CVC2, CVV2), or PIN block data. Storage of this data is prohibited by the PCI DSS.

Data Encryption

Cardholder data is stored using one of the most advanced encryption methods available. A data thief would not be able to make use of information stolen from a database without also having the key, which is changed on a yearly basis. The data store where cardholder data is kept cannot be connected to via the internet.

Authentication and Session Management

We require all users to authenticate each time they use the application and inactive sessions time out after 15 minutes. Passwords are never stored directly in the database, but are salted and hashed to increase security. In addition, all communication between merchants and us is conducted in a secure fashion using SSL.

Reliability

We have high redundancy onsite and offsite. Onsite data is mirrored on individual servers using RAID and is also hot synced between servers. Data is also encrypted and backed up off site with an undisclosed third party.

Disaster Recovery

We have geographically dispersed data centers.

Uptime

We maintain 99.99% uptime and guarantee 99.5%.

Activity Observation

All activity is extensively logged by us, and those logs are reviewed to look for patterns of fraud and hacking. We employ a variety of intrusion detection and log file integrity management solutions to ensure that no activity goes unnoticed by our users or internally by our employees.

In addition to having a Web Application Firewall, we engage in the practice of extensive external and internal code reviews of all the software we develop.

At least quarterly we conduct automated vulnerability scans internally and externally. In addition, at least once a year we have extended internal and external penetration testing conducted by outside sources.

Securing Access

Our network has been set up in a secure fashion with minimal access to outside networks. All communication that we have with upstream vendors is done via secured VPN. In addition, our internal setup runs on its own VPN, which means that even within our environment, all communication is encrypted and locked down via IP whitelists.

We facilitate secured patching and software updates of all our systems, including watching numerous online resources for the latest vulnerabilities.

We strive to provide the best possible support for our customers because it helps merchants and also helps us maintain a more secure environment. All of our employees undergo background checks as well as extensive training on relevant security matters that pertain to their job. We also provide guidance to merchants on how to securely interact with our services.