Most of the bigger providers care more about their own interests than those of their customers.
I've heard nothing but good things about them ... except that their minimum transaction level is high enough that many/most/all??? startups can't meet it. So the latter obviously go to PayPal and, when/if larger, Auth.net.
Braintree is asking those companies to make it easier to "graduate" to Braintree. Since Braintree provides one of the highest quality services in this field, they're obviously not worried about too many customers defecting, or at least not until they get so big they bring it in house.
Which in the current startup capital climate is going to be very rare, I suspect.
I'm glad to see them trying to make moves like this. It's one of the reasons that our business is with them.
I've heard great things about their service, but I found CDGCommerce to have much better terms.
My customer service rep at Braintree handles regular billing inquiries and has also helped me with some coding issues - that speaks volumes in my book.
When I actually Read the F----ing Manual about this ... and actually read that what was required was peanuts compared to the thousands of posts and comments I've read here pontificating on how to safely store a freaking password to a dating site, I am perplexed. How can a group of people who can talk your arm off for two hours about salts, rainbow tables, hashes, and password entropy be frightened of PCI? https://www.pcisecuritystandards.org/security_standards/pci_...
I store my own credit card info. Exactly how I do it is none of your business, as, while I don't rely on obscurity for my security, I'd be foolish to deny myself its added protection. I don't just meet PCI standards, which are easy; I greatly, greatly exceed them. Why anybody would use a third party billing company is not mysterious, but why somebody who reads HN would do so is strange to me.
I already know the comments I'll get for uttering such blasphemy. I would respectfully request that you actually spend 10 minutes reading actual PCI DSS guidelines before doing so, however.
The spec was about 400 pages, it took weeks to read it and digest it to find out that it was relatively simple to implement.
This work gave me some insight into what goes on behind the scenes to get those deceptively simple rules from that page that you link put into practice.
On paper, it's very easy to be PCI compliant. The problem is that in practice it really isn't all that easy. The auditing firms that will verify that you are indeed PCI compliant (you did request an audit?) are not going to sign off on this on a lark, they want really hard proof.
The nasty one is requirement '9': anything short of a cage at a provider with biometric access protection and a whole host of other measures simply isn't going to do. That alone will outweigh the costs for most small-time merchants of doing this by themselves.
Requirements '6', '7', '10', '11' and '12' are beyond the capabilities of most small businesses to implement anyway.
A guy like cperciva (and you, by your moniker) could probably do it in their sleep but I think you're the exception, not the rule.
It's fairly easy to miss a trick or two; the consequences would be pretty grave; the cost of outsourcing it is actually not that bad, so that's the way most people will choose to go.
I'm not saying that a lot of consultants aren't out there, making a crap load of money. Hmmmmm.
The amount of legal and policy documentation you are required to have is by itself a massive undertaking. The third-party audit will cost $150,000-$300,000 and a huge amount of man-hours.
If he did get an audit and passed I'll eat my proverbial hat.
They need angry former customers to do the talking. Maybe this raises awareness a bit, but what really resonates is horror stories. A few high profile former Authorize.net/PayPal customers that are angry and willing to tell people about it would probably go much further.
The sweet begging approach isn't likely to work.
Honestly, I think there needs to be some regulation here, since there's just no incentive for the large incumbents to change.
From a security perspective, it's a huge disservice to the consumer. It's a great thing to not worry about storing card details in your application. The auth.net/paypal policies incent anyone using those providers to store those details anyway to ensure portability.
http://www.braintreepaymentsolutions.com/blog/credit-cards-a...
I used to work in politics. This is the sort of poke-the-giant thing that longshot candidates do, and it actually ends up reflecting more negatively on Braintree than anyone else. It's a tone-deaf PR move from a great company.
EDIT: Looks like Chargify sends the CC details to the gateway and they don't have their own vault: http://chargify.com/features/pci-compliant-security/
I'm really happy that Braintree is pushing this forward. I've seen it hurt several companies when they need to switch gateways or merchant accounts.
Isaac Recurly, CEO
(My startup.)
Seriously, the industry has no incentive to change. They make a killing. Merchant contracts are strict and likely forbid alternative standards such as the one being proposed here.
How about a flat $0.25 per transaction?
"Dear guys who are bigger than me: please make it easier for me to steal your customers."
They say it is, but I don't think it is up to Braintree to say that it is; it would be up to the issuers to say that it is, and as long as they don't come out on the subject nobody is going to risk getting fined 10 million bucks or so by VISA or MC (or worse, getting shut down) to find out.
Braintree should probably do its best to lower the barrier to entry to their services rather than try to create a portability layer with competitors that don't care. And then Braintree could set the right example by allowing merchants to take their data with them to other providers of payment services.
Note that just as you can't 'export' from PayPal or Authorize.net, you also can't simply 'import'; the reason for that is that bulk import with random third parties is extremely risky: it bypasses all the safeguards that have been installed to prevent all kinds of fraud.
I could see data portability being an issue in the long run, but for now, with Auth.net being basically one of two gateways, not enough moving around happens for there to be a "call for portability" (that will actually be heard).
I do, though, applaud a forward-thinking move like this. It may be looked back on as the small spark that got the fire going.