
We're building a multi-tenant SAAS web-application. Our tenants want the option to accept credit card payments for the various products that we allow them to market through our application. To support this we will require that the tenant has their own Braintree account. The tenant provides us with their Braintree API keys through our app. We then use those API keys to interact with their Braintree account on their behalf (card storage, card verification and basic transactions).

This model is the same as the model used by the existing Braintree customers WooThemes, Goodsie, TutorTrove and many more.

We need to record the tenant's API info (merchant ID, public API key and private API key) for this all to work.

My questions are:

  1. Can we simply store this information in our application database?
  2. Does storing this information affect the PCI/DSS scope of us or our tenants?
  3. If we can't store the information in raw form, what is an appropriate storage form?

Note: we have contacted Braintree directly with this same question, but we didn't think it would hurt to get other opinions as well :).

Cheers, Sam

sammy34

2 Answers


IMHO, please note that you will be [if not, should be] having tenant-based crypt keys [each tenant can configure their own cryptographic algorithm and the keys => SAAS customization]. Please do encrypt the AuthorizationId using the tenant-specific keys and then persist in the database. This kind of sensitive data should be secured, and you should have a note stating that you are maintaining these keys in the database so that the tenants can opt out if not required and manually enter the key whenever required. This will ensure safety. By the way, is your application using SSL?

Please do share your thoughts on this suggestion

Saravanan
  • Thanks for your answer. SSL is used. Opt-out is offered (explained in our docs). I'm a little confused about your tenant-based crypt keys suggestion. WooThemes, Goodsie and TutorTrove (linked above) don't seem to use such an approach. It seems somewhat overkill. We would have to store the cryptographic config information as well, because we need to be able to decrypt on demand to process payments. We're now thinking down this path: http://stackoverflow.com/questions/165808/simple-2-way-encryption-for-c-sharp ...this way our DB would be useless without our crypt key (stored in our assembly). – sammy34 May 18 '13 at 02:46
  • In any case, we're going to see what Braintree suggests before we go implementing anything...they're probably in a good position to make a recommendation. – sammy34 May 18 '13 at 03:30
  • @sammy34: Hi Sam, thanks for sharing your insights. I came across an implementation that had used the option of handling tenant crypt keys even for the password encryption and validation, hence I suggested that approach. In that case, the tenants that use the application will set up their own crypt key. If a tenant does not have one, then they have a failsafe default key that will be used. I did not hear about a performance penalty in that case. For your information. – Saravanan May 18 '13 at 17:00
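The encrypt-before-persist approach discussed in this answer and its comments, worked through as an added Go example (not code from the question, the answers, or Braintree): each tenant gets its own random data-encryption key (DEK), the DEK is wrapped under one application-wide key-encryption key (KEK) that lives outside the database, and the Braintree merchant ID and API keys are encrypted under the DEK with AES-GCM, with the tenant ID bound as associated data so a row copied between tenants fails to decrypt instead of decrypting to another tenant's keys. The type names, function names and sample values are my own; the KEK in `main` is generated for the demo and would come from a secrets store in a real deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// BraintreeCredentials holds the tenant-supplied integration info from the
// question. PrivateKey is the value that must never sit in the DB in the clear.
type BraintreeCredentials struct {
	MerchantID string `json:"merchant_id"`
	PublicKey  string `json:"public_key"`
	PrivateKey string `json:"private_key"`
}

// StoredCredentials is the shape of the database row: ciphertext only.
// WrappedDEK is the per-tenant data key encrypted under the application KEK,
// so the table is useless without the KEK and no two tenants share a key.
type StoredCredentials struct {
	TenantID   string
	WrappedDEK []byte
	Ciphertext []byte
}

// sealAESGCM encrypts with AES-256-GCM, prefixes a fresh random nonce, and
// authenticates aad (the tenant ID) alongside the ciphertext.
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; any change to nonce, ciphertext, tag or aad
// returns an error rather than garbage plaintext.
func openAESGCM(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// StoreCredentials generates a per-tenant DEK, wraps it under the KEK and
// encrypts the credentials under the DEK. Only the returned row is persisted.
func StoreCredentials(kek []byte, tenantID string, creds BraintreeCredentials) (StoredCredentials, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredCredentials{}, err
	}
	wrapped, err := sealAESGCM(kek, dek, []byte(tenantID))
	if err != nil {
		return StoredCredentials{}, err
	}
	plain, err := json.Marshal(creds)
	if err != nil {
		return StoredCredentials{}, err
	}
	ct, err := sealAESGCM(dek, plain, []byte(tenantID))
	if err != nil {
		return StoredCredentials{}, err
	}
	return StoredCredentials{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// LoadCredentials unwraps the DEK and decrypts the row on demand, i.e. only
// at the moment a payment for that tenant has to be processed.
func LoadCredentials(kek []byte, row StoredCredentials) (BraintreeCredentials, error) {
	dek, err := openAESGCM(kek, row.WrappedDEK, []byte(row.TenantID))
	if err != nil {
		return BraintreeCredentials{}, fmt.Errorf("unwrap DEK for %s: %w", row.TenantID, err)
	}
	plain, err := openAESGCM(dek, row.Ciphertext, []byte(row.TenantID))
	if err != nil {
		return BraintreeCredentials{}, fmt.Errorf("decrypt credentials for %s: %w", row.TenantID, err)
	}
	var creds BraintreeCredentials
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

func main() {
	kek := make([]byte, 32) // constructed demo KEK; a real one comes from a secrets store, not the DB
	io.ReadFull(rand.Reader, kek)
	in := BraintreeCredentials{MerchantID: "example-merchant", PublicKey: "example-pub", PrivateKey: "example-priv"}
	row, _ := StoreCredentials(kek, "tenant-42", in)
	out, err := LoadCredentials(kek, row)
	fmt.Println("round trip:", out.MerchantID, err)
	row.TenantID = "tenant-99" // same row attributed to another tenant: AAD check fails
	_, err = LoadCredentials(kek, row)
	fmt.Println("cross-tenant load:", err)
}
```

Wrapping a per-tenant DEK rather than encrypting every row directly under the KEK keeps KEK rotation cheap (rewrap the small DEKs, not every credential blob) and gives each tenant an independent key to revoke, which is the "tenant-based keys" idea from the answer without requiring tenants to manage cryptographic configuration themselves.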

So Braintree responded to this question with:

So long as your system is PCI compliant, and your merchants are aware that their API keys are stored on your server, then you should be fine. How you store the integration API keys is completely up to you, and [we] don’t really have any best practices to offer.

So, it doesn't seem like this case affects the PCI/DSS scope of our product, and it seems we are free to choose an appropriate way to store the private API keys that we obtain (Saravanan's suggestion is one possible option).

sammy34