Question

We're building a multi-tenant SaaS web application. Our tenants want the option to accept credit card payments for the various products that we allow them to market through our application. To support this we will require that the tenant has their own Braintree account. The tenant provides us with their Braintree API keys through our app. We then use those API keys to interact with their Braintree account on their behalf (card storage, card verification and basic transactions).

This model is the same as the model used by the existing Braintree customers WooThemes, Goodsie, TutorTrove and many more.

We need to record the tenant's API info (merchant ID, public API key and private API key) for this all to work.

My questions are:

  1. Can we simply store this information in our application database?
  2. Does storing this information affect the PCI/DSS scope of us or our tenants?
  3. If we can't store the information in raw form, what is an appropriate storage form?

Note: we have contacted Braintree directly with this same question, but we didn't think it would hurt to get other opinions as well :).

Cheers, Sam


Solution 2

So Braintree responded to this question with:

So long as your system is PCI compliant, and your merchants are aware that their API keys are stored on your server, then you should be fine. How you store the integration API keys is completely up to you, and [we] don’t really have any best practices to offer.

So, it doesn't seem like this case affects the PCI/DSS scope of our product, and it seems we are free to choose an appropriate way to store the private API keys that we obtain (saravanan's suggestion is one possible option).

OTHER TIPS

IMHO, please note that you will be [if not, should be] having tenant-based crypt keys [each tenant can configure their own cryptographic algorithm and the keys => SaaS customization]. Please do encrypt the AuthorizationId using the tenant-specific keys and then persist it in the database. This kind of sensitive data should be secured, and you should have a note stating that you are maintaining these keys in the database so that the tenants can opt out if not required and manually enter the key whenever required. This will ensure safety. By the way, is your application using SSL?

Please do share your thoughts on this suggestion.
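As an added example that is not part of the question or either answer, here is one concrete storage form along the lines saravanan suggests: each tenant has its own data-encryption key, and the Braintree credentials are encrypted with AES-256-GCM before they are persisted, with the tenant ID and column name bound as associated data so a ciphertext cannot be silently moved to another tenant's row. It assumes the 32-byte per-tenant key is supplied by a KMS or vault (the random key in `main` is constructed for the demo), and the tenant ID and column name are hypothetical values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

func newGCM(tenantKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(tenantKey) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// sealCredential encrypts one Braintree credential (e.g. the private API key) for storage.
// Tenant ID and column name are bound as associated data, so it will not decrypt elsewhere.
func sealCredential(tenantKey []byte, tenantID, field, plaintext string) (string, error) {
	gcm, err := newGCM(tenantKey)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every encryption
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(tenantID+"|"+field))
	return base64.StdEncoding.EncodeToString(sealed), nil // nonce || ciphertext || tag
}
// openCredential reverses sealCredential; tampering or a tenant/column mismatch fails.
func openCredential(tenantKey []byte, tenantID, field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(tenantKey)
	if err != nil || len(raw) < gcm.NonceSize() {
		return "", fmt.Errorf("stored credential unusable: %v", err)
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(tenantID+"|"+field))
	return string(pt), err
}
func main() { // constructed demo; a real per-tenant key would come from a KMS or vault
	key := make([]byte, 32)
	rand.Read(key)
	stored, _ := sealCredential(key, "tenant-42", "braintree_private_key", "example_private_key")
	fmt.Println(openCredential(key, "tenant-42", "braintree_private_key", stored))
}
```

The tenant's public key and merchant ID can be stored the same way or in the clear; only the value that authorises transactions needs this treatment, and the per-tenant key must never sit in the same database as the ciphertext.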

Licensed under: CC-BY-SA with attribution