
I am evaluating some Payment Gateway options and am looking at PayPal's vault option (similar to Braintree's vault).

What I found is that in the case of Braintree's vault storage, I can send credit card info securely (encrypted) to be stored on their servers, thus obviating the necessity of PCI compliancy issues.

Does PayPal's vault storage API have a similar way of sending the encrypted credit card info? I am looking at their documentation and it seems as though I need to send un-encrypted data to their vault.

Am I wrong in making this assumption? I would be very much interested as this will make me discard PayPal and go with Braintree as our Payment Gateway Service.

Thanks in advance.

agf
lzp

1 Answer


Depending on which PayPal service you specifically are wanting to use, both PayPal and Payflow have a similar service. You can find information on PayPal's Vault on PayPal's Developer site. If you are wanting to use Payflow, you can have Payflow store the customer's credit card information. Have a look at the Payflow Gateway Developers Guide. Page 76 has information on the Data Upload feature.

PP_MTS_Chad
  • @Chad, thanks for the reply. Looked at the page you pointed out but the request doesn't seem to have been encrypted... This is an example upload transaction request: TRXTYPE=L&TENDER=C&ACCT=5105105105105100&EXPDATE=1215&BILLTOFIRSTNAME=Ted&BILLTOLASTNAME=Smith&BILLTOSTREET=123&BILLTOCITY=SanJose&BILLTOSTATE=CA&BILLTOZIP=12345&BILLTOPHONENUM=123-123-1234 – lzp Apr 18 '13 at 19:09
  • The string that you are providing is the NVP string, this is readable on your side. The SSL encrypts the data when it is sent over to PayPal/Payflow. A secure certificate is technically not required to use Website Payments Pro or Payflow Pro, but we highly recommend using SSL, as Pro encrypts only the connection between the Pro client located on the merchant's web server and the PayPal processing servers. It does not encrypt the connection between the merchant's web server and the customer's computer. – PP_MTS_Chad Apr 18 '13 at 19:41
  • Thanks for the update Chad. Really appreciate it. Another question :) Does the customer get redirected to the PayPal website to complete the checkout? Or is there a way to keep the customer within our website? If so can I use vault for this API as well? – lzp Apr 24 '13 at 12:57
  • You can use the APIs and keep the user on your site without sending them over to PayPal. – PP_MTS_Chad Apr 24 '13 at 19:25
  • @Chad, thanks for the update. Just to confirm, I have the following two requirements: 1) store the credit card information on PayPal's servers so that we don't have to worry about the PCI compliancy 2) customer should be able to complete the transaction. So I should be able to achieve these two requirements, right? – lzp Apr 24 '13 at 21:02
  • @Chad I meant to say 2) Customer should be able to complete the transaction without leaving the website... Could you please suggest the right PayPal product that would satisfy these two requirements so that I can start looking at their API? – lzp Apr 25 '13 at 12:36
  • Either one of the services would work that I previously listed, so it would be up to you as to which one you want to use. However, the REST APIs are fairly new and are only available currently in the US. Eventually they will be rolled out and made available in other countries but currently they are only available in the US. – PP_MTS_Chad Apr 25 '13 at 12:57
  • @Chad, a couple more questions... 1) So PayPal Vault is a separate product then? Or could it be used in conjunction with PayPal Advanced, the one which I am trying to use? 2) With PayPal Advanced, how can I retrieve stored credit card info? Say for example, the user enters all the credit card details the first time. For all the subsequent user visits, I want to present the user with the credit card details (all the credit cards if the user has stored more than one) she has stored. So does the PayPal server return a transaction id that I can use for subsequent visits? – lzp Jul 12 '13 at 14:51
  • I don't believe the upload data option presented here removes any PCI compliance issues. This still requires the server to obtain the credit card information from the client and transfer it to PayPal, just as you would have to with a normal transaction. The only difference is that you now have to do two API calls, one upload transaction (TRXTYPE=L) and one sale transaction (TRXTYPE=S) instead of just one. – user1978317 Apr 15 '14 at 21:57
  • @user1978317 As long as you transmit the credit card data directly to PayPal Vault using SSL it is PCI compliant. – Matt K Oct 17 '16 at 19:18