Oftentimes, companies using Payment Center go through audits, whether internal or external, to assess their PCI compliance. This article aims to help our customers with their audits or assessments by describing how credit card data is handled within Payment Center.

Background

First off, let's look at the design and underlying architecture.

Payment Center is designed to be installed in our customers' Salesforce organization (ORG). This means that it runs entirely on top of the Salesforce platform. In Salesforce's parlance, our app is a "native" app because it coexists with Salesforce's own apps and all the other apps developed by other vendors. Kulturra does not maintain or have access to the platform the app runs on.

The Payment Process

So how is a credit card transaction performed in Payment Center? More specifically, who (or what) "touches" the credit card data during a transaction?

Where is the credit card entered?

It starts at the payer's browser. The payer may have received an invoice with a link to pay online. This link will open up a browser and direct them to a payment page where they enter their credit card information. This page is part of Payment Center and is hosted in our customer's Salesforce ORG.

Does this mean then that the Salesforce ORG "touches" the credit card data? The answer is "it depends".

How is credit card data passed from the browser to the gateway?

There are two ways credit card data is passed from the browser to the payment gateway. One is the JavaScript method and the other is the Server-side method.

JavaScript method

With this method, credit card data is passed from the payer's browser directly to the payment gateway. Credit card data does not pass through Salesforce in this method.

In general, this is the preferred method. However, not all gateways offer it. Payment Center implements this method if the gateway offers it.

Server-side method

With this method, credit card data is passed from the payer's browser to Salesforce, then to the payment gateway. Salesforce servers "touch" the credit card data in this case, but the data is not saved at this point; it is simply "passing through".

Most processors offer this method. Payment Center implements this if the JavaScript method is not available.

What happens to the result of the transaction?

After the credit card is successfully processed by the gateway, the result is recorded as a payment in Salesforce. A payment profile will also be created if the setting is enabled.

The payment and the payment profile may or may not store the credit card number depending on the tokenization setting in Payment Center.

Tokenization

If tokenization is enabled, credit card numbers won't be stored in the payment and profile records in Salesforce. Instead, a token that represents the credit card is stored. This token is generated by the gateway and can be re-used in the future.

If this is not enabled, credit card numbers are stored in encrypted fields.
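
One way an assessor can check the tokenization behavior described above on a CSV export of payment and payment profile records. This is an added example, not Payment Center or Kulturra code; the export layout and column names are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(csv_text: str):
    """Return (record id, column) for every cell holding a likely card number."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            if not isinstance(value, str):
                continue  # skip missing cells and overflow columns
            for match in PAN_CANDIDATE.finditer(value):
                if luhn_valid(re.sub(r"\D", "", match.group())):
                    # Report the location only; never echo the number itself.
                    findings.append((row["Id"], column))
                    break
    return findings


# Constructed sample export. Column names are hypothetical, and
# 4111111111111111 is the well-known Visa test number, not a real card.
SAMPLE_EXPORT = """Id,Card_Reference,Last4,Memo
a01,tok_constructed_8f3a2c,1111,Invoice 1001
a02,4111 1111 1111 1111,1111,Invoice 1002
a03,tok_constructed_77b0de,4242,Order ref 1234567890123456
"""

if __name__ == "__main__":
    for record_id, column in find_pans(SAMPLE_EXPORT):
        print(f"possible card number in record {record_id}, column {column}")
```

The 16-digit order reference in record a03 fails the Luhn checksum and is not reported, which keeps ordinary reference numbers out of the findings.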

How about credit card data in transit?

So far we've talked about how credit card data is stored, but what about while it is passed from the browser to Salesforce to the gateway? Is it protected?

The answer is yes.

With the JavaScript method, the gateways usually provide a JavaScript library that is served over Transport Layer Security (TLS). Each gateway has its own documentation, but here's an example from Stripe: https://stripe.com/docs/security

With the server-side method, Salesforce sends this data over TLS as well. Here is documentation indicating the use of TLS when sending data (or Apex Callouts):

Conclusion

In summary, Payment Center has implemented all the appropriate security measures in handling credit card data whether our customers want to store credit cards or not.

For PCI compliance, it is advisable to enable tokenization so credit cards won't be stored in Salesforce.