Guideline on PCI compliance
Posted: Mon May 14, 2012 11:39 pm
by pokemon007
Is there any guideline to use Broadleaf Commerce that can be PCI compliant? We plan not to store customer credit cards in our own system, but store it in a third-party system, for instance, a payment gateway provider. What security measure do we need to follow if we build a commerce platform based on Broadleaf Commerce framework?
Thank you!
Re: Guideline on PCI compliance
Posted: Wed May 16, 2012 11:50 am
by bpolster
While we understand the software requirements of PCI, the team at Broadleaf does not have expertise in the operational and infrastructure processes required to be compliant.
Broadleaf Commerce can be configured to store credit cards in a PCI compatible way. We've designed the system to store credit cards in a completely different schema than the rest of the application per PCI guidelines. The data can be encrypted using a number of approved formats.
We recommend that you do just as you have described and not store the credit card in your own DB. Going even further, we recommend using a payment gateway that does not require the credit card to even go through your network. Most gateways support this idea and essentially issue you an approved token that you will use to charge the customer instead of the actual card.
- Brian
Re: Guideline on PCI compliance
Posted: Sun May 27, 2012 10:48 pm
by pokemon007
Thank you, Brian. Does Broadleaf Commerce have APIs/sample code for calling a payment gateway and persisting a payment token without the credit card going through our server?
Appreciate!
Re: Guideline on PCI compliance
Posted: Tue May 29, 2012 1:06 am
by maheshcet
Brian, thanks for your reply above. I am interested in knowing more about the approved encryption formats you have mentioned. Can you please let me know how to implement some of them or where I can find more information?
Re: Guideline on PCI compliance
Posted: Fri Jun 01, 2012 3:53 pm
by pokemon007
Hi Brian,
I guess many BroadleafCommerce users may need help on payment gateway setup with PCI compliance. If you can give us some guidelines for the initial steps, users like me may start working on it, and at the end of the trial (hope we succeed), we can help put together a complete document for other users to follow in the future. Don't know if you like this fashion of collaboration. If yes, this can apply to other areas as well, as I can see BroadleafCommerce has great features but lacks detailed documentation.
Thank you!
Re: Guideline on PCI compliance
Posted: Mon Jun 04, 2012 8:04 am
by bpolster
We are actively working on improved documentation including a guide to using the included payment gateways. We are likely 6 weeks out on the revised documentation but will try to post incrementally here as items are completed.
Re: Guideline on PCI compliance
Posted: Tue Jun 05, 2012 3:05 am
by pokemon007
Again, thank you, Brian! It'll be great to have such a document. However, we have a project to get out the door soon. Our Phase I option is to store the credit card, billing address, etc. in a payment gateway without going through our service. As you said before and per the document, BroadleafCommerce does support this option. If you can point me to the code location(s), I would appreciate it and will dive into it to get it moving.
A related question about payment: it looks like BroadleafCommerce only implements single-phase authorization. I don't see two-phase authorization and settlement.
Appreciate it!
Re: Guideline on PCI compliance
Posted: Mon Aug 13, 2012 5:04 pm
by elbertbautista
In regards to PCI Compliance and Broadleaf, we have updated our documentation to address this question:
http://docs.broadleafcommerce.org/curre ... e.html#PCI
With the new 2.0 release we have also released several third party payment gateway integrations that allow you to avoid most PCI Compliance concerns.
Re: Guideline on PCI compliance
Posted: Tue Aug 21, 2012 3:29 am
by pokemon007
This is great! Just one more question: does it support 2-phase transactions (authorize and capture payment)? I don't see that the document addresses it.
Thank you!
Re: Guideline on PCI compliance
Posted: Tue Aug 21, 2012 11:14 am
by elbertbautista
Broadleaf does support 2-phase transactions; however, you will need to customize and extend Broadleaf to achieve it. Out of the box, all of Broadleaf's third party payment modules support authorizeAndDebit (single transaction). The default Checkout workflow is also set to authorizeAndDebit, so you will need to override that as well to achieve a 2-phase transaction.
All third party modules implement the interface PaymentModule:
// Contract every third party gateway module implements (method signatures as posted).
// authorize/debit are the two halves of a 2-phase transaction; authorizeAndDebit
// is the single-transaction form used by the default Checkout workflow.
public interface PaymentModule {
    PaymentResponseItem authorize(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem reverseAuthorize(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem debit(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem authorizeAndDebit(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem credit(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem voidPayment(PaymentContext paymentContext) throws PaymentException;
    PaymentResponseItem balance(PaymentContext paymentContext) throws PaymentException;
}
The implementations differ from Payment Gateway to Payment Gateway, so you will need to look at the source of the Broadleaf third party module as well as the documentation of your chosen Payment Gateway to see if they also support two-phase transactions.
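As an added example (not code from Broadleaf or any gateway), here is the two-phase, token-based flow discussed in this thread modelled in plain Java against a stand-in gateway: the constructed `tok_...` value is the only card-related data the server ever holds, `authorize`/`capture` correspond to PaymentModule's authorize/debit, and `release` to reverseAuthorize/voidPayment. All class and method names below are assumptions for illustration.

```java
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example, not Broadleaf code: a 2-phase flow over a tokenizing gateway.
// The storefront sends the card straight to the gateway; only a token reaches us.
public class TwoPhaseTokenPayments {

    // Hypothetical stand-in for the gateway's API; holds are keyed by authorization id.
    static final class Gateway {
        private final Map<String, BigDecimal> openHolds = new HashMap<>();

        // Phase 1 (PaymentModule.authorize): place a hold for the amount against the token.
        String authorize(String token, BigDecimal amount) {
            // Make the "no card data on our side" rule explicit: refuse anything but a token.
            if (!token.startsWith("tok_")) throw new IllegalArgumentException("expected a gateway token");
            String authId = "auth_" + UUID.randomUUID();
            openHolds.put(authId, amount);
            return authId;
        }

        // Phase 2 (PaymentModule.debit): capture at most the held amount, and only once.
        String capture(String authId, BigDecimal amount) {
            BigDecimal held = openHolds.remove(authId);
            if (held == null) throw new IllegalStateException("no open authorization " + authId);
            if (amount.compareTo(held) > 0) throw new IllegalStateException("capture exceeds authorization");
            return "cap_" + UUID.randomUUID();
        }

        // PaymentModule.reverseAuthorize / voidPayment: release a hold that will not be captured.
        void release(String authId) {
            if (openHolds.remove(authId) == null) throw new IllegalStateException("nothing to release");
        }
    }

    // authorizeAndDebit (the default Broadleaf checkout behaviour) is simply both phases at once.
    static String authorizeAndDebit(Gateway gw, String token, BigDecimal amount) {
        return gw.capture(gw.authorize(token, amount), amount);
    }

    public static void main(String[] args) {
        Gateway gw = new Gateway();
        String token = "tok_constructed_example";                      // constructed sample token
        String authId = gw.authorize(token, new BigDecimal("49.99"));  // at checkout
        String capId = gw.capture(authId, new BigDecimal("45.00"));    // at shipment, partial capture
        System.out.println("captured " + capId + " against " + authId);
        String cancelled = gw.authorize(token, new BigDecimal("10.00"));
        gw.release(cancelled);                                         // order cancelled: no charge made
        System.out.println("single-phase: " + authorizeAndDebit(gw, token, new BigDecimal("5.00")));
    }
}
```

A real PaymentModule implementation would persist the gateway's authorization id on the order between the two phases so the later debit call can reference it.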