Customer Story: Branch
Branch Case Study Overview
To avoid vendor lock-in, Branch needed to decouple their CDE from their PSP
Turned to Basis Theory for universal tokens that could pair with any PSP
Built a proof-of-concept in one day and went live in a few weeks
What is Branch?
Branch provides consumers with affordable and personalized insurance policies in seconds.
Branch attributes its unicorn status to focusing exclusively on its core product—an approach made possible by offloading non-differentiating pieces of its infrastructure to specialized services.
With scale, however, came new needs, like reducing transaction costs, adding additional payment service providers (PSPs), and facilitating transactions with third-party partners. Unlocking these capabilities would require significant backend investments and challenge Branch's "core-only" strategy.
Putting the challenge into context
Branch used a single PSP to process customer credit card payments on its website. As part of its processing services, the PSP provided the hosted iframes and infrastructure needed to compliantly collect, store, and charge credit cards on a recurring basis.
Instead of storing cardholder data itself, Branch received unique tokens from its PSP. These tokens let Branch charge cards while avoiding the compliance cost and distraction of securing cardholder data in its own systems, but they were issued by, and only redeemable at, that one PSP: the underlying cards could be used nowhere else.
As they grew, new opportunities to partner with other insurance carriers emerged. By surfacing third-party policies where gaps existed in its own coverage (e.g., motorcycle insurance in California), Branch could continue to reach into new markets, support its customers, and generate revenue.
While Branch's "one-stop" shopping experience would be convenient for consumers, it would also expose the handcuffs between Branch and its PSP. To process payments, Branch's partners needed its customers' cardholder data, which Branch's current system could not access, and which Branch had neither the security nor the compliance posture to handle. To compound the problem, Branch's PSP tokens were specific to that PSP and would be useless to its partners.
Without a compliant way to share cardholder data, the only way to offer partner policies was to have customers call the partner separately to complete the purchase.
As Branch began to look for solutions, its CTO, Joe Emison, learned about tokenization service providers or, as he puts it, "Stripe without the processing." With these services, a company gets its own PCI-compliant cardholder data environment (CDE), hosted by the provider, in which it can collect, store, and share cardholder data without expanding its own PCI scope or building and maintaining the necessary infrastructure.
Branch found and chose Basis Theory’s compliance engineering platform, citing its developer experience, approach to serverless, and strong security posture.
“By storing cards with Basis Theory, we have more flexibility in optimizing our payment stack and reacting to our customers' needs. It’s made compliance a competitive advantage for us.”
Joe Emison, CTO of Branch
Elements: To collect credit cards, Branch replaced its PSP's hosted iframe with the equivalent hosted form offered by Basis Theory. The new form matches the look and feel of its website, and because it tokenizes into Branch's own CDE rather than into a PSP, it can sit in front of any PSP or partner.
Cardholder data environment (CDE): In less than a minute, Branch spun up a dedicated Level 1 PCI-compliant and SOC 2 Type II environment, giving it a secure place to receive and store its existing credit and debit card data. Recurring scheduled payments were not impacted. Because Basis Theory's universal tokens abstract away PSP-specific tokens, the same stored card can be used with any PSP or partner.
Proxy: The routing service lets Branch transform and forward payloads to meet the API specification of any partner or PSP, so that party can process the payment downstream while the cardholder data never passes through Branch's own systems.
Using Basis Theory’s infrastructure, hosted iframe, and proxy service, Branch can collect, store, transform, and route cardholder data to any number of PSPs and third parties.
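The following is an added illustration of the pattern those three components implement: a vault that swaps a card number for an opaque token the merchant can store, and a forwarding proxy inside the CDE that renders a merchant-built request template, replaces token placeholders with the real card number, and hands the result to whichever PSP is being called. It is not Basis Theory's API or Branch's code; the `tok_` prefix, the `{{...}}` placeholder syntax, and the two PSP request shapes are hypothetical, and the sample card number is a constructed test value.

```python
"""Universal-token vault plus forwarding proxy (illustrative, not a vendor API)."""
import json
import re
import secrets

# Placeholder syntax assumed for this example: "{{tok_...}}" inside a request body.
TOKEN_RE = re.compile(r"\{\{\s*(tok_[A-Za-z0-9_-]+)\s*\}\}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the standard self-check on a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Lives inside the CDE. Keeps the PAN, hands out a random token that
    carries no card information, so the merchant can store it anywhere."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}  # token -> PAN; a real vault encrypts at rest

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("not a plausible card number")
        token = "tok_" + secrets.token_urlsafe(16)  # unguessable, not derived from the PAN
        self._pans[token] = digits
        return token

    def last4(self, token: str) -> str:
        """The only card detail the merchant application ever needs to display."""
        return self._pans[token][-4:]

    def detokenize(self, token: str) -> str:
        """Called only by the proxy, never by the merchant application."""
        return self._pans[token]


class ForwardingProxy:
    """Also inside the CDE: takes a request template containing only tokens,
    substitutes the PANs, and returns the body to send to the PSP."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault

    def render(self, template: dict) -> dict:
        body = json.dumps(template)
        body = TOKEN_RE.sub(lambda m: self.vault.detokenize(m.group(1)), body)
        return json.loads(body)


# Merchant-side request builders. The field names are hypothetical; the point
# is that both are built from the same token, so the card is not tied to one PSP.
def psp_a_charge(token: str, amount_cents: int) -> dict:
    return {"card_number": "{{" + token + "}}", "amount": amount_cents, "currency": "usd"}


def psp_b_charge(token: str, amount_cents: int) -> dict:
    return {"payment": {"card": {"number": "{{" + token + "}}"},
                        "total": f"{amount_cents / 100:.2f}"}}


def merchant_sees_pan(template: dict, vault: CardVault, token: str) -> bool:
    """Check that the template the merchant holds contains no card number."""
    return vault.detokenize(token) in json.dumps(template)


if __name__ == "__main__":
    vault = CardVault()
    proxy = ForwardingProxy(vault)
    tok = vault.tokenize("4111 1111 1111 1111")  # constructed test number
    print("merchant stores:", tok, "ending in", vault.last4(tok))
    print("to PSP A:", proxy.render(psp_a_charge(tok, 1999)))
    print("to PSP B:", proxy.render(psp_b_charge(tok, 1999)))
```

The merchant application only ever handles the token and the template; the PAN appears in memory only inside the proxy, after rendering, which is what keeps the merchant's own systems out of PCI scope while still letting any PSP receive the full card number.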
Branch completed its proof of concept in one day, went live a few weeks later, and maintained its existing PCI DSS compliance scope. As a result, the insurance marketplace has the flexibility and compliance posture to offer a single-click payment experience and improve redundancy, authorization rates, and costs with multiple PSPs.
“Your compliance infrastructure won’t differentiate your product, but it will impact your ability to differentiate and do it quickly. With Basis Theory we get compliance and speed without sacrificing flexibility.”
Joe Emison, CTO of Branch