Passes Journeyed From Payment Provider Nightmare to Payments Optionality with Basis Theory
Passes Case Study Overview
Creator platform considered "high risk" to PSPs
Turned to Basis Theory for payments optionality, including cascading payments
Integrated with Basis Theory in 2 weeks
Descoped 90% of PCI requirements
Patrick Zhang, the tech lead at Passes, found himself scrambling at two in the morning to integrate a new payment service provider (PSP) after the one they were using shut them off without warning. “It was terrible. I had to get up in the middle of the night and integrate our payment system with Stripe because they're quick to integrate with. But then we realized that no one PSP was going to last forever and we needed a fundamentally new solution to make sure that we won't be in danger of this happening again.”
Passes is a Miami-based creator platform that enables fans to access exclusive content and experiences. The platform provides tools for the web3 creator economy, which allows creators to unlock exclusive content and IRL experiences. Founded in 2022, Passes has a similar business model to OnlyFans or Fansly, empowering creators to monetize on their own.
Struggles with Payment Service Providers
With a team drawn from a tech background, Passes seeks to revolutionize the creator economy by enabling seamless and secure transactions between creators and their fans. However, the team had trouble building relationships with payment providers because of the perceived high-risk nature of the platform. Passes has strict content rules and does not allow nudity on its platform, but given the level of control creators have over what they offer, Passes is still viewed as a high-risk platform. Unfortunately, many PSPs specializing in high-risk transactions were slow, difficult to work with, and could shut them down without warning.
Patrick was in charge of engineering and product design, including getting payments working. He recalled, "We were working with a PSP, and they said they were okay with our business but they ended up going back on their word and shutting us off without any warning." Passes had to quickly integrate with another payment provider in the middle of the night, but there was a risk they would be shut down there too. He continued, "We wanted to make sure that we're always in a position where we will have a provider even if something happens."
The team decided to store credit card information so that they could have a cascading payment provider system, where alternate PSPs could be engaged for processing depending on factors such as price, geography, and type of transaction. Patrick explained, "We decided that relying on a single payment system wasn’t going to cut it, so we started looking into actually storing our own cardholder data.” But the team didn’t know where to start, and the required PCI-DSS compliance seemed insurmountable. “We really didn't have any experience with payment providers or traditional finance systems. We all came from other aspects of tech and we only vaguely knew even what PCI compliance was."
Risks and Complexity of Storing Credit Card Data
The team started down the path of building out their own cardholder data environment (CDE) and engaged with a qualified security assessor (QSA) for PCI compliance purposes. Patrick recalled, “We realized quickly this was way too much. Even just filing for PCI compliance would have taken way too long. It's not even issues with our engineering resources; AWS has built-in security solutions and network segregation, it's all the policies and testing afterwards to harmonize them with PCI requirements that is the problem.”
“Bringing other employees into scope of needing to know policies, dealing with things under risk, more people would have to be interviewed by the QSA, more people would have to go through training and be a part of the process. This would put in scope employees that weren’t even involved in payments in any way,” Patrick remembered, “So I just started thinking: if someone else could do it for us that would be great.”
Quickly Implementing Basis Theory to Achieve PCI Compliance
That's when they found Basis Theory, a PCI-compliant cloud provider for data encryption and storage, through their QSA. The team replaced the front-end component with the Basis Theory card Elements and used the Basis Theory Proxy to send data to PSPs. Patrick was impressed with Basis Theory's product and documentation, saying, "I can tell that the engineering of the actual product itself kept in mind how engineers tend to go around and think about things."
The implementation process only took two weeks, which was impressive considering how complex PCI compliance is. They were then quickly able to complete an SAQ D to get PCI compliance, but they only had to answer the questions required for an SAQ A-EP, a much shorter form for merchants who outsource their payment channels to compliant third parties like Basis Theory. Patrick noted, "I think literally the number of requirements gets reduced by 90%, I think it goes from 215 to 22." With Basis Theory, Passes was also able to work with a broad range of PSPs, even those built on older technology or that only accept JSON or CSV-string payloads.
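As an added illustration (not Passes' or Basis Theory's code) of the two ideas on this page, the cascading provider routing described earlier and the token-only data flow described here: the application holds an opaque vault token plus the last four digits, rejects anything that looks like a raw card number so it stays out of PCI scope, and tries eligible PSPs in order by geography, transaction type and amount, falling through when one is down or has cut the merchant off. The token format, rule fields and provider callables are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

def looks_like_pan(value: str) -> bool:
    """True for a 13-19 digit string that passes Luhn, i.e. a raw card number."""
    if not value.isdigit() or not 13 <= len(value) <= 19:
        return False
    digits = [int(ch) * (2 if i % 2 else 1) for i, ch in enumerate(reversed(value))]
    return sum(d - 9 if d > 9 else d for d in digits) % 10 == 0

@dataclass(frozen=True)
class CardToken:
    token_id: str  # opaque vault reference (hypothetical format); the app never holds the PAN
    last4: str
    def __post_init__(self):
        if looks_like_pan(self.token_id):  # a raw PAN here would drag the app into PCI scope
            raise ValueError("raw card number supplied where a vault token was expected")
@dataclass(frozen=True)
class Charge:
    amount_cents: int
    country: str  # customer billing country, ISO code (constructed input)
    kind: str     # transaction type, e.g. "unlock", "tip", "subscription"
@dataclass
class Provider:
    name: str
    countries: frozenset  # countries this PSP will process
    kinds: frozenset      # transaction types it accepts
    max_amount_cents: int
    charge: Callable[[str, Charge], bool]  # called via the vault proxy: gets the token, returns approved?

class ProviderUnavailable(Exception): ...  # PSP is down or has cut the merchant off
def eligible(p: Provider, c: Charge) -> bool:
    return c.country in p.countries and c.kind in p.kinds and c.amount_cents <= p.max_amount_cents

def cascade_charge(token: CardToken, charge: Charge, providers: list) -> tuple:
    """Route to the first eligible PSP; fall through to the next on outage or decline."""
    attempts = []
    for p in providers:
        if not eligible(p, charge):
            attempts.append((p.name, "skipped"))
            continue
        try:
            approved = p.charge(token.token_id, charge)
        except ProviderUnavailable:
            attempts.append((p.name, "unavailable"))
            continue
        attempts.append((p.name, "approved" if approved else "declined"))
        if approved:
            return p.name, attempts
    return None, attempts
```

The attempt log is what you would ship to monitoring: a run of "unavailable" results from one provider is the early warning that a PSP has started to cut you off.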
Basis Theory provided the solution Passes needed to continue its mission of enabling creators to monetize their content securely and efficiently. With the help of Basis Theory, Passes was able to navigate the challenges of high-risk payment service providers, store credit card information securely, and achieve PCI compliance without extensive and resource-intensive efforts. The team was impressed with Basis Theory's product and documentation, and the implementation process only took two weeks, enabling Passes to get back on track quickly. By partnering with Basis Theory, Passes was able to build a solid foundation for its payment system, ensuring it would always be in a position to have a provider to process transactions for its platform.