How Streamline used tokenization to protect their developer experience
Learn how one early-stage company is using Basis Theory to help its customers build their ideal payment workflows and avoid PCI compliance scope.
The context
Over the last decade, business automation platforms have helped millions of resource-strapped startups and agencies streamline their day-to-day operations with simple drag-and-drop tools, pre-configured workflows, and standardized schemas.
Useful as these tools are, Cameron Sechrist and Carlos Lima were frustrated by their lack of configurability and one-size-fits-all mentality. They launched Streamline to give small-to-medium-sized enterprises and tech-savvy entrepreneurs a platform to quickly and efficiently program and scale their day-to-day operations.
The problem
Payment workflows are highly contextual and regulated, providing Streamline an incredible opportunity to help customers (i.e. developers) build automations specific to their needs. To do so, Streamline needed to overcome two significant challenges:
Getting PCI compliant: Historically, the only way to enable the kind of flexibility Streamline wished to provide its customers was to build out and support a PCI-compliant cardholder data environment (CDE), platform, and program. Although they had initially decided to pursue PCI Level 1 certification, Cameron and Carlos determined that the cost and time to build and maintain this infrastructure would detract from their core product, and that storing this data posed too much risk to the company.
Maintaining flexibility: While Streamline wished to shield its customers from the PCI burden, it knew that a complex or prescriptive solution would limit its platform’s capabilities and value to its customers. Streamline reviewed popular payment processors, but each diluted its value proposition with constraints and gaps or required additional workarounds. If Streamline were to build a dynamic and programmable platform to enable dynamic and programmable payment workflows, they’d need a “non-opinionated” and “modern” solution.
Streamline needed a solution that afforded its developers the flexibility of owning their card data without the costs, timelines, and risks to secure it.
Data Security as a Service and a false start
Cameron’s background as a developer and his familiarity with payments and banking led him to investigate tokenization platforms. These specialized platforms provide the PCI-compliant infrastructure, developer tools, and services needed to collect, secure, and use card data—without exposing their clients’ systems to the underlying sensitive information.
“Without tokenization, we wouldn’t be able to offer our payments product”
Cameron originally contracted with “a tokenization provider that had been around for a while.” Unfortunately, upon interacting with the vendor’s “expensive” CDE and platform, Cameron realized his customers would struggle with its aging tools, APIs, and prescriptive design.
“As a platform aimed at developers, any constraint or limitation placed on us by a vendor impacts our product. As developers, our customers will notice when iFrames don’t render correctly in React. We want to give them providence, but it felt like—with this vendor—we were taking that away piece-by-piece,” said Cameron.
The solution
A fresh start at tokenization with Basis Theory
Having heard about their frustrations, their auditor mentioned Basis Theory.
“I about fell out of my seat when I looked at Basis Theory’s developer documentation and tokens,” said Cameron. “Basis Theory’s non-opinionated platform meant we could pass on more flexibility and control to our customers. In this space, that’s a huge differentiator for us.”
In just two weeks, the Streamline team built a proof of concept and completed their implementation. As an added benefit, Cameron eliminated over 100 lines of “workaround code” written to address gaps from the previous vendor.
The implementation
Securing high-risk data using Basis Theory’s PCI Compliant Environment
The development and documentation required to stand up a secure PCI Level 1 cardholder environment can take weeks or even months to build and can cost hundreds of thousands of dollars each year to maintain and audit.
While their previous provider charged Streamline a five-figure sum for access to its cardholder environment, Basis Theory’s self-serve approach allowed Streamline to spin one up in less than 30 seconds and at no additional cost.
“By storing our data in Basis Theory’s cardholder environment, we get a safe, compliant, and flexible infrastructure built and maintained by experts.”
Collecting card data using Elements
Streamline customers needed to collect payment information in their application without exposing themselves to the underlying data. To keep their systems out of scope, Streamline used Basis Theory’s Elements.
Modern, modular, and configurable, Elements provides easily styled UI components that can be seamlessly embedded into JavaScript and React applications. The components collect sensitive card data in the browser and pass it directly to Basis Theory, so the card number never transits the application’s own servers and the application stays out of PCI scope.
Sharing tokenized data with any third-party processor using Proxy
Streamline felt it was important that customers could connect their existing payment providers to automated payment workflows. Unfortunately, each provider, like Stripe or Tabapay, requires a different messaging format. Streamline needed a way to detokenize, transform, and route the card data from their Basis Theory environment to their customers’ various payment providers without touching it themselves.
Streamline used Basis Theory’s Reactors, which are configurable serverless functions that can tokenize, detokenize, and transform tokens stored in the Basis Theory environment, and Proxy, a programmable service used to send and receive payloads to and from any third-party endpoint.
By programming Reactors and Proxy, Streamline could offer pre-configured connections to popular payment providers, allowing their customers to route payments to their processors without exposing themselves to their end users’ card information.
Comparing tokenization platforms
| Challenges | Basis Theory | Previous Vendor |
|---|---|---|
| Cardholder Environment | Free, instantaneous access to and control over their PCI- and SOC 2-certified cloud CDE | Required a five-figure down payment to receive access to their cloud CDE |
| Embeddable forms | React-friendly iframes and modern UI components | Intermittent issues with iframes rendering in React |
| Tokens | Feature-rich and configurable token properties | Configurable token IDs |
| Services | Programmable routing and serverless functions to send, receive and transform tokens | Preconfigured routing services |
| Others | Ability to fingerprint, search, and dedupe data without decryption | Not applicable |
Results
Streamline’s implementation gave Cameron and Carlos the level of flexibility and PCI compliance they had envisioned, along with a number of additional benefits:
Fast, simple implementation: Built and tested Basis Theory implementation in 14 days while removing over 100 lines of code from the previous implementation
Reduced PCI compliance costs: Saved an estimated $200,000 per year in support costs (vs. building an in-house system)
Increased optionality: Expanded the number of providers available for payment processing by 100%
Curious about how to start your journey to PCI compliance? Reach out to an expert or check out developer documentation to see how tokenization works with Basis Theory.