Frequently asked questions about the Butter Payments solution

We agree - and accordingly our two step process requires just what we need and only that. For the first step — the Payment Health Analysis — we need access to historical data. You can export it to us or simply share read only access via API. We do not need or touch PII, and data is encrypted end to end in flight and at rest.

Our system is designed with the highest security standards in mind. We've invested in state-of-the-art security infrastructure and best practices to ensure that our customer data remains protected at all times. Regular vulnerability assessments, penetration testing, and continuous monitoring are part of our ongoing commitment to security. Additionally, we've achieved SOC2 Type 2 and PCI Level 2 compliance, ensuring that we meet stringent requirements for securely handling credit card transactions and protecting cardholder data.

From a data privacy perspective, we purposely do not need or access PII. If requested by our customers we are happy to complete BPA forms and are familiar with CCPA and GDPR requirements. Accordingly we can also remove any and all data upon request if needed once we have done our analysis.

We get it - there are a lot of things tied to whether a payment fails or succeeds. For systems where payment success triggers fulfillment processes we work closely to ensure that as Butter rescues payments quietly and quickly in the background we do so with your time windows in mind as well as ensuring for great customers we can pause if it makes sense vs. canceling.

A big part of Butter’s value is fixing a valid failed payment without the need to notify your end users either over email, sms, or in app. We work to deliver the best end user customer experience; one where the customer is notified only when you really need them to do something which is after we have tried to recover the payment.

We also have integrated with a number of third party and internally developed end user communication systems in this way and are passionate about getting it right. but is an additional tool in your belt that is focused on a very specific element of churn.

We are adding new PSPs and payment methods at a rate of about one a month, so chances are whatever payment method you are using is on our road map including 3DS options and internationally focused PSPs. Please send us a line and we can quickly see how well we might match up to what you need.

Card tokenization is a security measure that replaces sensitive card information (such as credit card numbers) with a unique token. This token refers to the original card data but does not contain the actual card details. Tokenization enhances security by minimizing the risk of exposing sensitive information in transactions.

Butter's solution tokenizes the card data and stores it in individual compartments, ensuring the flow complies with PCI-DSS regulations. With this functionality, you get access to enhanced data from your users like card type, details on bank, issuer, country, currency, customer profile, and more. As you will only receive the enhanced data, not having access to the card number, your liability doesn't increase. Butter will also leverage this information to improve the machine-learning based models to recover more failed payments.

You have to integrate with Butter to have access to it. There are a few options: adding elements into your checkout page (an embedded iframe) or directly through API. The elements are compatible with popular frontend frameworks like React and are fully customizable from a UI perspective. We also offer native JavaScript implementations that can be tailored to work with any other front-end framework. The direct API is designed to provide access for merchants requiring integrations with mobile applications or backend requirements. Interacting directly with our vaulting API will require providing PCI DSS AOC documentation.

Owning the card tokenization flow using a third party provider allows you to access key information while not exposing or augmenting the liability of your business. 
By tokenizing card data at checkout, you get access to enhanced information on your user payment profile like what card type the user is inputting (prepaid, debit, credit), if the card is a 'combo' (both credit and debit), if the card can be used for this purchase (domestic, gambling block, express benefit transfer), besides information on network and issuing bank. Additionally, by having your own card tokens, you can route transactions to different payment processors, considering their fees and acceptance rates per BIN.

With Butter's solution, you get access to all data in real-time as your user inputs the card details on the checkout page. You also get to use the same tokens across multiple PSPs, enabling routing strategies best suited for your business. Ultimately, Butter will leverage this data to improve the recovery machine-learning-based model tailored to your account, lifting the revenue from recovered failed payments.

Card tokens are unique per merchant and securely stored individually within Butter's Card Vault solution. The tokens generated for your business will only be used by you.

Each card is encrypted, ensuring that sensitive information is securely compartmentalized. We also utilize UUIDs to reference encrypted cards, minimizing potential risk exposure. Our encryption methods adhere to the highest standards set by the Payment Card Industry Data Security Standard (PCI-DSS). This includes utilizing envelope encryption with AES256-GCM, ensuring robust card data protection. Our system is designed to restrict direct access to underlying credit card information. Butter employees do not have the capability to view or access raw card data, aligning with strict PCI-DSS compliance requirements.

Our solution undergoes rigorous examination by independent certification organizations to validate its security and compliance with PCI-DSS standards. This ensures that our system remains robust and resilient against potential threats.