Security & Compliance
When you vault cards with Butter, your data is encrypted with NIST- and FIPS-compliant algorithms. Each card is encrypted with a one-time-use encryption key, and that key is then itself encrypted and securely stored. This process guarantees that merchant data is uniquely encrypted each time a new card is vaulted. Merchant encryption keys are never mixed or reused. Encryption keys and encrypted data are scoped to individual private merchant containers to provide maximum security and separation of data.
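The key handling described above follows the envelope-encryption pattern. The sketch below is an added illustration, not Butter's or Basis Theory's code: AES-256-GCM, the container object, and the function names are all assumptions, since the page names no algorithm or API.

```javascript
// Added illustration of envelope encryption; not Butter's or Basis Theory's code.
const crypto = require("node:crypto");

// Hypothetical per-merchant container holding its own key-encryption key (KEK).
function newContainer() {
  return { kek: crypto.randomBytes(32), records: [] };
}

// AES-256-GCM is an assumption; the page only says "NIST and FIPS-compliant".
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if key or AAD is wrong
}

// Vault one card: a one-time data key encrypts the card, then the data key
// is itself encrypted under the merchant's KEK and stored beside the ciphertext.
function vaultCard(container, merchantId, pan) {
  const aad = Buffer.from(merchantId); // binds the record to one merchant
  const dek = crypto.randomBytes(32);  // used for this record only
  const record = {
    data: seal(dek, Buffer.from(pan), aad),
    wrappedDek: seal(container.kek, dek, aad),
  };
  dek.fill(0); // discard the plaintext data key
  container.records.push(record);
  return record;
}

function readCard(container, merchantId, record) {
  const aad = Buffer.from(merchantId);
  const dek = open(container.kek, record.wrappedDek, aad);
  return open(dek, record.data, aad).toString();
}
```

Vaulting the same card twice yields unrelated ciphertexts, and a record cannot be opened with another merchant's container key.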
Card elements are rendered in a secure iframe embedded within your checkout page. The iframe acts as a secure container, isolating payment information from the rest of the webpage. This isolation helps prevent malicious scripts or third-party plugins on the merchant's website from accessing sensitive card details. The card data captured within the iframe is encrypted and securely transmitted to a proxy endpoint, which vaults the data and forwards the request to the respective payment service provider. Since the data never touches the merchant's servers, the risk of compromising card information due to potential security vulnerabilities in the merchant's system is greatly reduced. Additionally, merchants are not exposed to PCI DSS requirements.
Butter has partnered with industry-leading fintech security company Basis Theory to make vaulting and card elements as secure as possible. PCI DSS AOC documentation can be provided upon request.