I have an app hosted on Heroku (still in development and not live) which is an online course. Users can sign up for free and they get access to the free video section. The free video section has a Stripe Payment button. If users which to become members then they can make payment and will gain access to the 'membership' video section of the app once payment is successful.
My question is to do with SSL and taking payment. I have asked this question to Stripe and they have responded:*
Yes, you'd have to set up a TSL/SSL certificate for PCI compliance. Since you're using Heroku, I'd recommend reaching out to their customer support for more information on that.
I then spoke to Heroku and they said to contact Stripe...
As I'm not very experienced in this area, can someone recommend what I need to do? Do I need to activate SSL when the Stripe Checkout pop up is activated. Does Stripe Checkout even need SSL or is it already secure?
Further information: I'm using Heroku Professional Standard package.
I have found the following from Stripes website:
PCI compliance is a shared responsibility and applies to both Stripe and your business. When accepting payments, you must do so in a PCI compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. Stripe makes this easy for you as we can do the heavy lifting to protect your customers’ card information. You can simplify your PCI compliance as long as you:
Use Checkout, Stripe.js and Elements, or our mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through your servers
I'm pretty sure as I'm using Stripe Checkout then I do not need to do anything further, but just want to be 100% sure before I start taking payments...
Thanks
Even if Stripe Checkout itself is served over HTTPS from Stripe's servers, your payment page including Stripe Checkout also needs to be served over HTTPS with a valid TLS certificate in order for you to be PCI compliant.
(Technically, if your site was served over unencrypted HTTP, an attacker could do a man-in-the-middle attack and change https://checkout.stripe.com/checkout.js with the URL to a malicious script.)
You should simply ask Heroku to help you setup HTTPS on your site -- the fact that you're using Stripe is just context for why you need this, but it doesn't change anything for Heroku.
Related
Can I get users to enter credit card details on the PayPal site, rather than my own when setting up a recurring payments profile for direct credit card payments?
When setting up a recurring payments profile for a user who wishes to subscribe to my service, I currently follow the standard recurring payment flow (as shown in the PayPal API examples):
Use the REST API to create a billing plan and agreement.
Redirect the user to the PayPal site.
User logs in/registers on PayPal site and confirms their acceptance there.
PayPal redirects them back to my site for final confirmation of the billing agreement.
Once they have confirmed on my site, billing commences and we start listening for IPN's.
However, it seems that if you want to use direct credit card payments (i.e. the customer does not have/want a PayPal profile), you have to capture the credit card details on your own site and pass them through to PayPal on the API call. Is there a way to move the credit card detail capturing to the PayPal site itself?
Yes, PayPal supports this arrangement; they call it hosted pro or hosted sole solution. However, it's classic, not the new REST.
PayPal's newer direct credit card APIs use vaulting, but I don't believe they come with a fully PayPal-hosted page that would avoid all PCI complications for you.
You might also want to look at Braintree's solution, which integrates into your page but handles encrypting & tokenizing the card details so you don't have to worry about PCI.
I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?
Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.
I'm an engineer at Stripe.
Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:
Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js
Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.
(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)
I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).
Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!
Original answer:
Implement Stripe Payment Gateway in Cordova/Phonegap Application
I am trying to understand how the https://squareup.com/ square Credit Card reader works.
What would be the underlying middleware that is being used to
send the data to the squareup server,
process the payment
send verification to a user of a successfull payment
This is implmented on the iPhone, could there be a generic middleware that could be used for other devices to access this service created, so we could have all type of smartphones access a similar service language independent?
Also what security protocols would be used to ensure the data is sent encrypted over the network?
Their own website contains details about their security technology. They appear to use common and trusted technologies like SSL, which isn't a surprise.
If you want to build an application that integrates with their service, you should contact them. It's possible that they will require you to purchase a license in order to do so. They would also be the authority on the protocols and middleware required to integrate with it.
I want to add Paypal functionality to my app but I'm kind of in the dark about some of the security issues.
Specifically, when the user wants to pay, I have to redirect them to Paypal and then Paypal sends me some kind of token/key to indicate whether the payment took place.
So, on the page where I pass the user to Paypal, do I need SSL? Why/why not?
What about the page where I receive the response token from Paypal?
Is it possible for a hacker, for example, to make up some random token and post it to my app to pretend that he paid?
If so, does this mean I need to make another call to Paypal after I receive the token - to make sure the token is real?
I've done this before using drupal e-commerce to sell app downloads via Paypal and used SSL neither on the redirection nor the landing page. While technically I suppose a hacker could intercept the token of someone who paid for the app and use it to pretend he paid, I don't think this is likely scenario because the average criminal is more interested in credit card numbers than one-time free access to some product/service. Further, one of the main reasons you would use Paypal in the first place is so that you wouldn't have to pay as much attention to security as you would if you had to process the users credit cards yourself since Paypal takes care of this for you (and their system is secured by SSL).
correct me if I'm wrong but I think that without ssl the following two scenarios are possible using a man-in-the-middle attack:
phishing:
the hacker redirects the user to a paypal-like site and receives his paypal user/pw or credit card details.
this attack isn't perfect as phishing sites do get found and pulled down.
hijacking the payment:
the hacker creates his own real paypal token (order data scrapped from your site) but with his own paypal account as the receiver and redirect the customer to that address. in this case paypal's policies might be enough to make this actions pointless.
I'm building an app that needs to accept credit card payments with something like active merchant. In terms of security, is it possible for it to live on heroku and use authorize.net (or similar) as the payment gateway?
What if it needs to store the credit card numbers?
Edit
Would not be forwarding users to authorize.net.
The simple answer is yes, I believe so, but beyond that it depends.
You can set environment variables for various keys and other values related to the third party service(http://docs.heroku.com/config-vars), or just check them in and deploy them.
If you are using the hosted payment service for authorize.net, and forward to their site, you don't need ssl yourself. If you will be hosting the form where credit card number and personal info are submitted, then forwarding this to authorize.net via their API on the server, you need to set-up ssl for heroku (http://docs.heroku.com/ssl) so that your form is secure.
Now, it is one thing to accept payment via credit cards and just pass it thourgh, it is another to save credit card numbers and other private information. Without pointing you to various security standards docs (i.e. PCI DSS applies here), I will simply say that unless you absolutely have to, don't store CC numbers and related personal information, just forward to the gateway and make sure you aren't logging those fields (http://guides.rubyonrails.org/security.html#logging). If you do need to store credit card data, I think you need to have more control of the database and server to reach compliance, and I don't know a general cloud host like AWS or heroku that you can use and do this (maybe some other SO user will correct me). Using a payment gateway like authorize.net, however, can get you there.
I'll also point out that different states now have laws about storing sensitive data (like MA, where I live), so yet another reason to avoid doing it unless it is essential to your business model.
For a somewhat dated, but good general discussion of PCI compliance, look here: http://broadcast.oreilly.com/2009/02/pci-in-the-cloud.html