AWS Lambda stripe payment backend, PCI concerns? - stripe-payments

I hope to build a mobile app that sends credit card information to an aws-lambda microservice, which then submits that information to stripe. I'm concerned about PCI compliance/security, and I'm wondering if there is something I'm missing. The following is my plan:
1) Users sign in using PCI compliant passwords - and are assigned unique ids and get cognito access keys.
2) Users enter payment information in the mobile app. The app then sends that credit card data via POST request using HTTPS to a cognito authenticated aws-lambda instance (api gateway is used to create endpoints).
3) Upon a successful post request the app deletes the local credit card data.
4) The lambda instance decrypts encrypted stripe secret access keys using KMS.
5) The lambda instance uses Stripe NodeJS sdk to send the data to stripe and stores stripe tokens in databases.
6) At no point does the Lambda instance save ANY credit card data - it ONLY writes Stripe tokens to the database.
Is there anything I'm missing here? Is there something I should be concerned about?
EDIT:
Additional Info:
Credit card details are collected within the app and stored in the app state until they are deleted. The https POST does not use Stripe tools because I'm using React Native.

Further to our discussion in the comments, you could write a service wrapper to POST the data directly to Stripe using their JavaScript API. You'd just need to embed the public API key in your app.
See the solution in this blog post: http://blog.bigbinary.com/2015/11/03/using-stripe-api-in-react-native-with-fetch.html

Related

Processing Apple / Google Pay with Stripe

We're adding Stripe as one of the several providers for our payment gateway.
The workflow we currently use for processing Apple / Google / Samsung Pay payments is the following:
Mobile Client generates an encrypted payment token via API provided by the OS
Mobile Client sends a payment request to the Backend (user ID, amount, token).
Backend sends a request to Bank API
Bank API responds to Backend with either success or failure
Backend responds to Mobile Client
However, after reading Stripe's documentation, I haven't found a way to implement the same workflow. Apparently, the interaction is inverted:
Mobile Client requests a "client secret" from Backend
Backend sends a PaymentIntent request to Stripe's API
Backend returns the created PaymentIntent's "client secret" to Mobile Client
Mobile Client executes the payment by directly communicating with Stripe's API using the client SDK
This seems problematic, because it requires a major redesign for both our Mobile Client and Backend applications. Moreover, it makes the abstraction leak, because now the Mobile Client is bound to a particular payment provider.
Is it possible to implement our existing workflow with Stripe's API?
You definitely can obtain ApplePay/GooglePay token directly from Apple/Google, and use it to exchange for a Stripe token to "get into Stripe's world", similar to your original approach. However this approach requires some tweak and you would want to reach out to their Support.
Yes, it is possible to implement the flow you described with Stripe.
Refer to https://github.com/google-pay/pay-server-demos/blob/main/google-pay-psp-client/handlers/stripe.js for an example of how you might implement it for Google Pay:
return stripe(config.secretKey).charges.create({
amount: order.totalInt,
currency: order.currency.toLowerCase(),
source: order.paymentToken.id,
});
order.paymentToken.id is the payment token returned by Google Pay.

How to verify stripe webhook signatures without endpoint secret?

I'm building a "multiplatform" solution where each user could have it's "shop" and receive the founds directly on their stripe accounts.
So each user when creates it's shop provides public and secret stripe key which are stored on the server and used when some payments are made.
The problem comes when i have to use the webhooks where i have to verify the user webhook endpoint secret, i can't ask the users to provide and store the WH endpoint key...
(I use the webhook to send the order in preparation once the payment charge is succeeded)
So i was wondering if there was a way to manually verify the webhook signature without using the endpoint secret, i saw that here is possible manually verify signature but anyway i have to use the endpoint’s signing secret as key..
It's not possible to verify Stripe webhook event payloads without a webhook signing secret.
However, it sounds like your use case fits Connect quite well, and a Connect webhook endpoint may work for your needs.
Connect webhooks will receive events from all connected accounts, and will avoid the need to manage individual webhook endpoints and secrets for each account.

Angular.js with Stripe

I am using angular.js for Stripe Integration.
I found a couple of libraries for anuglar.js but I think they don't provide features.
This is what I am trying to do on angular.js using Stripe API for subscription payment.
Create Customer.
Add credit card information on this customer.
Add customer with subscription plan.
Check customer's subscription is expired or not.
If expired, renew subscription.
Does stripe.js will handle this?
What libraries should I use? if not, is it possible using standard $http.post for stripe API?
Looking forward your help.
A payment flow with Stripe is divided in two parts:
client-side, in your frontend code, you collect and tokenize the customer's payment information using Stripe.js or Checkout. You then send the token to your server
server-side, in your backend code, you use the token in an API request, e.g. to create a charge or a customer
Except for token creation requests, all other API requests need to be sent using your secret API key, so you can't do this from your frontend code without revealing the secret API key, which you definitely don't want to do (because then anyone could retrieve it and use it to send API requests on your behalf).

Is it possible to configure Paypal's Node SDK with an authToken instead of a client ID / secret?

We have a situation where our users will be logging into Paypal and then paying other people from their Paypal account via our dashboard. We have the connection setup to retrieve refresh & authTokens for them via simple-oauth2 module. What I don't see is how to utilize a token in the Paypal Node SDK. It seems to only support client id and secret configurations.
Is there a way to utilize the paypal.configuration with an authToken instead?
Should we be using the REST APIs directly instead of the SDK?
You cannot directly transfer amount to other people account.
You firstly need to transact it into your own buisness account and then you can transfer it to any other person account.

Paypal: How my server can authorize some payment made by mobile client

I want to let my customers on mobile application to be able to make payments using Pypal .. so far so good!
Now I want the mobile application to send to the backend server a payment confirmation with the amount payed, if I just made the mobile application to send those information to the backend just like that without any type of authenticity, that will be very hackable and totally insecure, is there some kind of token that Paypal passes to the client, and then to the my backend server, that the server can authorize the payment?
From the official documentation, steps are listed by details:
https://developer.paypal.com/webapps/developer/docs/integration/mobile/verify-mobile-payment/

Resources