Stripe, using its stripe.js library, will exchange customer credit card information in a payment form for a token using javascript, entirely on the client. Our server never sees the credit card, only the token. As a result, we can avoid PCI compliance issues on our servers and still do direct credit card transactions.
Does PayPal offer any product that similarly allows me to directly charge customer cards, without incurring PCI compliance requirements on my servers?
Note: I see that PayPal offers a vault API to exchange credit card numbers for tokens. However, this API itself requires an OAuth bearer token that must be kept as a server secret, not to be shared with browser clients. Therefore, the CC# must travel to our servers for the vault API call to be issued, and therefore incurs PCI compliance requirements on those servers. I wonder, is it perhaps possible to generate an OAuth token that only has permissions to write new credit cards into the vault? I could then give this limited-scope bearer token to a javascript client library, and call it from the client, effectively replicating what stripe.js does.
(Context for the question: we need to accept PayPal due to customer demand, but also want to accept credit cards directly. I either need to use Stripe and write my payment processing code twice for two separate integrations, or I need to find a solution via PayPal that doesn't involve PCI compliance, as that is a headache I definitely want to avoid.)
The process described above is called client side tokenization. PayPal does support tokens, but not for credit card data and thus you can't capture credit card info on your own page without PCI. Seems kinda odd that PayPal is one of the few major credit card processors that doesn't support it.
Related
Can Stripe APIs be used without their client side UI ? For example, we already have credit card info and we want to pass it to Stripe to process charges ?
Yes, it's possible to use the Stripe API without Stripe Elements. I wouldn't personally recommend it since the handling your customers raw credit card information like you're describing has a host of regulatory implications which Stripe covers in-depth here:
https://stripe.com/docs/security/guide
That being said, if your business is prepared to assume that level of liability for your customer's credit card information, you can pass raw credit card information directly to the PaymentMethods API server-side as shown in the example on this page:
https://stripe.com/docs/api/payment_methods/create
Once you've created the payment method, you can use the payment method like any other throughout the rest of the API.
I'm developing a Symfony 3 application and the client chooses stripe for online payment
Users will make auctions on the website.
Is there a solution (with stripe or another system) to check if the user has provision on his account to accept the auction ?
Amounts can be quite big (10k€)
Thanks !
Olivia
A lot of payment gateways offer Auth/Capture separation, in which you can first authorize the payment (suggesting the shopper's credit card has enough in the CC cap\credit ceiling to afford this deal currently).
The issue is that this authorisation request often puts the funds on a "hold period" on the card - a time frame in which the CC cap is reduced as if the shopper purchased the item, and could cause the shopper to max-out their credit even if they didn't end up purchasing. This is why authorisation calls on large amounts need to be handled with caution.
If you want to go ahead with this business model, make sure you also have a cancel/reverse authorisation option - that will allow you to validate first with an auth only request, and then release the hold on the shopper's CC. I am not familiar with Stripe's API, but I know that BlueSnap has both Auth and Auth reversal APIs:
Auth API: https://developers.bluesnap.com/v8976-JSON/docs/auth-only
Auth reversal API: https://developers.bluesnap.com/v8976-JSON/docs/auth-reversal
You can use the auth & capture flow to create an authorization but not capture the funds immediately.
Note that such large amounts will probably have high decline rates. I recommend you reach out to Stripe's support at https://support.stripe.com/email to discuss your business model in more details.
I want to have the customer enter their card info once and have a "pay now" button that will save the users info for future payments without them having to reenter there info and stripe says this can be done if you create them in a user object.
When the user is entering their info in and saving it in a user object where it saves on the stripe side, I dont understand how this is secure, even with tokens. Couldn't the developer add another function to go along with the stripe custom forms 'submit' or 'pay now' to send the card info somewhere else before or simultaneously while stripe is generates the token? And if I want, can I have the last four digits be displayed of their "current card" in my hybrid ionic app? Can someone please explain to me what I'm missing?
Im sending the customers payment token over the wire for a affiliate to process the payment (my apps only on the client side), and because share the token does not put the card at risk, are there any security concerns I should be aware about?
Yes, a nefarious developer could easily do whatever he wants with the customer's credit card information and that would have nothing to do with Stripe. Stripe and every other payment processor assumes that its developers/clients are not using their services for malicious reasons and I'm sure if such evidence surfaced their account would immediately be revoked.
Stripe's security model allows developers to trust Stripe to store their customers' credit card numbers securely for them so that they can focus on developing their product, not worrying about building a PCI-compliant credit card database store. The idea is you hand over a customer credit card number to Stripe in exchange for a token (customer ID) which you later reference when making subsequent charges to that customer's card.
As for the last 4 digits of the card, yes that is easily obtainable via the Stripe API
https://stripe.com/docs/api#cards
I'm trying to use stripe connect and I want to make sure that I'm receiving stripe access tokens that I can use to make charges on the behalf of Stripe users. The access token I'm getting in my test environment looks like this:
sk_test_VyqtfZ6IIPMR1dyY0Po9O29i
Is this how they are formatted? Is there a way I can do a test charge on this token?
That looks to me more like a Test Secret Key, an internal API key, rather than a card token. To generate a card token you should be using the createToken function from Stripe's JavaScript API. Once you've done that you can pass that token instead of credit card details when creating a charge. Here is the relevant documentation from the API, and the part of interest:
card: optional, either card or customer is required, but not both. A card to be charged. The card can either be a token, like the ones returned by Stripe.js, or a dictionary containing a user's credit card details
Depending on your specific needs you might consider taking a look at Temboo's Stripe SDK, it reduces the complexity of doing things like creating customers, charges, subscriptions, etc. The free Temboo SDK is available in many popular languages and is a drop-in solution.
Full disclosure: I'm a Temboo employee
I am trying to understand how the https://squareup.com/ square Credit Card reader works.
What would be the underlying middleware that is being used to
send the data to the squareup server,
process the payment
send verification to a user of a successfull payment
This is implmented on the iPhone, could there be a generic middleware that could be used for other devices to access this service created, so we could have all type of smartphones access a similar service language independent?
Also what security protocols would be used to ensure the data is sent encrypted over the network?
Their own website contains details about their security technology. They appear to use common and trusted technologies like SSL, which isn't a surprise.
If you want to build an application that integrates with their service, you should contact them. It's possible that they will require you to purchase a license in order to do so. They would also be the authority on the protocols and middleware required to integrate with it.