PayPal Website Payments Standard Security - security

I currently have a Website Payments Standard checkout process for purchasing recurring payments. WPS just uses some hidden inputs to send all the information to PayPal.
But it's very insecure, because if you know HTML you can change these hidden inputs in the browser's developer tools and change the prices.
I chose WPS because it's simpler than Express Checkout, and you don't need an API integration.
So, has anyone had the same problem? Is there a secure way to use WPS?

How are you using WPS? With the PayPal buttons? If so, you can create encrypted buttons when you log into your PayPal account. If you are using something else, let me know and I can look into it.
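The hidden-field tampering described in the question can also be caught on the server, whichever way the button was built. The following is an added example, not part of the original thread and not PayPal's code: it assumes the merchant receives PayPal IPN messages that have already been verified with PayPal, and `PLANS`, `MERCHANT_EMAIL` and `checkSubscriptionSignup` are hypothetical names with constructed sample messages.

```javascript
// Added example: PLANS, MERCHANT_EMAIL and checkSubscriptionSignup are hypothetical names.
const MERCHANT_EMAIL = "merchant@example.com"; // constructed value
const PLANS = {
  // item_number -> terms the server expects PayPal to bill
  "gold-monthly": { amount: "29.00", currency: "USD", period: "1 M" },
  "gold-yearly": { amount: "290.00", currency: "USD", period: "1 Y" },
};

// Compare money as integer cents so "29" and "29.00" are treated as equal.
function toCents(value) {
  if (!/^\d+(\.\d{1,2})?$/.test(String(value))) return NaN;
  return Math.round(parseFloat(value) * 100);
}

// ipn: key/value pairs of a notification already verified with PayPal.
function checkSubscriptionSignup(ipn) {
  const problems = [];
  if (ipn.txn_type !== "subscr_signup") problems.push("unexpected txn_type");
  if (String(ipn.receiver_email || "").toLowerCase() !== MERCHANT_EMAIL) {
    problems.push("wrong receiver");
  }
  const known = Object.prototype.hasOwnProperty.call(PLANS, ipn.item_number);
  if (!known) {
    problems.push("unknown plan");
  } else {
    const plan = PLANS[ipn.item_number];
    if (toCents(ipn.mc_amount3) !== toCents(plan.amount)) problems.push("amount mismatch");
    if (ipn.mc_currency !== plan.currency) problems.push("currency mismatch");
    if (ipn.period3 !== plan.period) problems.push("billing period mismatch");
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample notifications: one honest, one with the price field edited.
const honestSignup = {
  txn_type: "subscr_signup", receiver_email: "merchant@example.com",
  item_number: "gold-monthly", mc_amount3: "29.00", mc_currency: "USD", period3: "1 M",
};
const tamperedSignup = { ...honestSignup, mc_amount3: "0.01" };
```

Access to the paid service would be granted only when `ok` is true; a mismatch is a signal to cancel the subscription and log the attempt.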

Related

Recaptcha for stripe checkout

I've been facing a card testing attack lately on a website that uses Stripe Checkout.
After two days of being under attack, I finally deactivated the affected page, which leaves my website without any way to pay for services.
Now I would like to add a reCAPTCHA to protect the Stripe button, but I just can't seem to understand how to do it.
I have a page with three services, and under each one is a Stripe Checkout button. What I would like to do is prevent bots from accessing the Stripe Checkout page, which is external and hosted on Stripe's servers.
I have done reCAPTCHA integrations before in PHP with a regular form. Here I'm working with Node.js and there's no real form to query. Is it possible to prevent bots from accessing those buttons?
I saw some tutorials online, but every time the form is hosted on the local server.
If you have a clue, it would be a great help.
Thank you
Have you followed the official Google docs for reCAPTCHA v3? They provide code snippets and go into detail about how to do this.
https://developers.google.com/recaptcha/docs/v3
It's easiest to implement it in the payment flow before your customers ever get to the page with the Checkout button (e.g. on the shopping cart page), but you can also bind it to the form action that triggers the creation of the Checkout Session.
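One way to bind reCAPTCHA v3 to the action that creates the Checkout Session, as an added example that is not part of the original answer or of Stripe's or Google's code. It assumes Node 18+ (global `fetch`); the `POLICY` values, the function names and the injected `deps` object are hypothetical, and the sample responses are constructed.

```javascript
// Added example: POLICY values and all function names are assumptions.
const POLICY = { action: "checkout", minScore: 0.5, hostname: "shop.example.com" };

// Decide from a siteverify response whether a Checkout Session may be created.
function assessRecaptcha(result, policy = POLICY) {
  if (!result || result.success !== true) return { allow: false, reason: "verification failed" };
  // A token minted for another action or on another site must not be replayed here.
  if (result.action !== policy.action) return { allow: false, reason: "action mismatch" };
  if (result.hostname !== policy.hostname) return { allow: false, reason: "hostname mismatch" };
  if (typeof result.score !== "number" || result.score < policy.minScore) {
    return { allow: false, reason: "low score" };
  }
  return { allow: true, reason: "ok" };
}

// Server-side call to Google's siteverify endpoint with the secret key.
async function verifyToken(token, secret) {
  const res = await fetch("https://www.google.com/recaptcha/api/siteverify", {
    method: "POST",
    body: new URLSearchParams({ secret, response: token }),
  });
  return res.json();
}

// deps.verify wraps verifyToken; deps.createSession would wrap
// stripe.checkout.sessions.create(...) in a real application.
async function handleCheckoutRequest(token, deps) {
  const verdict = assessRecaptcha(await deps.verify(token));
  if (!verdict.allow) return { status: 403, body: { error: verdict.reason } };
  const session = await deps.createSession();
  return { status: 200, body: { url: session.url } };
}

// Constructed siteverify responses for illustration.
const humanLike = { success: true, score: 0.9, action: "checkout", hostname: "shop.example.com" };
const botLike = { ...humanLike, score: 0.1 };
const reusedToken = { ...humanLike, action: "login" };
```

Because the session is created only after the server-side verdict, a script that posts straight to the endpoint without a valid token never reaches Stripe.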

Saving User's card in Square Payments

I'm new to Square and want to implement it in a React Native app with a Node backend.
I see that there is a method to save the customer's card details.
https://github.com/square/square-nodejs-sdk/blob/master/src/api/customersApi.ts#L230
But there is also the payment form?
https://developer.squareup.com/docs/payment-form/how-it-works
Firstly, I cannot see if the payment form is even available in React Native - information seems very scarce.
Secondly, even if I do implement that form, I can't see a way to connect it to the customers API endpoint.
I don't want to use in-app payments (i.e. google or apple pay). I want to be able to save card details like Amazon does, and use them whenever a user places an order in app (probably triggered by a node process). I'm not sure if I'm going about this the correct way, guidance would be appreciated.
In-App Payments SDK will be the way to go (and there is a React Native plugin already). The In-App Payments SDK is basically a mobile Square Payment Form, that you linked to. It will generate a secure nonce, and you can use the nonce to save the card on file. The next time the customer comes, instead of bringing up In-App Payments, you can simply call CreatePayment in your backend, with the customer_id and the customer_card_id as the source.
As for "connecting it to the Customers API" - you don't connect it directly per se. You would collect information from the customer, on your own, and pass it directly to the Customers API to create a customer. You can then call CreateCustomerCard using the nonce (generated by In-App Payments), and the customer_id that you just created, to save the card to this customer profile.

Stripe - Using the right react frontend component for credit card storage?

I am working on a stripe backend in node and a react frontend, the idea being to create a platform for buyers and sellers. I have created the seller's side where users create connect accounts and add a bank to that account.
Now I want to set up the buyer's side. I want to be able to have a customer store their credit/debit card information to use to pay in the future. Below are my questions, they're a bit broad but I just want some basic guidance, not looking for code answers:
Should I aim to have users enter information and then have stripe create a customer object with all their information as a way of storing credit card info?
Can I use the react-stripe-elements library to facilitate this process as it seems to be made to be secure? I've been looking at the examples but they seem to revolve around paying directly by inputting information to pay right away. Unless I am misunderstanding?
> Should I aim to have users enter information and then have stripe create a customer object with all their information as a way of storing credit card info?
Yes, the main approach is to collect the card details which will produce a PaymentMethod object that you can then save to a Customer. The easiest way to do this is by using the SetupIntents API as described here:
https://stripe.com/docs/payments/save-and-reuse
If you follow that guide a PaymentMethod will be created automatically when you confirm the SetupIntent, and since you provide a Customer when creating the SetupIntent, Stripe will automatically save the PaymentMethod to the Customer.
> Can I use the react-stripe-elements library to facilitate this process as it seems to be made to be secure? I've been looking at the examples but they seem to revolve around paying directly by inputting information to pay right away. Unless I am misunderstanding?
You should use the new React library from Stripe instead (assuming you're on React v16.8 and above):
https://github.com/stripe/react-stripe-js
The library is a simple wrapper around Stripe Elements which exposes an input field for your users to enter in their credit card details. When you use that pre-built input field from Stripe, they will automatically create PCI compliant forms for you: https://stripe.com/docs/security/guide. Otherwise, you would need to prove your business's PCI compliance annually which is a lot of work.
The client-side steps in the Save and Reuse guide all have a "React" tab that you can click on to show the React version (that uses the new react-stripe-js library):
https://stripe.com/docs/payments/save-and-reuse#web-collect-card-details

PayPal payment without redirection to PayPal's website

Is there any way to integrate PayPal without redirecting the user to PayPal's website for payment in the case of debit cards or the PayPal payment type?
Yes you can, it is explained by PayPal here: https://developer.paypal.com/docs/classic/adaptive-payments/ht_ap-embeddedPayment-curl-etc/
There are PayPal products available in some countries with this functionality. I heard that Payflow Pro and PayPal Payments Advanced have such functionality.
But actually, from my developer experience, if the Stripe platform is available for the country where your project is hosted, then it is better to use Stripe Elements - they found a way to securely place fancy controls to get CC info in a way that your website gets just either a token or a payment method object, without redirects, and if necessary, shows a popup with a 3D Secure window during the payment flow.

Stripe - One Click Upsell Possible with stripe.js?

I'm making a simple stripe checkout using Leadpages. With that said, I'm only able to use stripe.js rather than all of the massive API features that Stripe has to offer.
After entering the credit card information, the customer will be sent to an upsell page. Is it possible to do a 1-click upsell using Stripe.js?
If not, I may have to look into other options.
