Security concerns with using Stripe checkout over Cordova

I'm looking into using Stripe.js for payment processing in a mobile web application wrapped in Cordova. According to the Stripe documentation all checkout pages should be served over https. Since Cordova will technically be serving these pages locally in a webview, are there any security concerns I should worry about?
Note: I will still be using https to submit the tokenized card details from Stripe to my remote API server to actually complete the charge.

I'm an engineer at Stripe.
Cordova/PhoneGap isn't a platform we actively support with Stripe.js, but after talking it over with the team, we have two suggestions for how to mitigate potential vulnerabilities:
Configure your Domain Whitelist sensibly, to limit the possibility of other scripts maliciously sending payment data to an untrusted third party. You should only need to add https://api.stripe.com to support communicating with Stripe.
Always load the latest version of Stripe.js from our servers, per the Stripe.js documentation. This will ensure that you're always up-to-date with any bugfixes and patches we add to Stripe.js.
Beyond that, I believe your exposure is similar to using Stripe.js in a normal webpage, loaded in-browser.
(I should note that I assume you're using Stripe.js and not Stripe Checkout—the latter would require the https://checkout.stripe.com domain to be added to the domain whitelist, as well.)
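As an added example that is not part of the answer above, a minimal Cordova config.xml that applies the first suggestion: the `<access>` allowlist (cordova-plugin-whitelist) names only the origins the checkout flow needs instead of the scaffold's `<access origin="*" />`. The app id, name and the api.example.com charge endpoint are placeholders, and js.stripe.com is included on the assumption that Stripe.js is loaded from Stripe's servers per the second suggestion.

```xml
<?xml version="1.0" encoding="utf-8"?>
<widget id="com.example.stripeapp" version="1.0.0"
        xmlns="http://www.w3.org/ns/widgets"
        xmlns:cdv="http://cordova.apache.org/ns/1.0">
  <name>StripeCheckoutDemo</name>  <!-- placeholder app id and name -->
  <content src="index.html" />

  <!-- Network allowlist (cordova-plugin-whitelist). The generated template ships
       <access origin="*" />; replace it with only the origins the checkout flow needs,
       so an injected or compromised script cannot post card data anywhere else. -->
  <access origin="https://api.stripe.com" />   <!-- Stripe.js tokenization calls -->
  <access origin="https://js.stripe.com" />    <!-- loading the latest Stripe.js (assumption) -->
  <access origin="https://api.example.com" />  <!-- your own charge endpoint; placeholder -->

  <!-- No <allow-navigation> entries: the webview stays on the bundled pages and
       cannot be steered to an externally hosted checkout page. -->
  <!-- External links open in the system browser, never inside the webview. -->
  <allow-intent href="https://*/*" />
</widget>
```

Pair this with a Content-Security-Policy meta tag in index.html whose connect-src and script-src list the same origins, since the plugin's allowlist does not govern inline scripts.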

I posted an answer related to this in a similar question. If you control a custom API, give it https protection and send your whole checkout form down into an iframe (source set to your API endpoint).
Then use a plugin like Cordova-HTTP for SSL pinning, and you should be more secure!
Original answer:
Implement Stripe Payment Gateway in Cordova/Phonegap Application

Related

Is there a way to integrate a Stripe payment on my website with Firebase backend service without using any other backend service?

I began to develop an online store website with HTML, CSS and JS, and I use Firebase as the backend. Then came the payment part: I want to use Stripe for that, and it turns out that I have to use Node.js (or any other server technology) to manage that payment part.
I have to say that I'm very much a novice in back-end (and Stripe), and the idea was to get rid of that part (the reason why I use Firebase), except that the payment part requires it.
My question is:
Is it enough to use Firebase only as a backend to manage the payment part with Stripe?
If no,
can I use Node.js (Express framework) just on the payment page and not extend it to all the other pages with those routing things? Or do I have to deploy it on the whole website?
Thanks.
There is a Firebase Extension that is built by Stripe and states:
Use this extension as a backend for your Stripe payments.
It makes use of restricted API keys so you have granular control over what records can be created/read/updated by the extension.
I think that sounds easier than trying to work out an Express app for a single payment page.

Moneris: 3-D Secure 2.0 Implementation

I have a website that redirects to a Moneris Hosted Pay Page in order to accept any payments. There is nothing Moneris or payment related on the website side, that is all done via the HPP.
My question is: is there anything that needs to be done in my case in order to upgrade to 3-D Secure 2.0 to get the added security benefits, or would this be done automatically on Moneris' side?
Thanks in advance!
I think what you refer to as "Moneris Hosted Pay Page" is what Moneris calls "Moneris Checkout". In which case, they say in a blog post that this feature will automatically be upgraded to 3-D Secure 2.0.
https://community.moneris.com/blogs/b/announcements/posts/3-d-secure-2-0-what-you-need-to-know
Moneris Checkout
Our hosted payment solution that allows merchants to process online payments on their website now supports 3DS 2.0. From a development perspective all that is required is an integration to our Moneris Checkout (MCO) solution and quick configuration in the Merchant Resource Center (MRC). A sales order is required to enable 3DS on your merchant account. 3DS integrates into MCO by routing transaction requests to the card brands for a 3DS authentication request. Only transactions that are authenticated will be sent for authorization. If the issuing bank is not authenticating the transaction, the transaction is not eligible for fraud-related chargeback protection and sending for authorization would not be a good idea. Merchants who were using 3DS 1.0 via MCO will automatically have their transactions sent to 3DS 2.0. Please note that there are new fields in the Moneris Checkout response for 3DS 2.0, which you may choose to consume. Moneris will also control this transition from 3DS 1.0 to 3DS 2.0 within MCO.

Can I implement Stripe checkout in React without my own backend server?

I have a React frontend deployed on Netlify. I want to implement a simple payment system where users can enter the amount they want and pay using Stripe Checkout or even PayPal. I wanted to know if this is possible without paying for a separate backend. Or is there any other self-hosted payment gateway you can suggest?
Thanks! :)
Technically, you can use client-only Stripe Checkout, however it's not the recommended path: https://stripe.com/docs/payments/checkout/client
Client-only is not recommended because it lacks many of the features made possible with a client-server integration. Furthermore, the client-only integration is not currently (as of this post) receiving new features or upgrades.
If you don't want to do server-side development, then Stripe Checkout (client-only integration) is the way to go. Everything you need can be done on the Stripe dashboard.
Stripe now has a solution called Stripe Payment Links. It's a client-only solution... in fact it requires no code!
As you can see in the Stripe docs, "The Stripe API uses API keys to authenticate requests." So this means that you need a secure way to integrate with them, without exposing those keys.
So the best way would be to use some serverless backend (FaaS) for that, like AWS Lambda, GCP Cloud Functions etc.
Here's a good article on how to integrate Stripe with webtask.io, which should be pretty simple to use.

How to use Connect Services for event notifications in REST API with PHP SDK?

Helpers, I want to use Connect services with my DocuSign REST API integrated website. Could anyone help me out? Where can I get these on GitHub? Basically the need is:
Once the document is fully executed, it will be routed via DocuSign connect to a folder which aligns with the name of the employee. This will require work on both the elected system as well as the DocuSign API to configure.
No problemo! These days, I suggest using an intermediate PaaS to queue and deliver the webhook notifications to your application which can live safely behind your firewall.
Here's a blog post on the technique. Note that we have PHP example software for this technique.
Once your PHP app is notified that an envelope is complete (fully signed), just download the documents from DocuSign and store them in your file system. Easy Peasy!

Stripe Checkout on app hosted on Heroku - ensuring secure payments (SSL)

I have an app hosted on Heroku (still in development and not live) which is an online course. Users can sign up for free and they get access to the free video section. The free video section has a Stripe Payment button. If users wish to become members then they can make payment and will gain access to the 'membership' video section of the app once payment is successful.
My question is to do with SSL and taking payment. I have asked this question to Stripe and they have responded:
Yes, you'd have to set up a TLS/SSL certificate for PCI compliance. Since you're using Heroku, I'd recommend reaching out to their customer support for more information on that.
I then spoke to Heroku and they said to contact Stripe...
As I'm not very experienced in this area, can someone recommend what I need to do? Do I need to activate SSL when the Stripe Checkout pop-up is activated? Does Stripe Checkout even need SSL, or is it already secure?
Further information: I'm using Heroku Professional Standard package.
I have found the following on Stripe's website:
PCI compliance is a shared responsibility and applies to both Stripe and your business. When accepting payments, you must do so in a PCI compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. Stripe makes this easy for you as we can do the heavy lifting to protect your customers’ card information. You can simplify your PCI compliance as long as you:
Use Checkout, Stripe.js and Elements, or our mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through your servers
I'm pretty sure as I'm using Stripe Checkout then I do not need to do anything further, but just want to be 100% sure before I start taking payments...
Thanks
Even if Stripe Checkout itself is served over HTTPS from Stripe's servers, your payment page including Stripe Checkout also needs to be served over HTTPS with a valid TLS certificate in order for you to be PCI compliant.
(Technically, if your site was served over unencrypted HTTP, an attacker could do a man-in-the-middle attack and replace https://checkout.stripe.com/checkout.js with the URL of a malicious script.)
You should simply ask Heroku to help you set up HTTPS on your site -- the fact that you're using Stripe is just context for why you need this, but it doesn't change anything for Heroku.