Is it possible to do credit card payments from a heroku server using activemerchant? - security

I'm building an app that needs to accept credit card payments with something like active merchant. In terms of security, is it possible for it to live on heroku and use authorize.net (or similar) as the payment gateway?
What if it needs to store the credit card numbers?
Edit
Would not be forwarding users to authorize.net.

The simple answer is yes, I believe so, but beyond that it depends.
You can set environment variables for various keys and other values related to the third party service (http://docs.heroku.com/config-vars), or just check them in and deploy them.
If you are using the hosted payment service for authorize.net, and forward to their site, you don't need SSL yourself. If you will be hosting the form where credit card number and personal info are submitted, then forwarding this to authorize.net via their API on the server, you need to set up SSL for heroku (http://docs.heroku.com/ssl) so that your form is secure.
Now, it is one thing to accept payment via credit cards and just pass it through, it is another to save credit card numbers and other private information. Without pointing you to various security standards docs (i.e. PCI DSS applies here), I will simply say that unless you absolutely have to, don't store CC numbers and related personal information, just forward to the gateway and make sure you aren't logging those fields (http://guides.rubyonrails.org/security.html#logging). If you do need to store credit card data, I think you need to have more control of the database and server to reach compliance, and I don't know a general cloud host like AWS or heroku that you can use and do this (maybe some other SO user will correct me). Using a payment gateway like authorize.net, however, can get you there.
I'll also point out that different states now have laws about storing sensitive data (like MA, where I live), so yet another reason to avoid doing it unless it is essential to your business model.
For a somewhat dated, but good general discussion of PCI compliance, look here: http://broadcast.oreilly.com/2009/02/pci-in-the-cloud.html
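The two operational points in the answer above (credentials in config vars, card fields kept out of the logs) as an added Ruby example; this is not code from the answer or from ActiveMerchant. It assumes the config var names AUTHNET_LOGIN and AUTHNET_TRANSACTION_KEY, which are just names chosen here, and the filter mirrors what Rails' config.filter_parameters does, with the one twist that a card number keeps its last four digits so support can still match a transaction:

```ruby
require 'json'

# Added example, not from the original answer. Parameter keys that must never
# reach a log line; `number` and `verification_value` are the attribute names
# ActiveMerchant::Billing::CreditCard uses, the rest are common form field names.
SENSITIVE_KEYS = %w[number card_number verification_value cvv cvc].freeze

# Recursively copy a params hash, replacing sensitive values. Equivalent in spirit
# to Rails' config.filter_parameters, but usable from any logger.
def filter_params(params)
  params.each_with_object({}) do |(k, v), out|
    key = k.to_s
    out[key] =
      if v.is_a?(Hash)
        filter_params(v)
      elsif SENSITIVE_KEYS.include?(key)
        mask(key, v)
      else
        v
      end
  end
end

# Card numbers keep their last four digits (PCI DSS allows displaying at most the
# first six and last four); everything else sensitive is removed entirely.
def mask(key, value)
  digits = value.to_s.delete(' -')
  if %w[number card_number].include?(key) && digits.length >= 4
    "[FILTERED]#{digits[-4, 4]}"
  else
    '[FILTERED]'
  end
end

# The line you are allowed to write to the Heroku log stream: a JSON rendering
# of the filtered params, never the raw ones.
def audit_line(params)
  JSON.generate(filter_params(params))
end

# Gateway credentials come from config vars (heroku config:set AUTHNET_LOGIN=...),
# not from a file checked into the repo. The env var names are assumptions made
# for this example; the returned hash has the login/password shape that
# ActiveMerchant::Billing::AuthorizeNetGateway.new expects. Fail fast when one is
# missing rather than sending an empty credential to the gateway.
def gateway_credentials(env = ENV)
  login = env['AUTHNET_LOGIN']
  key   = env['AUTHNET_TRANSACTION_KEY']
  if login.nil? || login.empty? || key.nil? || key.empty?
    raise KeyError, 'AUTHNET_LOGIN and AUTHNET_TRANSACTION_KEY must be set'
  end
  { login: login, password: key }
end

# Constructed sample request, as a checkout form would submit it.
SAMPLE_PARAMS = {
  'amount' => '1000',
  'credit_card' => {
    'first_name' => 'Ada',
    'number' => '4111 1111 1111 1111',
    'verification_value' => '123',
    'month' => '12', 'year' => '2030'
  }
}.freeze

puts audit_line(SAMPLE_PARAMS) if __FILE__ == $PROGRAM_NAME
```

Wire `filter_params` into whatever logger or exception tracker the app uses; the Rails setting covers request logs, but a gateway error dumped into an exception report by hand goes around it.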

Related

Marketplace that allows payment on behalf of third party

I am currently developing a marketplace type of website. When it comes to handling payments, I would like to be able to charge customers on behalf of sellers.
Which payment gateway API should I use (if this is even possible)? I am using React and Node.
For reference, what I was looking for was something like Stripe Connect. According to their website: "Marketplaces and platforms use Stripe Connect to accept money and pay out to third parties. Connect provides a complete set of building blocks to support virtually any business model, including on-demand businesses, e‑commerce, crowdfunding, and travel and events."

Stripe Checkout on app hosted on Heroku - ensuring secure payments (SSL)

I have an app hosted on Heroku (still in development and not live) which is an online course. Users can sign up for free and they get access to the free video section. The free video section has a Stripe Payment button. If users wish to become members then they can make payment and will gain access to the 'membership' video section of the app once payment is successful.
My question is to do with SSL and taking payment. I have asked this question to Stripe and they have responded:
Yes, you'd have to set up a TSL/SSL certificate for PCI compliance. Since you're using Heroku, I'd recommend reaching out to their customer support for more information on that.
I then spoke to Heroku and they said to contact Stripe...
As I'm not very experienced in this area, can someone recommend what I need to do? Do I need to activate SSL when the Stripe Checkout pop up is activated. Does Stripe Checkout even need SSL or is it already secure?
Further information: I'm using Heroku Professional Standard package.
I have found the following from Stripes website:
PCI compliance is a shared responsibility and applies to both Stripe and your business. When accepting payments, you must do so in a PCI compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. Stripe makes this easy for you as we can do the heavy lifting to protect your customers’ card information. You can simplify your PCI compliance as long as you:
Use Checkout, Stripe.js and Elements, or our mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through your servers
I'm pretty sure as I'm using Stripe Checkout then I do not need to do anything further, but just want to be 100% sure before I start taking payments...
Thanks
Even if Stripe Checkout itself is served over HTTPS from Stripe's servers, your payment page including Stripe Checkout also needs to be served over HTTPS with a valid TLS certificate in order for you to be PCI compliant.
(Technically, if your site was served over unencrypted HTTP, an attacker could do a man-in-the-middle attack and change https://checkout.stripe.com/checkout.js with the URL to a malicious script.)
You should simply ask Heroku to help you set up HTTPS on your site -- the fact that you're using Stripe is just context for why you need this, but it doesn't change anything for Heroku.
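What "serve the payment page over HTTPS" looks like on Heroku, as an added Ruby example that is not part of the answer above. Heroku terminates TLS at its router and tells the dyno which scheme the client used in the X-Forwarded-Proto header, so a Rack middleware has to check that header rather than the socket it received. Rails' config.force_ssl = true does the same job; this standalone version is for a plain Rack app or for seeing what the setting does. The app and requests at the bottom are constructed so it runs without Rack installed:

```ruby
# Added example, not from the original answer. Redirects plain-HTTP GETs to HTTPS,
# refuses plain-HTTP POSTs (the body already crossed the wire in the clear, so a
# redirect would only hide that), and pins browsers to HTTPS with HSTS.
class ForceHttps
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return refuse_or_redirect(env) unless https?(env)
    status, headers, body = @app.call(env)
    headers['Strict-Transport-Security'] = HSTS
    [status, headers, body]
  end

  private

  # Trusting X-Forwarded-Proto is only safe because the Heroku router always
  # overwrites it. On a host where clients can reach the dyno directly this
  # header is attacker-controlled and the check must use the socket instead.
  def https?(env)
    proto = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    return proto == 'https' unless proto.empty?
    env['rack.url_scheme'] == 'https'
  end

  def refuse_or_redirect(env)
    unless %w[GET HEAD].include?(env['REQUEST_METHOD'])
      return [403, { 'Content-Type' => 'text/plain' }, ['HTTPS required']]
    end
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    [301, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end
end

# Constructed stand-in for the payment page so the middleware can be exercised here.
PAYMENT_PAGE = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<script src="https://checkout.stripe.com/checkout.js"></script>']] }

def handle(env)
  ForceHttps.new(PAYMENT_PAGE).call(env)
end

# Constructed Rack env as the Heroku router would hand it to the dyno.
def heroku_request(method:, proto:, path: '/pay', query: '')
  { 'REQUEST_METHOD' => method, 'HTTP_HOST' => 'course.example.com',
    'PATH_INFO' => path, 'QUERY_STRING' => query,
    'HTTP_X_FORWARDED_PROTO' => proto, 'rack.url_scheme' => 'http' }
end

if __FILE__ == $PROGRAM_NAME
  status, headers, = handle(heroku_request(method: 'GET', proto: 'http', query: 'course=1'))
  puts "#{status} #{headers['Location']}"
end
```

The dyno itself only ever sees `rack.url_scheme == "http"` on Heroku, which is why checking that key alone would redirect every request in a loop; the header is the only signal the router gives you.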

Processing credit cards in React/Node using only open source tech

If you go out and look for how to process credit cards online, you will continuously get sent towards Paypal or Stripe (which are great options!). These have great features, including nice client UIs, but they don't always fit the problem domain.
I need to accept credit card payments to replace in-person payments for a business, which means no extra fees outside of what credit cards already charge. This is for both Canada and the USA.
Is there an established "best pick" for open source frameworks for handling credit card payments in Node and React?
To be clear, I am showing you one merchant that you can use. Whichever merchant your client is using now to take credit card payments will most likely have a REST API to use.
Most merchant services will have some sort of an API you can use. Since we do not know which merchant you are planning on using I will show you a popular one.
I have used authorize.net a lot in my career. They have a REST API you can consume to handle payments for your clients. The API has a SDK you can download for whichever language you want to use.
The developer portal is here.
You can see popular language examples here.
When you go to that last link click on code examples and pick the language you want to see.
Here is the SDK repo for Node.js.
Find more SDKs on git and use them in your app!
Let me know if you have anymore questions.

How to secure account creation via (private) API?

Some time ago, it was commonplace for smartphone apps to open a browser to a registration page with a CAPTCHA, or to require separate signup via web, because API signup was seen as vulnerable.
Now most apps seem to offer registration via native form, though endpoints for this are usually not documented in their public API. I haven't seen many reports of this being abused to create spam accounts.
How is this done? Is there a standard crypto/handshake process to verify real signups, or does signup typically rely on undocumented endpoints and simple API key passing?
Embedding yields a better experience but has the issue you mention. Yes, the service owners on the other end are still worried about this and combating the problem. And undocumented APIs don't help and the service owners know this.
One of the tools in the toolbox these days is keys assigned to devices which can be used for throttling. This would essentially let you limit the amount of service that can be consumed on a per device basis and it would require you have a device (or can steal the key from one) in order to provide service. So long as the process to issue keys to new devices is strong (a solvable problem) then you can offer a CAPTCHA-free signup experience within the confines of what you are willing to give to a device.
I'd also note that there are other well known approaches you can use, like IP throttling and handshakes with other service providers (like a phone carrier). Depending upon the problem domain these are on the table too...
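The per-device key throttle described in the answer above, as an added Ruby example that is not part of the answer. It assumes the simplest possible key issuance (the backend mints a random key on first contact and stores only its hash); the answer's "strong" issuance step, whatever it is for a given app, would sit inside `issue_key`. The limit is the "what you are willing to give to a device" number, here two signups per window. The clock is injectable so the window can be tested without waiting:

```ruby
require 'securerandom'
require 'digest'

# Added example, not from the original answer. Signup is only accepted with a
# key this backend issued, and each key gets a fixed budget of signups per
# sliding window; bulk account creation then costs one key issuance per budget
# rather than being free.
class DeviceRegistry
  def initialize(signups_per_window:, window_seconds:, clock: -> { Time.now.to_f })
    @limit = signups_per_window
    @window = window_seconds
    @clock = clock
    @devices = {} # sha256(key) => { issued_at: Float, signups: [Float] }
  end

  # First contact from a fresh install. Production would gate this on something
  # expensive for an attacker (attestation, app-store receipt, proof of work);
  # this example only mints the key. The raw key is returned once and never stored.
  def issue_key
    key = SecureRandom.urlsafe_base64(32)
    @devices[fingerprint(key)] = { issued_at: @clock.call, signups: [] }
    key
  end

  # Returns :ok, :unknown_device or :throttled. Unknown keys and throttled keys
  # are distinguishable to the caller but should produce the same client-visible
  # error, so a scraper cannot tell which it hit.
  def signup(device_key, email)
    record = @devices[fingerprint(device_key)]
    return :unknown_device unless record

    now = @clock.call
    record[:signups].reject! { |t| now - t >= @window }
    return :throttled if record[:signups].size >= @limit

    record[:signups] << now
    create_account(email)
    :ok
  end

  private

  # Only the digest is stored, so a dump of this table yields no usable keys.
  def fingerprint(key)
    Digest::SHA256.hexdigest(key.to_s)
  end

  # Stand-in for the real account creation; constructed for this example.
  def create_account(email)
    (@accounts ||= []) << email
  end
end

if __FILE__ == $PROGRAM_NAME
  registry = DeviceRegistry.new(signups_per_window: 2, window_seconds: 3600)
  key = registry.issue_key
  3.times { |i| puts registry.signup(key, "user#{i}@example.com") }
end
```

IP throttling from the answer's last paragraph composes with this: apply the IP bucket first, then the device bucket, so that neither a rotating proxy pool nor a single stolen key is enough on its own.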

What type of middleware is used for the Square credit card reader and its website

I am trying to understand how the https://squareup.com/ square Credit Card reader works.
What would be the underlying middleware that is being used to
send the data to the squareup server,
process the payment
send verification to a user of a successful payment
This is implemented on the iPhone, could there be a generic middleware that could be used for other devices to access this service created, so we could have all type of smartphones access a similar service language independent?
Also what security protocols would be used to ensure the data is sent encrypted over the network?
Their own website contains details about their security technology. They appear to use common and trusted technologies like SSL, which isn't a surprise.
If you want to build an application that integrates with their service, you should contact them. It's possible that they will require you to purchase a license in order to do so. They would also be the authority on the protocols and middleware required to integrate with it.
