
Being Pci Compliant With Stripe


gutterboy

Question

Hello,

We will probably be using Stripe and have been reading about being PCI compliant. Stripe has this page up:

https://support.stripe.com/questions/do-i-need-to-be-pci-compliant-what-do-i-have-to-do

#1 we have covered; however, #2 I would need to know about. Does Blesta use Stripe.js or Checkout to accept payment information and transmit it directly to Stripe's servers?


Thanks!


17 answers to this question


Well, that thread was an interesting read. Not wanting to kick the wheelbarrow over again, but I'm now a little confused. From what I have come to understand from that page I linked above and via that thread, stripe.js and Stripe's Checkout both send the data directly to Stripe, and the server Blesta is on doesn't touch the data.

So if Blesta is currently using the Checkout method, then why the need for stripe.js, and what was that thread all about? Was Blesta using neither of these methods during the majority of that thread!?


Well, that thread was an interesting read. Not wanting to kick the wheelbarrow over again, but I'm now a little confused. From what I have come to understand from that page I linked above and via that thread, stripe.js and Stripe's Checkout both send the data directly to Stripe, and the server Blesta is on doesn't touch the data.

So if Blesta is currently using the Checkout method, then why the need for stripe.js, and what was that thread all about? Was Blesta using neither of these methods during the majority of that thread!?

Don't know, to be honest with you, haha. That's why I kept out of it; I've not had any issues with it and no one has complained to me.


The Checkout method doesn't send data directly to Stripe; it sends it to Blesta and then to Stripe. The stripe.js method sends it directly from the user's browser to Stripe.

Hmmmmm, ok. I thought it was direct, as that's what this post indicated: http://www.blesta.com/forums/index.php?/topic/2055-stripe-payment-gateway-pci-compliance/page-4#entry19419


I was a bit confused by all the stuff happening in that thread as well, but the way I understood it was that in its current state, the Stripe module leaves the onus of PCI compliance on you, because it sends card information to the server to be tokenized before passing it along to Stripe (since it doesn't use stripe.js). There is a fix/workaround item in progress; it looks like it's assigned to 3.5. Core-1085

Blesta does not store the credit card details, but it does send them to the server to be tokenized on the initial charge. The fact that it has to send the card details to the server to tokenize them is the step that requires your server to be PCI compliant, whereas if we could use stripe.js, you wouldn't have to worry about PCI compliance, because Stripe would be responsible for it since the card info would never touch the Blesta server. So, once the above task is completed, using stripe.js will be possible.

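The two flows the posts above contrast, as an added example that is neither Blesta's nor Stripe's code: card data posted to the merchant server and tokenized there, versus a stripe.js-style flow where the browser tokenizes and the server only ever sees a token. The field names, the fake token format and the Luhn-based check on request bodies are constructed stand-ins; the check flags exactly the condition the thread says pulls the server into PCI scope, namely a primary account number arriving in a request.

```javascript
// Added example, not Blesta or Stripe code. Models the two data flows the thread
// describes and flags request bodies that carry a card number (PAN), which is the
// condition that makes the receiving server part of the PCI cardholder-data scope.

// Standard Luhn mod-10 check over a string of digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if any value in the request body looks like a PAN (13-19 digits, Luhn-valid).
// Run this over what your server actually receives to see whether card data touches it.
function bodyTouchesCardholderData(body) {
  return Object.values(body).some((v) => {
    const s = String(v).replace(/[\s-]/g, "");
    return /^\d{13,19}$/.test(s) && luhnValid(s);
  });
}

// Flow 1 (current Blesta/Checkout path as described): the server receives the PAN
// and asks the gateway to tokenize it. The gateway call is a constructed stand-in.
function serverSideTokenise(body) {
  const inScope = bodyTouchesCardholderData(body); // true: PAN reached the server
  const token = "tok_constructed_" + String(body.number).slice(-4);
  return { token, inScope };
}

// Flow 2 (stripe.js path): the browser tokenizes; only the token is posted to the server.
function browserTokenise(card) {
  // Stand-in for stripe.js: the PAN never leaves the browser, a token comes back.
  return { token: "tok_constructed_" + String(card.number).slice(-4) };
}
function serverChargeWithToken(body) {
  const charged = typeof body.token === "string" && body.token.startsWith("tok_");
  return { charged, inScope: bodyTouchesCardholderData(body) }; // inScope: false
}

// Constructed sample card (Luhn-valid number, not a real account).
const sampleCard = { number: "4242424242424242", exp: "12/30", cvc: "123" };
```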

Sorry, you're right. Stripe Checkout is just a JavaScript app built using stripe.js, so it is the same in regards to PCI compliance. Blesta receives the data and passes it on to Stripe like Daniel has described.

Although in the latest PCI specifications you are supposed to be compliant even when using stripe.js.


Sorry, you're right. Stripe Checkout is just a JavaScript app built using stripe.js, so it is the same in regards to PCI compliance. Blesta receives the data and passes it on to Stripe like Daniel has described.

Although in the latest PCI specifications you are supposed to be compliant even when using stripe.js.

So you have to be compliant now even if we end up getting stripe.js implemented?


Although in the latest PCI specifications you are supposed to be compliant even when using stripe.js.

Do you have a reference? I predicted this in one of those previous threads. Logically, your server sends the markup for stripe.js, so if your server was compromised an attacker could modify that JavaScript to capture the card data anyway. It was a loophole that has apparently been closed, as I suspected.


Do you have a reference? I predicted this in one of those previous threads. Logically, your server sends the markup for stripe.js, so if your server was compromised an attacker could modify that JavaScript to capture the card data anyway. It was a loophole that has apparently been closed, as I suspected.

See these two posts:

http://www.blesta.com/forums/index.php?/topic/3353-accepting-credit-cards/?p=24599

http://www.blesta.com/forums/index.php?/topic/3353-accepting-credit-cards/?p=24638

As I understand it, the way PCI compliance is enforced is that credit card companies tell the gateways to make sure the merchants are compliant, and those gateways usually hold the merchant to the requirements. I'm sure that companies such as PayPal would not force you to complete an SAQ, although it may technically be required. They would have the risk of being fined for non-compliance but wouldn't fine the merchant, as they weren't held to the requirements.

I haven't actually had any experience with PCI compliance though, so take this with a grain of salt.

So you have to be compliant now even if we end up getting stripe.js implemented?

The PCI security standards are not the law. So you only have to do what is laid out in the terms of your contract with Stripe. It is still a good idea to follow the standards as much as possible.


See these two posts:

http://www.blesta.com/forums/index.php?/topic/3353-accepting-credit-cards/?p=24599

http://www.blesta.com/forums/index.php?/topic/3353-accepting-credit-cards/?p=24638

As I understand it, the way PCI compliance is enforced is that credit card companies tell the gateways to make sure the merchants are compliant, and those gateways usually hold the merchant to the requirements. I'm sure that companies such as PayPal would not force you to complete an SAQ, although it may technically be required. They would have the risk of being fined for non-compliance but wouldn't fine the merchant, as they weren't held to the requirements.

For non-merchant redirection gateways such as PayPal Standard, where the user sees www.paypal.com in the address bar instead of your site URL, there is no need for PCI compliance.

That's why non-merchant gateways are a much better option for most businesses.

For every gateway that allows payment information to be collected while your own site URL is in the address bar, including Stripe, you need PCI compliance when PCI 3.0 becomes required (2015?).

Do note that Mastercard and VISA do not require compliance VALIDATION by the acquiring bank for smaller merchants.

This means that while you do need to comply, the gateway/bank is not required to check that you actually ticked all the boxes on the SAQ paperwork and actually did the quarterly external security scans.

It may therefore still be tempting to "forget" to comply. However, if there is an incident, they likely do want to see it, and if it turns out you were not in compliance, there will be trouble.

That they didn't check up on you earlier does not mean the contract clause requiring compliance will not stand.


The PCI security standards are not the law.

While they may not be federal laws (yet...though they already are in some states), PCI is required by all major credit card networks (Visa, Mastercard, Discover, American Express)...and if you are found in breach of them you can face hefty fines and expulsion from said credit networks. Not complying with PCI standards and being caught could easily mean that you'll never be able to accept credit cards or get approved for a merchant (or non-merchant) account again. If you get blacklisted by the credit networks, you are screwed as a business.

It's not something that many sole proprietors or small businesses think about, but PCI compliance is a serious issue and should be viewed as such.


While they may not be federal laws (yet...though they already are in some states), PCI is required by all major credit card networks (Visa, Mastercard, Discover, American Express)...and if you are found in breach of them you can face hefty fines and expulsion from said credit networks. Not complying with PCI standards and being caught could easily mean that you'll never be able to accept credit cards or get approved for a merchant (or non-merchant) account again. If you get blacklisted by the credit networks, you are screwed as a business.

It's not something that many sole proprietors or small businesses think about, but PCI compliance is a serious issue and should be viewed as such.

Your ability to get approved for a merchant account etc. is something I didn't think of, but surely there's no way you could get fined unless your payment processor required you to be compliant and mentioned the fines in its terms and conditions?

but surely there's no way you could get fined unless your payment processor required you to be compliant and mentioned the fines in its terms and conditions?


Sure.

But is there any payment service provider out there that doesn't mention it in the small print?


Your ability to get approved for a merchant account etc. is something I didn't think of, but surely there's no way you could get fined unless your payment processor required you to be compliant and mentioned the fines in its terms and conditions?

The fine would come from the credit networks...most likely it would be levied on the payment processor for allowing you to use them without being PCI compliant, which I would guess would in turn be passed on to you. The fine wouldn't be the biggest issue, very true...but the inability to ever get another merchant account again would be a bit difficult to swallow. (Of course, this is all "worst case" stuff...not like they actually do compliance checks on the "little fish".)
