
iamp

Members
  • Posts: 16
  • Days Won: 1
  • Reputation: 4

iamp last won the day on October 11 2022

iamp had the most liked content!

Achievements: Newbie (1/14)

  1. I think we're missing the point here: there are a potentially high number of people using this plugin thinking that it doesn't contact the card numbers at all, when it actually does. These people need to be informed of this so they can make informed decisions about what to do next - be it PCI compliance or a plugin / gateway / software change.
  2. Server is properly configured -> PCI compliance. My issue is that there is nothing that makes it clear to users that Blesta's Stripe integration doesn't support full no-contact with card details. As a result, there will be people (like I almost did, and like others on this post) who are preparing to or have already implemented this in live environments without filling out the necessary PCI questionnaire (which you can avoid if you don't touch the details) and without any idea that their regular hosting environments aren't good enough for it. That is where the compliance rules are being broken, and people are becoming liable for fines. These people need to know the exact spec of the plugin so they can make informed decisions about how to use it.
  3. Cody - my point, and possibly secforus_ehansen's too, is that while you support tokenised storage, you don't support tokenised transmission (at least until CORE-1085 is resolved), so saying you fully support Stripe (which exists as an easy to set up payment gateway allowing you not to have to deal with PCI) leads people to believe you support it in full tokenised mode - transmission and storage. This will lead them to use it without checking and to attest to Stripe that they never touch the details - that is not PCI compliant. I think Blesta is a great piece of software and on its own I'm sure it's compliant, but without sufficient documentation, the Stripe module is not. As SusanC said, I think it might be worth sending an email around to warn people before someone gets into serious trouble. Edit - I'm not trying to be a dick either, but am concerned by how close I got to implementing the gateway before I realised how it worked. I'm sure I'm not the only one.
  4. @Paul - Stripe's terminology states that fully tokenised (at least for the security disclosure) means that card details are never accepted outside of one of their JavaScript APIs (see https://www.dropbox.com/s/8ltquhkkdv0fl9t/Screenshot%202014-03-04%2023.03.59.png) - you say you fully support tokenisation, which you do for storage - and users will check the box and not think twice about it - violating the PCI compliance rules and opening themselves up to huge fines in the event of a breach. I suspect that some of your existing licensees may be in this position. @secforus_ehansen - Stripe's Checkout and Stripe.js payment methods are very similar - they both use JavaScript to take the credit card details, but Stripe.js completes the whole payment on the form submission, handing over a completed payment object to whatever receives the form. Checkout will collect the card details and tokenise them, passing the token to whatever receives the form, allowing its storage and immediate charging via the API. Stripe.js is effectively a very, very simple way of taking payments; Checkout takes it up a notch and gives you some control (ideal for a payment gateway). Edited to change APIs to JavaScript APIs
  5. I wonder if the lack of demand is partially down to people not knowing it doesn't support it? There's nothing on your website to indicate this, and while I agree that people should do their own research, many don't and could be using it as though it did. There should certainly be a warning somewhere - like secforus_ehansen said, the fines are pretty steep. I certainly was attracted to Blesta by its Stripe support, and got as far as buying a license and running full payment tests (with the test gateway, luckily) before I realised that it wasn't fully tokenised.
  6. Thanks for this - I appreciate your expertise and am interested to see what Cody says about it.
  7. Hi there, Thanks for that, though I'm not entirely sure I understand. As I see it, using Stripe.js or Stripe Checkout, and never handling the credit card details (they are shipped off direct from the user), as well as serving payment pages over SSL, makes you sufficiently compliant (source: https://support.stripe.com/questions/do-i-need-to-be-pci-compliant-what-do-i-have-to-do). I was looking at Blesta as a competitor for WHMCS, which is fully compatible with the above setup (albeit by plugin) and as a result is fully compliant with all the questions Stripe ask. Blesta merrily advertises itself as Stripe compatible but does not state that you actually deal with card numbers. I assume this is what requires the PCI compliance above. Similarly, if I didn't realise after a lot of research (I had to deconstruct the payment form before it became obvious to me), how many other users are there out there blindly thinking they are using fully tokenised storage and transmission (and attesting this to Stripe) when they are actually handling card numbers - surely there should be a clear warning to them on the site docs, at the very least? Blesta is very easy to set up and it's even easier to get Stripe working with it - most wouldn't even check.
  8. Hi, Thanks for that. I'm very interested in the requirements for PCI compliance - the Blesta website does not at all make it clear that it doesn't support Stripe in a fully tokenised manner - this is the default selection on the Stripe website and there is no relevant documentation from Blesta, so I'm sure I'm not the only person who was caught by this. What would I have to do in order to make Blesta compliant? I thought PCI compliance was relatively unattainable for small businesses, that's why companies like WorldPay and Barclaycard ePDQ have such domination over the UK payments market?
  9. I've been testing out the Stripe gateway, and unlike most others I've seen, it looks (from the code) like the credit card details are communicated to the server and then onto Stripe - is this true? If so, is there any way to implement it so the details go directly to Stripe, as with a WHMCS-style Stripe plugin? And if not, what are the PCI implications of having the credit card numbers touch your server as the client pays? Thanks!
  10. Thank you - I appreciate the help. I wrote a modification for the ticket display so now it will tell you who the ticket is assigned to - my final hurdle is assigned ticket notifications and I'll be ready to move (after tomorrow's payment run). Nearly there!
  11. Hi Michael, I've had SO many battles with WHMCS, it has just been a case of waiting for a suitable replacement to come along. Your ticket screen looks a lot more advanced than mine - I've got no checkboxes or buttons - but you're right, it does get highlighted when it's assigned. I wonder if I could create an additional column with the assigned user in it - presumably this would just be a case of editing the support plugin? Sorry for the barrage of questions - I'm matching up the essential functionality from WHMCS with its counterpart in Blesta to make sure we can do everything we need to before we move. I'm now down to this and emails getting sent to administrators when they are assigned tickets. Thanks!
  12. Aha, that's handy - thanks! To what extent will the templates support conditional logic? I'd like to put the staff name into the from field, but only have staff ID from the array. Finally, maybe I'm being dense, but I don't see a way for staff to see tickets that are assigned to them - I'm sure this is a feature built into assignments but I can't find how to use it. Thanks for your help, I can't wait to get rid of WHMCS!
  13. Hi Everyone, I'm in the process of customising a bunch of email templates, and I can't seem to find any documentation for the {ticket} merge object - it seems that {ticket.summary} will give me the ticket title, and I've been randomly trying a few others - but is there anything written anywhere about it? I'm most interested in obtaining a term for the name of the administrator that responded - though I'm not sure how doable that is. Thanks!
  14. Hi @Tyson, @mdoering - thanks for the help - I got the fields out no problem at all. I LOVE how easy it is to modify Blesta - I'm a long time WHMCS user and it's just so easy. I'm having trouble hooking into the clients create event, but I'll keep going - thanks again!