
Forum: Take My Money
20 Oct 2016, 23:54
John McDowall (2 posts)

The ‘Charging Cards with Server Authentication’ section goes about showing the user how to create a Stripe token on the server, once the credit card details have been passed from the HTML form to the server.

It should be noted that this is actually strongly discouraged because it does create a PCI compliance issue, and it is not recommended unless you have taken strong precautions for making sure that your server does not log any credit card details in any way.

I’m not sure why Stripe don’t make this more clear - Braintree call this issue out with a nice big alert box in their documentation:

I understand why you would use this as a learning example before introducing client side payment collection, but I think if you’re going to keep this section, you owe a duty to your readers to be very, very explicit about this PCI compliance issue, and also demonstrate how to keep the server scrubbed of any credit card details.

Might be worth contacting someone at Stripe to confirm all of this, because my fear would be that even though subsequent chapters show client side collection, someone out there is sure to use the information in this chapter and get into trouble.


21 Oct 2016, 18:20
Noel Rappin (48 posts)

I agree with this, and it’s something that will be addressed in the final draft of the book, especially now that I have a discussion of compliance to point to.

I still think there’s value in the server solution for learning purposes, but there are a couple of security and compliance concerns that need to be more explicitly called out.
