zlacker

[parent] [thread] 5 comments
1. wolco+(OP)[view] [source] 2020-04-21 18:10:48
Wouldn't it be just a server side to stripe call on a form submit? Even easier than using js (probably not as good user experience wise)
replies(3): >>brogra+o3 >>Nextgr+F4 >>Kalium+fl
2. brogra+o3[view] [source] 2020-04-21 18:29:36
>>wolco+(OP)
Sure, you could.

We more or less do this today, but if you need to set up a new workflow to take payments (one-time or recurring) there's a lot of work already done for you in the Stripe.js ecosystem.

So in our case, to take one-time payments it would've been more work to stand up the checkout page itself and all of that work behind the scenes. It is much easier to just create a checkout session (basically just hitting the DB to pull the outstanding payment record and creating a Stripe customer if one doesn't already exist) and redirect to Stripe's checkout.

The PCI part isn't overstated either: that checkout session lives on Stripe's domain, not ours, and that's where the payment method is collected & stored within Stripe, so you're not having to worry about it.

It's pretty nifty, give it a look - https://stripe.com/docs/payments/checkout/one-time

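The server-side flow brogra+o3 describes (pull the outstanding payment row, create a Stripe customer only if one does not exist yet, then redirect the browser to Stripe-hosted Checkout), written out as an added Python example that is not from the thread or from Stripe's own docs. The `PaymentRecord` row, the `_FakeStripe` stand-in and the URLs are constructed; it assumes the current stripe-python API, where the created session carries a `url` to redirect to.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PaymentRecord:
    """Constructed stand-in for the 'outstanding payment' row in our DB."""
    id: str
    email: str
    amount_cents: int
    currency: str = "usd"
    description: str = "Invoice"
    stripe_customer_id: Optional[str] = None

def create_checkout_redirect(stripe_api, record, success_url, cancel_url):
    """Return the Stripe-hosted URL to send the browser to. `stripe_api` is the
    real `stripe` module or a compatible fake. No card data is handled here."""
    # Create the Stripe customer only once and keep its id on the row (a real
    # app writes it back to the DB) so a retried request reuses it.
    if record.stripe_customer_id is None:
        customer = stripe_api.Customer.create(email=record.email)
        record.stripe_customer_id = customer["id"]
    session = stripe_api.checkout.Session.create(
        mode="payment",
        customer=record.stripe_customer_id,
        line_items=[{"quantity": 1, "price_data": {
            "currency": record.currency,
            "unit_amount": record.amount_cents,
            "product_data": {"name": record.description}}}],
        client_reference_id=record.id,   # lets the webhook find our row again
        success_url=success_url,
        cancel_url=cancel_url,
        idempotency_key=f"checkout-{record.id}",  # retry returns same session
    )
    return session["url"]

class _FakeStripe:
    """Offline stand-in that records the calls (constructed for testing only)."""
    class Customer:
        created = []
        @classmethod
        def create(cls, **kw):
            cls.created.append(kw)
            return {"id": f"cus_fake{len(cls.created)}"}
    class checkout:
        class Session:
            last = None
            @classmethod
            def create(cls, **kw):
                cls.last = kw
                return {"id": "cs_fake", "url": "https://checkout.stripe.com/c/pay/cs_fake"}
```

The only data the server sends to Stripe is the amount, currency, customer e-mail and its own record id; the card number is typed on Stripe's domain after the redirect.
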
3. Nextgr+F4[view] [source] 2020-04-21 18:36:34
>>wolco+(OP)
I think that you will be on the hook for PCI compliance if card data touches your server, while with Stripe.js your server never sees the card data. Of course, it's extremely stupid, because your server is still the one serving the original page and can change it to silently exfiltrate the card details if it gets compromised.
replies(1): >>skoski+Yb
4. skoski+Yb[view] [source] [discussion] 2020-04-21 19:19:15
>>Nextgr+F4
I mean, if your server is compromised, you are completely screwed, no matter what services you do or don’t use.
replies(1): >>Wowfun+Hi
5. Wowfun+Hi[view] [source] [discussion] 2020-04-21 20:08:18
>>skoski+Yb
I believe the point was, if your server is compromised but you're using stripe.js, you're not legally on the hook for exposing CC details, even though they definitely could have been exposed.

(I have no idea if this is even true, this was just my reading.)

6. Kalium+fl[view] [source] 2020-04-21 20:23:12
>>wolco+(OP)
> Wouldn't it be just a server side to stripe call on a form submit? Even easier than using js (probably not as good user experience wise)

Sure! You just have to also handle PCI-DSS.

One of the nasty things I've had to accept about PCI-DSS is that if you think you have a clever hack for getting around it, you probably don't. It's really a remarkable work of standards authoring.
