Working with Stripe for payment process - Is it safe

Ankit Jindal

May 25, 2015, 2:10:10 AM
to api-d...@lists.stripe.com
Currently I have implemented Stripe in an application in test mode, but from a user's perspective I find it very insecure and highly risk-prone.

I want to know whether this happens only in test mode or in live mode as well?

For example, one customer enters his card details and saves his card for future use. We can generate a customer ID based on those card details and charge the customer n times without asking him again or his/her prior information.

I have not yet seen anything like an OTP in this, and the CVC number is also saved, so in all it makes the transaction highly risk-prone.

Matthew Arkin

May 25, 2015, 2:18:53 AM
to api-d...@lists.stripe.com
Tons of Stripe's security stuff can be found at https://stripe.com/help/security.

Just to note: CVC is not stored. When you provide Stripe with CVC data, the CVC would be used at most once against the network; per PCI rules, CVC can never be stored.

When it comes to charging the customer anytime, that is indeed something you could do; it's actually something you can do with any company that provides a "vault" type service. There are also a number of things that exist to protect customers and punish merchants for charging customers without their consent.

The first thing is that ALL charges must have the consent of the cardholder; failure to do so can lead to Stripe closing your account, refunding charges, and withdrawing those funds from your bank account. Even if that does happen, you are subject to chargebacks, where the customer complains to their credit card company, and then the money gets sucked out from your bank account. Excessive chargebacks can lead to closure of your Stripe account as well.

When it comes to security, I prefer to use Stripe Checkout, since the customer enters information directly into an iframe of Stripe's URL. While there is also Stripe.js, I find that it feels much less secure just because the card numbers are entered into your own site and it's much easier for malicious JavaScript to attack it than with an iframe. (I really like Braintree's Hosted Forms solution for this, but this part of the topic could be its own thread.)

Basically, you could save a customer's details and then charge it once; Stripe's Terms of Service, as well as the card networks, prohibit this and would cause you tons of problems.

--
You received this message because you are subscribed to the Google Groups "Stripe API Discussion" group.
To post to this group, send email to api-d...@lists.stripe.com.
Visit this group at http://groups.google.com/a/lists.stripe.com/group/api-discuss/.

To unsubscribe from this group and stop receiving emails from it, send an email to api-discuss...@lists.stripe.com.