Requests | Blesta


Add Support for stripe.js to get around Stripe PCI compliance issues

Katy Computer Systems shared this idea 8 months ago
Under Consideration

Stripe is telling me to fill out a 60-page document to be PCI compliant with them.

I thought using the token option would be adequate, they say no, that the best approach is to use Stripe Elements.

This seems to be a most important update, there has been quite a bit of heated discussion on the forums regarding this topic.

Comments (12)

2

Is this true that the current Blesta Stripe plugin isn't PCI compliant? I thought that storing all CC info offsite with Stripe through tokenization was compliant? Did something change over the past year?

2

Are you choosing to store Credit Card information on your server? If so, that is why you have to meet certain PCI Compliance. I am using the Stripe plugin for Blesta using the tokenization method and choosing not to store any information whatsoever which leaves all Compliance up to Stripe.

What my dashboard shows at the link you provided: https://screencast.com/t/UnnJU7YmTRk

Additionally, this is what shows under "Integration": https://www.screencast.com/t/D6OCAoTN78

Scared me there for a second :)

1

I am not storing cards on my server, still having Stripe issues:

https://i.imgur.com/hGg24br.png

https://i.imgur.com/awX8QKG.png

2

Have you tried disabling the Stripe Plugin and generating new keys yet? Maybe a glitch with the handshake between both apps?

1

I did as you suggested, we'll see what happens after a few days, but I am getting this when I click change:

https://i.imgur.com/AgwYL9A.png

This is all above my pay grade, but there are quite a few references to the need for migration to Stripe's latest technology if we want to be assured our billing systems will function as expected in the future without going through a bunch of PCI nonsense.

Curiously, when I go to https://dashboard.stripe.com/account/integration/settings Stripe reports:

Good news! You’re using tokenized payment information to securely process payments on Stripe and keep your cardholder’s information safe.

1

Jason,

I've realized disabling the Stripe Plugin was a bad idea. When we attempt to pay new invoices with existing client credit card accounts, we get "The gateway does not exist or is not enabled".

Looks like I need to restore backup ASAP :-(

John

2

Oh no! That's weird; the only time I had that happen was when I switched from the 3rd-party version of the plugin back to the Blesta version. It's never happened just "deactivating" the plugin, though, nor should it. Hope that you are able to restore from a backup :|

1

Restore saved the day - also proved the wisdom of my philosophy of always having multiple backups. Our primary backup failed me, but I was able to use Softaculous' backup to restore the database.

What's odd about this issue is that new clients were able to use the Stripe gateway, but existing clients got the dreaded "The gateway does not exist or is not enabled" message.

4

The current Blesta Stripe gateway (when choosing to store CC offsite) stores only a token, and never the full card number, but it passed through Blesta. Stripe has always preferred stripe.js, which allows the card data to go directly to Stripe from the client and never touch Blesta at all. This is pretty much a loophole because an attacker who can modify your Blesta to capture card data could also modify Blesta to use a malicious stripe.js to do the same.

In order to support stripe.js and similar methods by other gateways, a change to the core merchant gateway system is required. This is something we have been planning to do for some time, but demand has been fairly low and the solution not trivial. We'll discuss internally and revisit this task soon.
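The distinction above is where the card number is visible: with the current gateway it passes through the application server before it is tokenized, so that server (and its request logs) is inside the cardholder-data boundary; with stripe.js the browser sends it straight to Stripe. An added example, not Blesta's or Stripe's code: a small Luhn-based scanner a defender can run over server-side text such as request logs to confirm that a pass-through integration is not retaining PANs. The log lines are constructed for the demo, and the "tok_..." value and URLs are placeholders, not real Blesta routes.

```javascript
// Added example (not Blesta's or Stripe's code): scan server-side text such as
// request logs for card numbers (PANs) with a Luhn check, so that a gateway
// integration that passes card data through the application can verify it is
// not retaining PANs in logs. All sample log lines below are constructed.

// Luhn mod-10 checksum, the standard structural validity check for card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_RE = /\b(?:\d[ -]?){12,18}\d\b/g;

function isPan(digits) {
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

// Return every Luhn-valid PAN found in a text, as a digit-only string.
function findPans(text) {
  const found = [];
  for (const m of text.match(PAN_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (isPan(digits)) found.push(digits);
  }
  return found;
}

// Replace every Luhn-valid PAN with a masked form that keeps only the last four digits.
// Non-card digit runs (order ids, timestamps) are left alone because they fail Luhn.
function redactPans(text) {
  return text.replace(PAN_RE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    if (!isPan(digits)) return m;
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Constructed sample: a token-only line (what a client-side tokenization flow
// leaves behind), a pass-through line that leaked a full PAN (the public Visa
// test number), and a 16-digit order id that is not a card number.
const SAMPLE_LOG = [
  '2019-03-01 10:00:01 POST /client/accounts/add card=tok_visa_constructed last4=4242',
  '2019-03-01 10:00:02 POST /client/accounts/add card_number=4111 1111 1111 1111 exp=12/25',
  '2019-03-01 10:00:03 GET /order/1234567890123450 status=paid',
];

// Scan a set of lines; returns, per line, the PANs found and the redacted text.
function scanLog(lines) {
  return lines.map((line) => ({ pans: findPans(line), redacted: redactPans(line) }));
}

for (const r of scanLog(SAMPLE_LOG)) {
  console.log(r.pans.length ? 'LEAK ' : 'ok   ', r.redacted);
}
```

Only the second line is flagged: the token line never contained a PAN, and the order id has the right length but fails the checksum. The check is structural, so it finds dummy values like the one Daniel describes storing later in this thread just as readily as a real number, which is the point of scanning rather than trusting that "only a token" reaches the server.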

1

Paul -

Just curious to know if this is still being considered, I am now more fearful knowing that this loophole exists and that it can be exploited. I do have everything encrypted and on lock down, but the more protections in place the better... for everyone's sake.

1

Hi Jason,

I don't think this would be too hard to implement. If you are desperate for it to be done, a coder can make the changes for you. I did it for our install a while back. You need to make a lot of edits, but basically, wherever the code is looking for parts of the CC, e.g. last4 or expiry, you just edit that. Any page that accepts card details, edit that as well to send the details to your processor, and to satisfy Blesta we just had it storing 4111 1111 1111 and some expiry date in the future. This way we are/were fully PCI compliant: no customer card details were saved on our server and we only used the Braintree drop-in UI. I'm pretty sure stripe.js would work the same.

Daniel.

WebhostingNZ.com