Add Support for stripe.js to get around Stripe PCI compliance issues
Katy Computer Systems shared this idea 5 years ago
Stripe is telling me to fill out a 60 page document to be PCI compliant with them.
I thought using the token option would be adequate, they say no, that the best approach is to use Stripe Elements.
This seems to be a most important update, there has been quite a bit of heated discussion on the forums regarding this topic.
Is this true that the current Blesta Stripe Plugin isn't PCI Compliant? I thought by storing all CC info offsite with Stripe through tokenization was compliant? Did something change over the past year?
Log in to Stripe & go to:
The current Blesta Stripe gateway (when choosing to store CC offsite) stores only a token, and never the full card number, but the card data passes through Blesta. Stripe has always preferred stripe.js, which allows the card data to go directly to Stripe from the client and never touch Blesta at all. This is pretty much a loophole because an attacker who can modify your Blesta to capture card data could also modify Blesta to use a malicious stripe.js to do the same.
In order to support stripe.js and similar methods by other gateways, a change to the core merchant gateway system is required. This is something we have been planning to do for some time, but demand has been fairly low and the solution not trivial. We'll discuss internally and revisit this task soon.
Just curious to know if this is still being considered, I am now more fearful knowing that this loophole exists and that it can be exploited. I do have everything encrypted and on lock down, but the more protections in place the better... for everyone's sake.
I don't think this would be too hard to implement. If you are desperate for it to be done, a coder can make the changes for you. I did it for our install a while back. You need to make a lot of edits, but basically, wherever the code is looking for parts of the CC, e.g. last4 or expiry, you just edit that. Any page that accepts card details, edit that as well to send the details to your processor, and to satisfy Blesta we just had it storing 4111 1111 1111 and some future expiry. This way we are/were fully PCI compliant, no customer card details were saved on our server and we only used the Braintree drop-in UI. I'm pretty sure stripe.js would work the same.
This issue has been dropped since we now have a separate Stripe Payments gateway that implements Stripe JS and 3DS that can be used instead of the original Stripe gateway in Blesta.