Jump to content

WHMCS Stripe Gateway and PCI Compliance


Recommended Posts

We recently received a notification from Stripe that an action was required in our Stripe account to lodge a SAQ-D self assessment to remain PCI compliant. This came as a surprise because it was our understanding that WHMCS v8.1 uses Stripe Elements, which supports a simplified PCI compliance. When I questioned Stripe about this I received the following response...

It looks like your current integration sends card details directly to our API rather than first securely exchanging these for a representative token client-side. We strongly discourage this approach, as it means that your application code and servers are handling card numbers.

While it may be true that you're not storing the payment information, we're only able to help simplify PCI compliance when you've integrated with Elements, Checkout, or our mobile SDKs. We recommend upgrading your integration to one of these methods to be eligible for simple PCI compliance — a pre-completed Self-Assessment Questionnaire A (SAQ A) from Stripe. If you’re using a third-party platform or plugin to make these requests on your behalf, we recommend reaching out to see if there is an upgraded version available.

Otherwise, we ask that you complete and upload a SAQ D form [1] to your Dashboard here: https://dashboard.stripe.com/account/compliance

Separate from the significant PCI burden that accompanies this approach, I should mention that you'll continue to be ineligible for Stripe's customizable and sophisticated fraud prevention, Radar [2], if you send card details directly to our API.

Kind regards,

[1] https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-D_Merchant-rev1_1.pdf
[2] https://stripe.com/radar

Can anyone shed more light on the WHMCS PCI compliance situation and if the Stripe gateway in WHMCS really is using Stripe Elements?

I was basing my understanding on this blog article, however there seems to be a disconnect between this article and what Stripe is saying:



Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated