akust0m Posted July 19, 2021

Hi there, I'm currently looking into exactly how the Stripe payment process works for PCI compliance reasons. The thing I'd like to know is whether the client's credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe? Any clarification on this would be great! Thanks!

UnwilfulExpenditure Posted July 19, 2021

> 2 hours ago, akust0m said:
> Hi there, I'm currently looking into exactly how the Stripe payment process works for PCI compliance reasons. The thing I'd like to know is whether the client's credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe? Any clarification on this would be great! Thanks!

The idea is that a token is stored so you can bill it, without retaining the information. In an ideal world this is absolutely compliant provided you're using sufficient practices in terms of security.

The reality is, nobody knows what data WHMCS transfers, nor what they hold, as it's all pretty elusive and hidden! You could never really say with 100% certainty that they don't do anything that would cause an issue later on. With many critical security issues over the years and the insistence on hiding everything, we'll never truly know until it becomes an issue!

You could ask them to provide in writing exactly what they check for and why they NEED you to log in every X amount of days or face invalid licenses/branding re-appear.... but you would probably get a non-answer!

I think saying "to the best of my knowledge" is an honest enough answer. It remains to be seen if that is an appropriate answer the next time a database gets leaked, or the licensing server compromised!

steven99 Posted July 20, 2021

> 21 hours ago, akust0m said:
> The thing I'd like to know is whether the client's credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe?

It depends on which WHMCS version you are using. If WHMCS 8+, then it should be using Stripe elements and expecting a token, and card data never touches WHMCS as that happens within Stripe's form and that just returns a token. WHMCS before 8 uses the Stripe API to get the token AND it stores the card data because that goes through WHMCS.

Stripe's flow should be, on any system and not just WHMCS:

- Load page with Stripe.js and init elements form
- Client enters card data, hits submit
- JavaScript listening for the submit
- stripe.createToken is fired, submitting the form's elements to Stripe using Stripe's JavaScript libs and functions
- Token is received
- Payment form gets submitted to backend and that form holds client id, token, and any other info but not the card info and no way to get that
- Backend checks the token is valid, invoice is valid, etc.
- Backend then creates a Stripe customer object or updates an existing one if a customer token is known
- Backend then charges the invoice against the customer object's primary source or source selected
- Show success or failure message

Edited July 20, 2021 by steven99

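The backend step in the flow steven99 describes (the posted form holds client id, token and other info, but not the card info) can be verified on the server. The following is an added example, not part of the thread and not WHMCS or Stripe code; the field names are hypothetical, the sample values are constructed, and the `tok_` check assumes Stripe's token ID prefix.

```javascript
// Added example. Field names (client_id, invoice_id, stripe_token) are hypothetical.

// Luhn checksum: true for digit strings that could be a card number (PAN).
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if the value holds a 13-19 digit run (spaces or dashes allowed
// between digits) that passes Luhn. The digits are never returned or logged.
function containsPanLike(value) {
  const candidates = String(value).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// Inspect a parsed form body as the backend receives it: it must carry a
// token and must not carry anything that looks like card data.
function inspectPaymentPost(body) {
  const problems = [];
  const token = body.stripe_token;
  if (typeof token !== "string" || !/^tok_[A-Za-z0-9]+$/.test(token)) {
    problems.push("missing or malformed token");
  }
  for (const [field, value] of Object.entries(body)) {
    if (containsPanLike(value)) {
      problems.push(`card-number-like value in field "${field}"`);
    }
  }
  return { ok: problems.length === 0, problems };
}
```

A post that fails this check means card data is reaching the server and the tokenization step is being bypassed or misconfigured.
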
akust0m Posted July 21, 2021

Thank you very much for this information 🙂