Jump to content
akust0m

Understanding Stripe Payment Process

Recommended Posts

Hi there,

I'm currently looking into exactly how the Stripe payment process works for PCI compliance reasons.

The thing I'd like to know is whether the clients credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe?

Any clarification on this would be great!

Thanks!

Share this post


Link to post
Share on other sites
2 hours ago, akust0m said:

Hi there,

I'm currently looking into exactly how the Stripe payment process works for PCI compliance reasons.

The thing I'd like to know is whether the clients credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe?

Any clarification on this would be great!

Thanks!

The idea is that a token is stored so you can bill it, without retaining the information. In an ideal world this is absolutely compliant provided your using sufficient practices in terms of security. The reality is, Nobody knows what data whmcs transfers, Nor what they hold as it's all pretty elusive and hidden! You could never really say with 100% certainty that they don't do anything that would cause an issue later on - With many critical security issues over the years and the insistence on hiding everything we'll never truly know  until it becomes an issue! You could ask them to provide in writing exactly what they check for and why they NEED you to log in every X amount of days or face invalid licenses/branding re-appear.... but you would probably get a non-answer! 

I think, saying "to the best of my knowledge" is an honest enough answer - It remains to be seen if that is an appropriate answer the next time a database gets leaked, or the licensing server compromised!  

Share this post


Link to post
Share on other sites
Posted (edited)
21 hours ago, akust0m said:

The thing I'd like to know is whether the clients credit card information ever touches WHMCS or the server WHMCS resides on, or does the data get posted directly to Stripe?

It depends on which WHMCS version you are using.  If WHMCS 8+,  then it should be using Stripe elements and expecting a token and card data never touches WHMCS as that happens within Stripe's form and that just returns a token.  WHMCS before 8 uses Stripe API to get the token AND it stores the card data because that goes through WHMCS. 

Stripe's flow should be, on any system and not just WHMCS,

  1. Load page with Stripe.js and init elements form
  2. Client enters card data, hits submit
    1. Javascript listening for the submit
      1. stripe.createToken is fired submitting the form's elements to stripe using stripe's javascript libs and functions
    2. Token is received
      1. Payment form gets submitted to backend and that form holds client id, token, and any other info but not the card info and no way to get that
        1. Backend checks the token is valid, invoice is valid, etc
        2. Backend then creates a Stripe customer object or updates an existing one if a customer token is known
        3. Backend then charges the invoice against the customer object's primary source or source selected
  3. Show success or failure message

 

Edited by steven99

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated