Stripe - Sending credit card numbers directly to the Stripe API is generally unsafe

[mikeos]

We recently had a customer try and make a payment and got this error. We were instantly sent an email from Stripe saying what I attached below.

Furthermore, we have processed nearly $100k and this is the first time something like this has happened. No changes have been made. Running the latest 8.10.1 for over a month now. We are using the official Stripe module.

Source

Stripe/v1 PhpBindings/13.7.0 WHMCS/8 (https://www.whmcs.com)

 

Here is the POST with redacted data. The ****** were added by stripe.
 

{
  "billing_details": {
    "address": {
      "line2": "Unit 48",
      "line1": "2746 Wukjs St.",
      "state": "CA",
      "city": "SF",
      "postal_code": "90210",
      "country": "US"
    },
    "email": "riusy@redacted.com",
    "name": "Coin Lover"
  },
  "type": "card",
  "card": {
    "number": "************0420",
    "exp_month": "05",
    "cvc": "***",
    "exp_year": "28"
  }
}

 

-----------------------------

Hi !    
 
We noticed that you passed a customer's full credit card number to Stripe's API. To keep your customer's information safe, we don't process charges that include full card numbers.   
 
To continue processing payments with Stripe, use one of our official client integrations to collect payment information securely. These integrations ensure that sensitive card data never needs to touch your server.    

We strongly discourage passing full card numbers to our API because it:    
 
Can expose your customers' sensitive data to bad actors    

Requires you to meet complex PCI compliance requirements    

Makes it harder for Radar, Stripe's fraud protection tool, to protect your business    

In very rare cases, you might need to pass full card numbers. If this applies to you, you can allow it in your integration settings.    

This is only a first-time notification; we won't email you about this again in the future. If you have questions, you can contact us via our support site.    

Request Id

[WHMCS John]

Hi @mikeos,

This occurrs if full card details are stored in a WHMCS instance.

The Stripe module automatically attempts to migrate and tokenise the locally stored data over to Stripe for future use.

For more information, please see:

* https://docs.whmcs.com/troubleshooting/troubleshoot-payments/stripe-pci-compliance-issues/

* https://docs.whmcs.com/payments/payment-gateway-modules/stripe/#migrating-to-stripe

 

[mikeos]

2 hours ago, WHMCS John said:

Hi @mikeos,

This occurrs if full card details are stored in a WHMCS instance.

The Stripe module automatically attempts to migrate and tokenise the locally stored data over to Stripe for future use.

For more information, please see:

* https://docs.whmcs.com/troubleshooting/troubleshoot-payments/stripe-pci-compliance-issues/

* https://docs.whmcs.com/payments/payment-gateway-modules/stripe/#migrating-to-stripe

 

I did read the error, but why would it randomly happen when there have been 0 changes to the site after already processing so much? I didn't just migrate to stripe, and stripe is the only payment method we have on our site.

Not to mention 10 mins after writing this, that exact customer tried again, and the payment went through without any issues...

[WHMCS John]

Hi @mikeos,

Is Stripe the only payment gateways this client has ever used to pay all their invoices? How old is this client?

[mikeos]

Stripe is the only payment method and has been all we accept for the past 2 years. This was a brand-new customer.

[WHMCS John]

Hi @mikeos

The inclusion of Stripe.js on the checkout and invoice  payment pages replaces the stock local credit card fields with the Stripe Elements, whereby clients input the board details directly onto fields hosted by Stripe. This means that full card details never touch your WHMCS instance or server.

Theoretically if a javscript error occurred on the checkout or payment page which prevented the Stripe Elements from loading, clients might see the stock cc local storage fields instead.

I'd suggest checking your browser console on the checkout and invoice payment pages for any errors, particular javascript errors. Your webserver access logs will provide details of the exact purchase flow the visitor followed.

[mikeos]

Just to clarify, there are no Javascript errors on the checkout. You wouldn't randomly have a Javascript error after that many payments.

The problem is your default Stripe module is busted and needs an audit.