Jump to content

Stripe - Sending credit card numbers directly to the Stripe API is generally unsafe


Recommended Posts

We recently had a customer try and make a payment and got this error. We were instantly sent an email from Stripe saying what I attached below.

Furthermore, we have processed nearly $100k and this is the first time something like this has happened. No changes have been made. Running the latest 8.10.1 for over a month now. We are using the official Stripe module.

Source
Stripe/v1 PhpBindings/13.7.0 WHMCS/8 (https://www.whmcs.com)
 
Here is the POST with redacted data. The ****** were added by stripe.
 
{
  "billing_details": {
    "address": {
      "line2": "Unit 48",
      "line1": "2746 Wukjs St.",
      "state": "CA",
      "city": "SF",
      "postal_code": "90210",
      "country": "US"
    },
    "email": "riusy@redacted.com",
    "name": "Coin Lover"
  },
  "type": "card",
  "card": {
    "number": "************0420",
    "exp_month": "05",
    "cvc": "***",
    "exp_year": "28"
  }
}

 

-----------------------------

Hi !    
 
We noticed that you passed a customer's full credit card number to Stripe's API. To keep your customer's information safe, we don't process charges that include full card numbers.   
 
To continue processing payments with Stripe, use one of our official client integrations to collect payment information securely. These integrations ensure that sensitive card data never needs to touch your server.    

We strongly discourage passing full card numbers to our API because it:    
 
Can expose your customers' sensitive data to bad actors    

Requires you to meet complex PCI compliance requirements    

Makes it harder for Radar, Stripe's fraud protection tool, to protect your business    

In very rare cases, you might need to pass full card numbers. If this applies to you, you can allow it in your integration settings.    

This is only a first-time notification; we won't email you about this again in the future. If you have questions, you can contact us via our support site.    

Request Id

Link to comment
Share on other sites

  • WHMCS Support Manager

Hi @mikeos,

This occurrs if full card details are stored in a WHMCS instance.

The Stripe module automatically attempts to migrate and tokenise the locally stored data over to Stripe for future use.

For more information, please see:

* https://docs.whmcs.com/troubleshooting/troubleshoot-payments/stripe-pci-compliance-issues/

* https://docs.whmcs.com/payments/payment-gateway-modules/stripe/#migrating-to-stripe

 

Link to comment
Share on other sites

2 hours ago, WHMCS John said:

Hi @mikeos,

This occurrs if full card details are stored in a WHMCS instance.

The Stripe module automatically attempts to migrate and tokenise the locally stored data over to Stripe for future use.

For more information, please see:

* https://docs.whmcs.com/troubleshooting/troubleshoot-payments/stripe-pci-compliance-issues/

* https://docs.whmcs.com/payments/payment-gateway-modules/stripe/#migrating-to-stripe

 

I did read the error, but why would it randomly happen when there have been 0 changes to the site after already processing so much? I didn't just migrate to stripe, and stripe is the only payment method we have on our site.

Not to mention 10 mins after writing this, that exact customer tried again, and the payment went through without any issues...

Link to comment
Share on other sites

  • WHMCS Support Manager

Hi @mikeos

The inclusion of Stripe.js on the checkout and invoice  payment pages replaces the stock local credit card fields with the Stripe Elements, whereby clients input the board details directly onto fields hosted by Stripe. This means that full card details never touch your WHMCS instance or server.

Theoretically if a javscript error occurred on the checkout or payment page which prevented the Stripe Elements from loading, clients might see the stock cc local storage fields instead.

I'd suggest checking your browser console on the checkout and invoice payment pages for any errors, particular javascript errors. Your webserver access logs will provide details of the exact purchase flow the visitor followed.

Link to comment
Share on other sites

  • 3 weeks later...

Just to clarify, there are no Javascript errors on the checkout. You wouldn't randomly have a Javascript error after that many payments.

The problem is your default Stripe module is busted and needs an audit. 

 

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated