
Question

Posted

Hey Blesta!

I've been doing a little digging, please correct me if I'm wrong. As I understand you're only really partially supporting Stripe?

 

For example, I found this comment on a competitor's forum:

"With Blesta, Stripe does not do remote tokenization, the information first goes through your server which creates a security alert on your stripe security (saying that you are not compliant and should fix it). Not sure on the details, but point is, Blesta's Stripe module is not fully supporting stripe, just partially, which means you need PCI-DSS compliance to use it (which defeats the purpose)."

 

 

I'm a person that's still weighing up pros and cons of billing software, so would be great if you're able to provide comment on the following and if true, when you plan on offering full support?

 

Many thanks.

1 answer to this question


  • 0
Posted

What do you consider to be 'full support'? Stripe, like many other gateways, supports taking payment in different ways. Typical behavior is to either allow a customer to pay from your website using their API, or to pay from the gateway's website. We categorize these behaviors into Merchant and Non-merchant gateways, respectively.

 

Blesta implements the Merchant behavior of Stripe, that is, to allow payment to be taken from within Blesta without redirecting the client to pay off-site.

 

When a customer makes a payment, their card data comes to your server before it is sent along to Stripe. You can choose to either store the credit card information in Blesta via a Payment Account, or to store it remotely with Stripe and use a token to process payments with it in the future. In either case, your server sees the credit card number at some point. This requires you to be PCI-compliant. Blesta also stores the last four digits of it as well as the expiration date for internal use, such as to send email reminders when the card is about to expire.

 

The person that wrote the comment you quoted appears to consider "full support" to be a scenario where card data never touches your server (i.e. PCI avoidance). This can be accomplished using Stripe.js whereby credit card data is submitted directly from the customer's web browser directly to Stripe, skipping your server altogether. Blesta does not currently integrate with Stripe.js. I have no ETA on when that may be available, but it is on our radar and you would want to follow this task for updates.
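An added illustration of the distinction drawn in the answer above (not part of the original thread, and not Blesta's or Stripe's code): a server-side check that tells a merchant-flow POST, where the card number reaches your server, from a tokenized POST, where only a gateway token does. The field names `card_number` and `payment_token` and both sample requests are assumptions made for this example.

```javascript
// Added example: classify an incoming payment POST body by whether it carries
// raw card data (merchant flow) or only a gateway token (browser tokenization).
// Field names are assumptions, not Blesta's or Stripe's actual parameters.

// Luhn checksum: true when the digit string is a plausible card number.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Names of fields whose value looks like a primary account number:
// 13-19 digits after removing spaces and dashes, passing the Luhn check.
function fieldsWithCardNumbers(body) {
  const hits = [];
  for (const [name, value] of Object.entries(body)) {
    const digits = String(value).replace(/[\s-]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(name);
  }
  return hits;
}

// Accept only requests that carry a token and no card number anywhere.
function classifyPaymentPost(body) {
  const panFields = fieldsWithCardNumbers(body);
  if (panFields.length > 0) {
    return { accept: false, reason: "raw card number reached server", panFields };
  }
  if (typeof body.payment_token === "string" && /^tok_\w+$/.test(body.payment_token)) {
    return { accept: true, reason: "token only", panFields };
  }
  return { accept: false, reason: "no token supplied", panFields };
}

// Constructed sample requests (4242... is a test number, not a real card).
const merchantFlow = { card_number: "4242 4242 4242 4242", exp: "12/30", amount: "19.99" };
const tokenFlow = { payment_token: "tok_constructedExample123", amount: "19.99" };

console.log(classifyPaymentPost(merchantFlow));
console.log(classifyPaymentPost(tokenFlow));
```

A check like this, applied to every request body and log line, gives evidence about whether card numbers are really staying off the server once a tokenized integration is in place.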
