
stripe tokenised


Mudgee Host

Question

Hi,

I'm evaluating wisecp for my business. 

I am particularly interested in supporting automatic subscription renewals.

 

I'm having trouble setting up stripe (tokenised) 

a) API error - "Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.com/questions/enabling-access-to-raw-card-data-apis."

This error indicates increased responsibility for PCI compliance since raw CC details are being passed around; the Stripe basic module doesn't do this.

could I get some clarity in the PCI-DSS status of this module? will I need to do a SAQ-D?

"If you are working with a third-party platform which is requesting that you enable this feature on your Stripe account, please contact that platform to obtain the necessary documentation."

do wisecp supply that?

 

 

b) web hook setup - documentation has no events need to be configured in the web hook, but stripe will not let me save the web hook without at least one event (makes sense)

https://docs.wisecp.com/en/kb/stripe

"If you are going to use "Stripe Tokenized" you do not need to make any selection."

what is the correct setting here?

 

thanks!

2 answers to this question
On 2/15/2024 at 9:21 AM, Mudgee Host said:

a) API error - "Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.com/questions/enabling-access-to-raw-card-data-apis."

This error indicates increased responsibility for PCI compliance since raw CC details are being passed around; the Stripe basic module doesn't do this.

could I get some clarity in the PCI-DSS status of this module? will I need to do a SAQ-D?

"If you are working with a third-party platform which is requesting that you enable this feature on your Stripe account, please contact that platform to obtain the necessary documentation."

do wisecp supply that?

The "PCI-DSS" compliance certificate can only be issued by an authorized organization. "PCI-DSS" compliance certification is not only based on the software used. In order for a site to be compliant with "PCI-DSS", many factors such as server, network, transaction volume must be inspected and approved by an organization that issues a "PCI-DSS" certificate. Therefore, in order to obtain this document, you must be audited by an authorized organization that issues the "PCI-DSS" certificate.

Additionally, WISECP has all the necessary measures to securely process and send card information to the payment gateway provider. So you can be sure that you already have the necessary security measures on the software side.

On 2/15/2024 at 9:21 AM, Mudgee Host said:

b) web hook setup - documentation has no events need to be configured in the web hook, but stripe will not let me save the web hook without at least one event (makes sense)

https://docs.wisecp.com/en/kb/stripe

"If you are going to use "Stripe Tokenized" you do not need to make any selection."

what is the correct setting here?

I think you don't fully understand the situation. You do not need to define any HOOK on WISECP for "Stripe tokenized". As explained in the document, it is enough to make the following adjustments in your Stripe panel.

  1. Click the "Webhooks" tab and then click the "Add an endpoint" button at the bottom of the page.

  2. In the window that opens, provide the following definitions.

    "Endpoint URL" > In this field, define the "Callback URL" information found in the "WISECP Stripe module".

    "Description" > Type "FOR WISECP" in this field.

    "Version" > Select "Last Version" in this field.

    "Select events to listen to" > In this field, if you are going to use "Stripe Basic" type, select the "payment_intent.succeeded" event.

    If you are going to use "Stripe Checkout" type, select "checkout.session.completed". 

    If you are going to use "Stripe Tokenized" you do not need to make any selection.

    Important Warning: If the "Select events to listen to" field is not defined correctly as described above, payment information will not be sent to the WISECP system and services and invoices cannot be created on WISECP even if payment has been received on Stripe.

On 2/16/2024 at 8:52 PM, Onur said:

Additionally, WISECP has all the necessary measures to securely process and send card information to the payment gateway provider. So you can be sure that you already have the necessary security measures on the software side.

ok, that's reassuring but I need some more clarity

The error message being thrown in your module, is:

"Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.com/questions/enabling-access-to-raw-card-data-apis."

in the link, stripe states:

 

Quote

 

To enable this functionality, please use this link to contact our support team and:

  • Provide a brief written description of the systems and services in your application which handle card data. If you fully outsource this activity to a PCI DSS-compliant third party, please provide the name of that service provider.
  • Attach one of the following documents:
    • A current, complete PCI DSS Self-Assessment Questionnaire (SAQ) D, or
    • If you meet the qualifications of a Level 1 merchant or service provider, a current PCI DSS Attestation of Compliance for on-site assessment, or
    • If you fully outsource the handling of card data to a PCI DSS-compliant third-party service provider, only accept online or mail order/telephone order (MOTO) payments, and otherwise qualify, a Self-Assessment Questionnaire (SAQ) A. This document must list your entity's information and list the third-party service provider in Part 2f.

 

so to get this working I need to send stripe a SAQ-A because you are fully PCI-DSS compliant or SAQ-D because you are not?

the module just errors right now, I can't use it until Stripe allows raw cc details in the api

 

(FWIW Stripe basic works fine)

 

On 2/16/2024 at 8:52 PM, Onur said:

You do not need to define any HOOK on WISECP for "Stripe tokenized".

thanks, that's very unclear. it reads like "create web hook and if you are using stripe tokenised do not select any events"

 

 

 

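The distinction this thread turns on, whether a server-side request to the payment API carries raw card fields or only a token reference, can be checked mechanically. The following is an added example, not code from WISECP, Stripe or any poster in this thread; the sample request bodies are constructed, and the `card[number]`/`card[cvc]` parameter names and the `tok_`/`pm_` prefixes follow Stripe's public API conventions.

```python
import re
from urllib.parse import parse_qsl

# Form parameters that carry raw cardholder data, e.g. card[number], card[cvc].
RAW_CARD_KEY = re.compile(r"(^|\[)(number|cvc)\]?$")
PAN_CANDIDATE = re.compile(r"^\d{13,19}$")

# Constructed sample bodies (Stripe's documented test card and test token).
RAW_SAMPLE = ("card[number]=4242424242424242&card[exp_month]=12"
              "&card[exp_year]=2030&card[cvc]=123")
TOKEN_SAMPLE = "amount=2000&currency=aud&source=tok_visa"
HIDDEN_SAMPLE = "amount=2000&metadata[note]=4242+4242+4242+4242"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long integers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_request_body(body: str) -> dict:
    """Classify one form-encoded request body bound for the payment API."""
    findings, references = [], []
    for key, value in parse_qsl(body, keep_blank_values=True):
        compact = re.sub(r"[ -]", "", value)
        if PAN_CANDIDATE.match(compact) and luhn_ok(compact):
            # Report only the last four digits; never log the full number.
            findings.append((key, "PAN ending " + compact[-4:]))
        elif RAW_CARD_KEY.search(key):
            findings.append((key, "raw card field"))
        elif value.startswith(("tok_", "pm_")):
            references.append((key, value))
    return {"raw_card_data": bool(findings),
            "findings": findings,
            "references": references}


if __name__ == "__main__":
    for name, body in [("raw", RAW_SAMPLE), ("token", TOKEN_SAMPLE),
                       ("hidden", HIDDEN_SAMPLE)]:
        print(name, audit_request_body(body))
```

Run over outbound request bodies captured in a test environment, this shows whether the server itself ever handles card numbers or only token references.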
