#wrong_man

hi! well if you send raw card numbers to the API from your backend server than you do need to be PCI compliant and submit those docs yes

well i never had to do anything of the sort. have used stripe for years

anyway, the alternative is to submit them via the frontend, which is also not safe

or well, is as safe as the alternative

yes, but recently we are making changes to require this

but you understand, i can easily hijack the card numbers from all the elemets and checkout

do you think it's a false positive and you don't actually send raw PANs?

if i wanted to do something shady

oh its not about the actual sending of the data

the sending of the PANs is still handled by strpe's own SDK

in this case the python one

but your own Python code still has the raw card numbers in your variables right?

sure, so does my JS code using elements and checkout

then that means you are in PCI scope

that's not true, if you use Elements/Checkout your code has zero access to the card numbers(and so are not in PCI scope).

if you are saying you do use Elements/Checkut and think it's a false positive that we're asking you to submit your PCI docs, I'd be happy to chdeck your account quickly.

thats not true
I can access all the elements of the form created here:

const elements = stripe.elements({ appearance:appearance });
const cardElement = elements.create('card', options);
cardElement.mount('#card-element');

show me how you get the raw card number 4242424242424242 the customer enters into the Element using that code. Because you can't.

my old code used the stripe python SDK to send the pans via the backend. i am now trying to change to elements/checkout.

sounds perfect! anything I can help you with there in terms of the implementation?

yes of course you can access stuff from devtools

but your own code can't do that.

if i can access it here, i can acces it my websites js code

no you can;t

🤦‍♂️

that <input> is in an iframe on a different domain from your JS code so it won't work

I don't want to argue with you but this is the fundamental principle of our most important product

what iframe?

the one you cropped out just above the <html> tag

anyway. anything I can help you with there in terms of the implementation?

yes

sorry i got sidetracked

can i submit it like this:
var card =stripe.createPaymentMethod('card',cardElement);

?

because since i can submit test cards via the (test) API i cant actually tell if this is the way i'm supposed to do it

cardElement is setup here

the way you're supposed to do this is confirming a PaymentIntent on the frontend(https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=elements). But it is possible to create a PaymentMethod on the frontend (the code you mention) and then pass that object's ID pm_xxx to the payment_method parameter when confirming a PaymentIntent on the backend, it's just not recommended since it makes 3D Secure difficult to handle.

no no

this is before seting up intents

just adding a card to my user

then same idea. Except you'd confirm a _Setup_Intent instead of a PaymentIntent, on the frontend, to save a card to a customer.

https://stripe.com/docs/payments/save-and-reuse?platform=web&ui=elements

but i dont want to send the client_secret to the frontend

scratch that

i dont want to have to recreate code for seting up intents, code i already have setup on the backend

i would like to re-use my already existing code as much as possible, which means basically just adding cards on the frontend, then setting up the intents on the backend

and continue the flow on the frontend

this should be a perfectly valid use-case

so i would pass the pm_XXto my backend, and attach it to the user (on stripe)

then as I said, But it is possible to create a PaymentMethod on the frontend (the code you mention) and then pass that object's ID pm_xxx to the payment_method parameter when confirming a [SetupIntent] on the backend

perfect

i.e. SetupIntent with customer=cus_xxx confirm=true payment_method=pm_xxx

I don't recommend that but you can do it if you must as part of migrating a legacy system