#onur3910
What is the 'Stripe iframe'?
Hi, I have built a bridge that uses a Stripe payment form onto any website
Ok and what specifically is the issue?
we have saved the customer's card in Stripe itself... so partly this logic has been applied already.. but for the first time we're sending the info through this form, which needs to change.
They also would have done the same thing.. stored the customer's card details into stripe..
but sending the card info and showing it on the system is something we need to look into..
Solution is to open the stripe window.. as we do in Loveland also.. and not send card information through form directly.
Stripe keeps wanting to open a pop-up to take the customer's card information
in test mode the system did not require a pop-up to enter card information; also the V1 of our app didn't require it
now we have set the app to live, Stripe wants to open a pop-up to enter the customer's card information
You'll need to describe which Stripe APIs/UIs you're using, and perhaps share some code and/or an example of the issue as I'm not understanding right now
we are sending the card information using the add card information API. We got an error email from Stripe support
Hi One Page Pay!
We noticed that you passed a customer’s full credit card number to Stripe’s API. To keep your customer’s information safe, we don’t process charges that include full card numbers.
To continue processing payments with Stripe, use one of our official client integrations to collect payment information securely. These integrations ensure that sensitive card data never needs to touch your server.
We strongly discourage passing full card numbers to our API because it:
Requires you to meet complex PCI compliance requirements
Makes it harder for Radar, Stripe’s fraud protection tool, to protect your business
In very rare cases, you might need to pass full card numbers. If this applies to you, you can allow it in your integration settings.
This is only a first-time notification; we won’t email you about this again in the future. If you have questions, you can contact us via our support site.
Thanks,
The Stripe team
Yep, you shouldn't be sending raw card details to the API without PCI compliance. Instead you should be using our payment UIs, like Payment Element, to collect payment information from customers
our system combines Stripe payments and sends payment details to a CRM
Do you have the necessary PCI compliance to be handling raw card data? https://stripe.com/docs/security/guide
If not, then you need to re-review your Stripe integration and collect payment info in a PCI-compliant manner using our payment UIs
we followed this process: https://stripe.com/docs/api/payment_methods/create
Yep, that's not a PCI compliant flow so your business would need to have the SAQ compliance certificate hence the email we've sent
how do we get that?
as a stripe partner we are trying to build an approved partner integration
See link above
But generally you'd just use the Payment Element
Not sure what you mean by a pop-up. It's an iframe that embeds directly on your page
Ok, not sure what I'm meant to infer from that. You have custom UI to collect payment details from users – you can't do that. So in your app when they select Stripe you should instead use our payment UIs
You say it's a 'pop-up' but I don't know what you mean by that and your video didn't show a pop-up
we are just making another video of the payment process
one sec
this is the desired payment process:
Ok, but you're handling raw card data in those form fields – you can't unless you have necessary PCI compliance (which I guess you don't)
So, instead of your custom form in that video, you need to use our payment UIs (like Payment Element) to collect payment information and process the payment
Yes if you want to handle raw card data from your customers like that. But I wouldn't really recommend it
but how does Worldpay do it?
we are trying to create an app that makes it easy for anyone to put a payment form onto a webpage
(as are we to be clear, but you need to use our payment UIs)
yes
So yeah, not really sure what else to say at this point. My recommendation is to adjust your integration to render the Payment Element to collect payment data as opposed to your custom form and calling the API directly
Start here: https://stripe.com/docs/payments/accept-a-payment?platform=web&ui=elements