#trevor_raw-pans-pci

👋 Welcome to your new thread!

⏲️ We'll be here soon! Typically we respond in a few minutes, but sometimes we might take a bit longer if the server is busy or if you have a particularly tricky question.

⏱️ We close idle threads, which makes them read-only. Once a thread is closed it won't be reopened, but you can always start a new thread if you have another question.

🔗 This thread will always be available, even after it's closed. You can find it again using Discord's search, or you can save this link: https://discord.com/channels/841573134531821608/1354476095797334056

📝 Have more to share? Add more details, code, screenshots, videos, etc. below.

Not sure what you mean exactly

Can you share the request id

https://support.stripe.com/questions/finding-the-id-for-an-api-request

1254195

is that the id.

I wrote a web page using c# to collect payment using tokens.
everytime we attempt to process payment we get an error.
when using SK: we got this error: Sending credit card numbers directly to the Stripe API is generally unsafe. To continue processing use Stripe.js, the Stripe mobile bindings, or Stripe Elements. For more information, see https://dashboard.stripe.com/account/integration/settings. If you are qualified to handle card data directly, see https://support.stripe.com/questions/enabling-access-to-raw-card-data-apis.

when we use the Pk: we got this error: You do not have permissions to make this API call

I'm not sure if the account is in test mode, I can't see where that is set.

See the above link I shared

Please get the request id using that

So I can take a look

I am the developer and I am instructing the account holder.

I am now getting this error: 10002 Security header is not valid

I can't really help unless I get some request id's to look at

Is there simple instructions to pass to them to setup the api key to use tokens, we are using stripe.net

ok i will get the request id for you

based on the errors you're getting it sounds like you're passing raw pan, which can't be done on a stripe account without it being enabled and proving you're pci compliant

but i need to see some request id's to confirm exactly what's going on here

Is using stripe.net tokens in c# considered raw pan?

I've asked the person with access to the dashboard to get me a request id.

Depends how you create the token

If it's from the backend via passing a card number, then yeah

If it's from the front-end via stripe.js+elements, then no

it is from backend collecting card info into c#, then creating token in c#
ie: StripeConfiguration.ApiKey = user;
try
{
var cardoptions = new TokenCreateOptions
{
Card = new TokenCardOptions
{
Number = cardnumber,
ExpMonth = expirymonth,
ExpYear = expiryyear,
Cvc = cvd,
},
};
var cardservice = new TokenService();
var r = cardservice.Create(cardoptions);
var chargeoptions = new ChargeCreateOptions
{
Amount = Convert.ToInt32(myAmount),
Currency = merchantcurrency,
Source = r.Id,
Capture = capture,
};
var chargeservice = new ChargeService();
var stripeCharge = chargeservice.Create(chargeoptions);

if (stripeCharge.Paid == true)
{
APPROVAL CODE TESTING.
string paymentprocessedid = stripeCharge.BalanceTransactionId;
string strSuccess = "Thank you, your order for: $" + totalcost.ToString() + " " + merchantcurrency + " has been processed.";
update_transaction_payment(context, transactionid, paymentprocessedid, success, "", "", merchantcurrency);
}
else
{
    error = "Not Paid.";
    errorcode = "error";
    update_transaction_payment(context, transactionid, "", success, error, errorcode, merchantcurrency);
}

This tecnique is considered "passing raw pan"?

Yes that is

That requires explicit approval on your stripe account to use

It's almost never recommended to do it that way

As the pci compliance burder falls on you

And you have to prove that your system is pci compliant

Does the JS model require using Stripe UI elements?

we want to integrate payment using our own UI and no others.

it does

To use your own form, you have to pass raw pan

And prove pci compliance

It's a process through stripe support

How long does the PCI compliance take assuming we meet the requirements?

No idea

You'd need to ask support

I belive this is the request id

Yep

That's what we discussed

Can I integrate the JS somehow on this screen? or will they have to leave and come back?

this is a sample

What do you mean?

I don't want the users to have to leave the page and come back.

is that possible?

Why would they need to leave the page? Not sure I understand the issue

can you provide me with a link to the JS API and how to integrate that as a payment method.

JS is the only way to process payments without using raw PAN correct?

You have to use our card form

Payment Element

https://docs.stripe.com/payments/accept-a-payment?platform=web&ui=elements

Or really any of our payment surfaces

Checkout, Payment Links, Invoices, mobile payment sheet, etc

is there a c# method that can be used that does not use raw pan?

c#/dotnet

No the issue is how you handle card details

If the sensitive details are not transmitted via one of our surfaces, then it's considered raw pan

And pci compliance burden falls on you

And you have to prove that you're pci compliant and have this enabled on your account

So really you should implement the payment element via the link I shared

Otherwise, it's a tougher, lengthy process to get this enabled

thanks for that explanation.