#rishabnayak-card
@tribal sand hello! what does "create a card directly via the API" mean?
Also did you read our main docs on how to accept a payment? https://stripe.com/docs/payments/accept-a-payment
yup, I did! this is what I mean by creating a card via the API - https://stripe.com/docs/api/cards/create
Our main doc covers how to accept a payment in a lot of detail though. You said you read it but it never mentions https://stripe.com/docs/api/cards/create and you would never use this
so what is blocking you in our main documentation? What part is confusing you that made you go to the API Reference and try to manually create a card yourself?
right, the issue is that we want users to be able to add cards to their account directly, and make a purchase later
this tells us how to do that, but we are building a platform with some unique constraints which has us using the API direct method over Stripe Checkout/Payment Elements
Why though?
using the API direct method like you say leads to a higher threshold for PCI compliance which will put your entire business at risk unless you already are meeting the stringent requirements for PCI compliance: https://stripe.com/docs/security/guide#validating-pci-compliance
Almost no one ever wants to send "raw card details" via the API
I understand that, we are looking into compliance as well. I'd love to get on a quick call if you're around to explain why I think we have to use the API direct method - would be great to get your input on this
We won't be able to do a call I'm sorry. I'm happy to answer any technical questions you have here about your code
you might want to contact our support team otherwise: https://support.stripe.com/contact
But really what you need to do is follow the guide you just shared: https://stripe.com/docs/payments/save-and-reuse?platform=web#web-collect-payment-details
that doesn’t describe the api direct method though.. are there any guides that walk us through the flow there?
But you shouldn't use the api direct method. So don't use it! I really mean it you should use the Payment Element like we document in our guides
we partner with companies who use our api to create/add customers and we’d have to give them our publishable api key for them to use payment element on our behalf - we’re looking to avoid this scenario and that’s why we are looking to use the api direct method
But then all those companies are now in PCI scope though which is unlikely to be what they want to do in the first place
would having them use our publishable key take them out of PCI scope? since they send card data to an external server regardless of if it's stripe or us, they would be in the exact same PCI scope from what I understand of it