The way that the Stripe payment gateway is implemented does not comply with PCI, especially on a shared server instance. One of the main advantages to stripe is that you can use javascript to send the credit card number to stripe and return a token. That token should then be sent to the server to be used to submit the payment.
The way this stays PCI compliant on shared hosting servers is by not setting the “name” field on the cc form, so that the number never hits the server.
I’m disappointed that I’m going to have re-write this gateway before I can use it.
in EE 4.2, which is currently in ALPHA testing and will be released soon asap, we have added the Mijireh gateway, which will help significantly with PCI-compliance issues like this. Mijireh can basically act as a middle-man between your site and Stripe (or a large number of other gateways). So, using Mijireh, you can use Stripe to process payments and keep PCI compliance.
When we do implement the Stripe gateway for EE4, we are planning on sending the credit card details via javascript in order to help with PCI compliance. However, Mijireh makes the argument that even that isn’t fully PCI compliant either. So yes, our current implementation of Stripe for EE3 does require HTTPS and does handle CC data (although it is never stored: it is briefly handled and sent to stripe), which means it would require the same PCI-compliance measures as any other onsite gateway (eg Paypal pro). That’s why its listed as an onsite-gateway and we recommend using HTTPS with it. The fact that you are using a shared-server, to my knowledge, does not mean you cannot pass-on CC data (although it does make issues like keeping your server’s software up-to-date more challenging). If you can point us to where a PCI compliance document that specifies such a restriction for those using shared-servers, we’ll definitely update our documentation.
We are sorry that our EE3 implementation of Stripe did not alleviate your PCI-compliance needs more than other onsite gateways.
Does that address your issue?
This reply was modified 10 years, 8 months ago by Michael Nelson.
Viewing 0 reply threads
The support post ‘Incorrect implementation fo Stripe Gateway (EE3)’ is closed to new replies.
Have a question about this support post? Create a new support post in our support forums and include a link to this existing support post so we can help you.
Support forum for Event Espresso 3 and Event Espresso 4.