Tipsi-stripe: SCA compliance

Created on 13 Apr 2019 · 19 Comments · Source: tipsi/tipsi-stripe

It's not related to library bugs, so the initial format isn't relevant for this case.

Is this library compliant with SCA when paying via credit cards?

If yes, what are the methods we can use? Is it enough to createTokenWithCard and createSourceWithParams (type=threeDSecure)?

enhancement wont-fix

All 19 comments

@n-sviridenko I haven't read detailed information about SCA yet but probably it won't be compliant until we have #448 fixed

Stripe has prepared pre-built and customizable solutions to help you prepare for SCA. You will need to update your integration to support 3D Secure 2 before September 14, 2019.

If you wish to use 3D Secure, we strongly encourage you to adopt Stripe's new Checkout or the Payment Intents API. Both support Dynamic 3D Secure, which helps you prepare for Strong Customer Authentication regulation in Europe. If your integration uses Dynamic 3D Secure with new Checkout or the Payment Intents API, it will seamlessly transition to 3D Secure 2 once supported, without requiring any changes. Use of Stripe's legacy 3D Secure Sources API is no longer recommended, and will not support 3D Secure 2.

@cybergrind as I understand, there is still time till September. What's the current way (using this library) I can collect a card info which I can charge multiple times when user is offline afterwards?

Create a Token and then create a Customer on the backend server. After that, you will be able to charge the user without asking for payment details.

@cybergrind token is single-use and expirable. I know sources are long-term. But 3d secure sources are single-use.

We need to create a card source which can be used multiple times when the customer is offline.

Then you have a choice:

  • Use regular customers that allows using them multiple times (you can create them with token)
  • Expect that user approval will be required to confirm your transactions
  • Wait for SCA compliant 3D secure version 2 support (it will allow offline payments)
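The backend half of the token-then-Customer flow described above, with the charge made off-session through the Payment Intents API so that an SCA authentication demand is handled instead of silently failing. This is an added example, not code from tipsi-stripe or from anyone in this thread; it assumes the Stripe Node client's customers.create and paymentIntents.create shapes and runs against a constructed fake client.

```javascript
// Added example, not from tipsi-stripe or anyone in this thread: the backend
// side of the flow above (token -> Customer -> later charge). The Stripe
// client is injected so it runs offline against the constructed fake below;
// the real `stripe` npm client has the same customers.create and
// paymentIntents.create calls.

// Step 1: attach the single-use token from createTokenWithCard to a Customer.
async function saveCard(stripe, tokenId) {
  const customer = await stripe.customers.create({ source: tokenId });
  return customer.id;
}

// Step 2: charge the Customer's default source off-session via Payment
// Intents (the SCA-ready path; amount in the smallest currency unit). If the
// bank demands 3D Secure, Stripe rejects the attempt with a card_error coded
// 'authentication_required'; return it as 'requires_action' with the intent
// id so the app can bring the user back on-session, not as a plain decline.
async function chargeOffSession(stripe, customerId, amount, currency) {
  try {
    const intent = await stripe.paymentIntents.create({
      amount, currency, customer: customerId, off_session: true, confirm: true,
    });
    return { status: intent.status, intentId: intent.id };
  } catch (err) {
    if (err.code === 'authentication_required') {
      return { status: 'requires_action', intentId: err.raw.payment_intent.id };
    }
    throw err; // real declines and API errors propagate
  }
}

// Constructed fake client: cus_ok pays silently, cus_sca simulates a bank
// that insists on authentication.
function fakeStripe() {
  return {
    customers: { create: async () => ({ id: 'cus_ok' }) },
    paymentIntents: {
      create: async (params) => {
        if (params.customer === 'cus_sca') {
          const err = new Error('Authentication required');
          err.code = 'authentication_required';
          err.raw = { payment_intent: { id: 'pi_sca' } };
          throw err;
        }
        return { id: 'pi_ok', status: 'succeeded' };
      },
    },
  };
}
```

A 'requires_action' result is the case the list above calls "user approval will be required": the intent already exists and only needs the user to confirm it in-app.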

@cybergrind I see. Btw. is this library compatible with https://github.com/expo/expo? They have their own implementation, but it doesn't support card source currently (only 3d secure).

Their implementation is based on tipsi-stripe. So I believe it is quite straightforward to port everything from this library to expo.

How to integrate Payment intent API in react native with this plugin?

@AleenaVJ1995 there is no support for it right now. You can watch #448 to get a notification when it will have some updates.

@cybergrind What if we use tipsi-stripe as is currently, without having #448 resolved? Is there a security risk?

@hopewise SCA is just a new regulatory requirement for Europe (which introduces some good features). But I cannot say that the previous requirements really have low security.
Basically, if you don't save/log/expose user private data like the CC number or CVC, you don't need this data, because Stripe handles it on their side and you will use a Stripe token, which is secure as long as you don't expose your app's secret key.

Thanks @cybergrind for your note

What level of PCI compliance does this library give? (https://github.com/tipsi/tipsi-stripe/issues/292 ) seems to suggest Android is not compliant.

@tomrevansecho this is incorrect. Usage of the Stripe SDK native implementation is required for SAQ-A, and SAQ-A is just a questionnaire before the actual evaluation.
To be PCI compatible you need to pass the assessment by a certified assessor from the list at https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

Thanks for the quick reply, but it's still not 100% clear. To qualify for self-assessment compliance, are you able to use this library, or does it increase the scope since Android uses a custom UI for credit card input? Would love to use it if possible, although I would need to look at adding PaymentIntents to use it.

If you're using the Android card form you're not SAQ-A eligible, because tipsi-stripe wasn't validated by qualified security assessors.
If someone does this procedure and sends this code for assessment, it will be eligible.

This issue will be fixed in 8.0.0 which is in beta right now! Please check #532 for more details.
