This repository has been archived by the owner on Jan 3, 2024. It is now read-only.

SCA compliance #466

Closed
n-sviridenko opened this issue Apr 13, 2019 · 19 comments

Comments

@n-sviridenko

It's not related to library bugs, so the initial format isn't relevant for this case.

Is this library compliant with SCA when paying via credit cards?

If yes, what are the methods we can use? Is it enough to createTokenWithCard and createSourceWithParams (type=threeDSecure)?

@cybergrind
Member

@n-sviridenko I haven't read detailed information about SCA yet, but probably it won't be compliant until we have #448 fixed.

Stripe has prepared pre-built and customizable solutions to help you prepare for SCA. You will need to update your integration to support 3D Secure 2 before September 14, 2019.

If you wish to use 3D Secure, we strongly encourage you to adopt Stripe’s new Checkout or the Payment Intents API. Both support Dynamic 3D Secure, which helps you prepare for Strong Customer Authentication regulation in Europe. If your integration uses Dynamic 3D Secure with new Checkout or the Payment Intents API, it will seamlessly transition to 3D Secure 2 once supported—without requiring any changes. Use of Stripe’s legacy 3D Secure Sources API is no longer recommended, and will not support 3D Secure 2.

@n-sviridenko
Author

n-sviridenko commented Apr 13, 2019

@cybergrind as I understand, there is still time till September. What's the current way (using this library) to collect card info which I can charge multiple times afterwards, when the user is offline?

@cybergrind
Member

Create a Token and then create a Customer on the backend server. After that, you will be able to charge the user without asking for payment details.
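The flow described in that reply, as an added example that is not part of the thread and is not tipsi-stripe or Stripe code: the device creates a single-use token (for instance with createTokenWithCard), the backend exchanges it for a reusable Customer, and later charges go against the saved customer id. `makeFakeStripe` and `CustomerStore` are constructed stand-ins; the two fake calls mirror the shape of the Stripe Node SDK's customers.create and charges.create but are synchronous and keep no network or secret key, so the example runs offline.

```javascript
// Added example (not from tipsi-stripe or Stripe): backend side of
// token -> customer -> later charges. Fake client and store are constructed.

// Constructed in-memory store. Note what it holds: our user id and a Stripe
// customer id, never a card number, expiry or CVC. That is the property that
// keeps the backend out of scope for card data.
class CustomerStore {
  constructor() { this.byUser = new Map(); }
  save(userId, customerId) { this.byUser.set(userId, customerId); }
  get(userId) { return this.byUser.get(userId); }
}

// Constructed fake of the two Stripe calls the flow needs. It enforces two
// facts from the thread: tokens are single-use, and a charge while the user
// is offline needs a saved customer rather than a token.
function makeFakeStripe() {
  let counter = 0;
  const consumedTokens = new Set();
  return {
    customers: {
      create({ source }) {
        if (typeof source !== "string" || !source.startsWith("tok_")) {
          throw new Error("customers.create expects a card token");
        }
        if (consumedTokens.has(source)) throw new Error("token already used");
        consumedTokens.add(source);
        return { id: `cus_${++counter}` };
      },
    },
    charges: {
      create({ amount, currency, customer }) {
        if (!Number.isInteger(amount) || amount <= 0) {
          throw new Error("amount must be a positive integer in minor units");
        }
        if (typeof customer !== "string" || !customer.startsWith("cus_")) {
          throw new Error("offline charge requires a saved customer id");
        }
        return { id: `ch_${++counter}`, amount, currency, customer, status: "succeeded" };
      },
    },
  };
}

// Step 1, at checkout: the app sends the token created on the device; the
// server exchanges it for a customer and keeps only the customer id.
function attachCard(stripe, store, userId, token) {
  const customer = stripe.customers.create({ source: token });
  store.save(userId, customer.id);
  return customer.id;
}

// Step 2, any time later with the user offline: charge the saved customer.
// Amount is in the currency's minor unit (1999 = EUR 19.99).
function chargeUser(stripe, store, userId, amount, currency) {
  const customerId = store.get(userId);
  if (!customerId) throw new Error(`no saved payment method for ${userId}`);
  return stripe.charges.create({ amount, currency, customer: customerId });
}

// Walk through the flow once and report what happened.
function demo() {
  const stripe = makeFakeStripe();
  const store = new CustomerStore();
  const token = "tok_constructed_visa"; // constructed; a real token comes from the app
  const customerId = attachCard(stripe, store, "user-42", token);
  const first = chargeUser(stripe, store, "user-42", 1999, "eur");
  const second = chargeUser(stripe, store, "user-42", 500, "eur");
  // Reusing the same token for another user must fail: tokens are single-use.
  let tokenReuseRejected = false;
  try { attachCard(stripe, store, "user-43", token); } catch (e) { tokenReuseRejected = true; }
  return { customerId, first, second, tokenReuseRejected };
}

console.log(demo());
```

The point to take from it is where the data lives: the token never leaves the device except to be exchanged once, the secret key is only ever used server-side, and the only thing the backend persists is an opaque customer id.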

@n-sviridenko
Author

@cybergrind a token is single-use and expirable. I know sources are long-term, but 3D Secure sources are single-use.

@n-sviridenko
Author

We need to create a card source which can be used multiple times when the customer is offline.

@cybergrind
Member

Then you have a choice:

  • Use regular customers, which allow charging them multiple times (you can create them with a token)
  • Expect that user approval will be required to confirm your transactions
  • Wait for SCA-compliant 3D Secure version 2 support (it will allow offline payments)

@n-sviridenko
Author

@cybergrind I see. BTW, is this library compatible with https://github.com/expo/expo? They have their own implementation, but it doesn't support card sources currently (only 3D Secure).

@cybergrind
Member

Their implementation is based on tipsi-stripe. So I believe it is quite straightforward to port everything from this library to expo.

@AleenaVJ1995

AleenaVJ1995 commented Apr 16, 2019

How do I integrate the Payment Intents API in React Native with this plugin?

@cybergrind
Member

@AleenaVJ1995 there is no support for it right now. You can watch #448 to get a notification when it has updates.

@hopewise

@cybergrind What if we use tipsi-stripe as it currently is, with #448 resolved? Is there a security risk?

@cybergrind
Member

@hopewise SCA is just a new set of regulatory requirements for Europe (which introduces some good features). But I cannot say that the previous requirements really have low security.
Basically: don't save/log/expose user private data like the CC number or CVC. You don't need this data, because Stripe handles it on their side and you will use a Stripe token, which is secure as long as you don't expose your app's secret key.
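One concrete way to hold the "don't save/log/expose the CC number or CVC" line in practice, added here as an example that is not code from tipsi-stripe or anyone in the thread: a redaction step that every log call passes through, so that even a careless log of a whole request object does not write card data to disk. Field names (`number`, `cvc`, `cvv`, `pan`) and the sample payload are constructed; the Luhn check is used to cut false positives on long digit runs in free text.

```javascript
// Added example (not from tipsi-stripe): redact card numbers and CVC values
// before anything reaches the logs. Key names and sample data are constructed.

// Standard Luhn checksum: true for a string of digits that passes mod-10.
function luhnValid(digits) {
  let sum = 0;
  let alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Keep only the last four digits, which is what a support log legitimately needs.
function maskPan(digits) {
  return digits.length > 4 ? "*".repeat(digits.length - 4) + digits.slice(-4) : "[REDACTED]";
}

// Free-text pass: any 13-19 digit run (spaces/dashes allowed) that passes Luhn
// is treated as a PAN and masked; non-Luhn runs (order ids, timestamps) stay.
function redactText(text) {
  return text.replace(/\b(?:\d[ -]?){12,18}\d\b/g, (match) => {
    const digits = match.replace(/[ -]/g, "");
    return luhnValid(digits) ? maskPan(digits) : match;
  });
}

// Structured pass: walk objects/arrays, drop CVC outright, mask PAN fields,
// and run every string value through the free-text pass.
function redactObject(value) {
  if (Array.isArray(value)) return value.map(redactObject);
  if (value && typeof value === "object") {
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      const norm = key.toLowerCase().replace(/[_-]/g, "");
      if (norm === "cvc" || norm === "cvv") {
        out[key] = "[REDACTED]"; // sensitive authentication data: never stored
      } else if (norm === "number" || norm === "cardnumber" || norm === "pan") {
        out[key] = typeof v === "string" ? maskPan(v.replace(/\D/g, "")) : "[REDACTED]";
      } else {
        out[key] = redactObject(v);
      }
    }
    return out;
  }
  if (typeof value === "string") return redactText(value);
  return value;
}

// The one logging entry point the app should use; returns the line it wrote.
function safeLog(value) {
  const line = JSON.stringify(redactObject(value));
  console.log(line);
  return line;
}

// Constructed request payload of the kind that ends up in logs by accident.
safeLog({
  card: { number: "4242424242424242", cvc: "123", exp_month: 12 },
  note: "customer pasted card 4242 4242 4242 4242 into chat",
});
```

Expiry month and year are left alone here because they are not on the "never store" list the way the CVC is; extend the key set if your own policy is stricter. The free-text pass will not catch a CVC typed into a note, which is a reason to keep the structured pass in front of it and to reject such fields at input rather than rely on redaction.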

@hopewise

Thanks @cybergrind for your note

@tomrevansecho

What level of PCI compliance does this library give? #292 seems to suggest Android is not compliant.

@cybergrind
Member

@tomrevansecho this is incorrect. Usage of the Stripe SDK native implementation is required for SAQ-A, and SAQ-A is just a questionnaire before the actual evaluation.
To be PCI compatible you need to pass the assessment by a certified assessor from the list at https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors

@tomrevansecho

Thanks for the quick reply, but it's still not 100% clear. To qualify for self-assessment compliance, are you able to use this library, or does it increase the scope because Android uses a custom UI for credit card input? Would love to use it if possible, although we would need to look at adding PaymentIntents to use it.

@cybergrind
Member

If you're using the Android card form, you're not SAQ-A eligible, because tipsi-stripe wasn't validated by qualified security assessors.
If someone does this procedure and sends this code for assessment, it will be eligible.

@xsv24

xsv24 commented Aug 8, 2019

@fbartho
Collaborator

fbartho commented Sep 10, 2019

This issue will be fixed in 8.0.0 which is in beta right now! Please check #532 for more details.
