I'm developing an application using React Native and the Stripe API in order to handle all the sensitive information about the users and their credit cards.

  1. I'm trying to manage a digital wallet inside the application: a user can add/delete or see a list of their own cards (directly inside the mobile app). I am very confused about this point. For now I'm using my server side as an intermediary between my application and Stripe.
    For example, to add a credit card I give the user the possibility to insert card information using a form, then I create the token, and finally I send that token to my server-side endpoint (POST /users/cards, body: {tokenId}), which, using stripe.createSource({ customerId, tokenId }), saves the card into a customer object (in my DB I store only the customer ID).
    To delete a card I use this endpoint of my server: DELETE users/user_id/cards/card_id, and this endpoint uses stripe.deleteCard({ customerId, cardId }) to delete the specified card from the customer.
    To get the list of cards: GET users/cards/, and the endpoint uses stripe.listCards(customerId).
    My questions are: Can I do this? Is there a better solution? Is this PCI compliant? Can I use my server as an intermediary between my clients and Stripe?

  2. The second point is simple: in the checkout phase (on the client side), how can I let the user choose which credit card to use for the payment and create a token with that? Can I send the cardId to my server in a POST request? Is it secure?

TheGorgeousSeal
  • "Can I use my server as an intermediate between my clients and Stripe": yes, this is exactly what you want to do; the client application should only tokenize, never make the calls to Stripe directly. I'm not clear on #2. If it's a new card, generate a token with stripe.js, Checkout, or Stripe's mobile SDKs. If it's an existing card stored on a customer, it's fine to send the card IDs (card_xxxyyyzzz) to Stripe, or display the last4 and type of card (Visa, Mastercard, debit, credit) to the user on the screen to help them determine which card they want to use. – duck Mar 05 '18 at 20:01
  • Great, I'm using tipsi-stripe as the client-side library in order to tokenize and collect card information. Then I use my server as an intermediary to add, delete and get all the user's cards, displaying the last 4 digits and brands. So the card IDs are not sensitive data and they can transit easily with no security problem over an HTTPS connection? "if it's an existing card stored on a customer it's fine to send the card IDs (card_xxxyyyzzz) to Stripe": yes, the card is saved in the customer object. The problem here is that I have to send the card ID from the client to my server and then use it to make a charge. – TheGorgeousSeal Mar 05 '18 at 21:07
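The server-side pattern described in the question and in duck's comment, as an added example in Node-style JavaScript (this is not code from the original post, from tipsi-stripe, or from Stripe): the mobile client sends only a Stripe token id (new card) or a card id (saved card); the server derives the Stripe customer id from its own user record, never from the request; before deleting or charging a card it checks that the card id is actually attached to that customer; and the list endpoint returns only brand, last4 and expiry to the app. The `stripe` argument is assumed to expose stripe-node's `customers.createSource`, `customers.retrieveSource`, `customers.listSources`, `customers.deleteSource` and `charges.create`; `makeFakeStripe` and `makeFakeDb` are constructed in-memory stand-ins so the example runs offline, and `createWalletService` and `demo` are hypothetical names chosen for this example.

```javascript
// Added example (not from the original post). The `stripe` object is assumed to
// behave like stripe-node; `db` is a hypothetical application database whose
// only card-related data is the user -> Stripe customer id mapping.
function createWalletService(stripe, db) {
  // The customer id comes from the authenticated user's record, never from the client.
  async function requireCustomer(userId) {
    const customerId = await db.customerIdFor(userId);
    if (!customerId) throw new Error('no Stripe customer for user');
    return customerId;
  }

  // Expose only what the app needs to let the user pick a card.
  function publicCard(card) {
    return { id: card.id, brand: card.brand, last4: card.last4,
             exp_month: card.exp_month, exp_year: card.exp_year };
  }

  // True only if `cardId` is a card attached to `customerId`; any lookup
  // failure (not found, network error) is treated as "not owned".
  async function ownsCard(customerId, cardId) {
    try {
      const src = await stripe.customers.retrieveSource(customerId, cardId);
      return Boolean(src) && src.object === 'card';
    } catch (e) {
      return false;
    }
  }

  return {
    // POST /users/cards  body: { tokenId }
    async addCard(userId, tokenId) {
      if (typeof tokenId !== 'string' || !tokenId.startsWith('tok_')) {
        throw new Error('expected a Stripe token id');
      }
      const customerId = await requireCustomer(userId);
      const card = await stripe.customers.createSource(customerId, { source: tokenId });
      return publicCard(card);
    },
    // GET /users/cards
    async listCards(userId) {
      const customerId = await requireCustomer(userId);
      const res = await stripe.customers.listSources(customerId, { object: 'card' });
      return res.data.map(publicCard);
    },
    // DELETE /users/:userId/cards/:cardId  (userId must equal the session user)
    async deleteCard(userId, cardId) {
      const customerId = await requireCustomer(userId);
      if (!(await ownsCard(customerId, cardId))) throw new Error('card does not belong to this user');
      await stripe.customers.deleteSource(customerId, cardId);
      return true;
    },
    // POST /checkout  body: { cardId, amount, currency }
    async charge(userId, cardId, amount, currency) {
      const customerId = await requireCustomer(userId);
      if (!Number.isInteger(amount) || amount <= 0) throw new Error('amount must be a positive integer in minor units');
      if (!(await ownsCard(customerId, cardId))) throw new Error('card does not belong to this user');
      // Passing both customer and source makes Stripe itself refuse a foreign card too.
      return stripe.charges.create({ amount, currency, customer: customerId, source: cardId });
    },
  };
}

// Constructed stand-in for the subset of the Stripe API used above (NOT the Stripe SDK).
function makeFakeStripe() {
  const customers = {};
  let n = 0;
  const tokens = {
    tok_visa: { brand: 'Visa', last4: '4242', exp_month: 12, exp_year: 2030 },
    tok_mastercard: { brand: 'MasterCard', last4: '4444', exp_month: 1, exp_year: 2031 },
  };
  const cust = (id) => (customers[id] = customers[id] || new Map());
  return {
    customers: {
      async createSource(customerId, { source }) {
        const t = tokens[source];
        if (!t) throw new Error('No such token: ' + source);
        const card = Object.assign({ id: 'card_' + (++n), object: 'card', customer: customerId }, t);
        cust(customerId).set(card.id, card);
        return card;
      },
      async retrieveSource(customerId, sourceId) {
        const card = cust(customerId).get(sourceId);
        if (!card) throw new Error('No such source: ' + sourceId);
        return card;
      },
      async listSources(customerId, { object }) {
        return { object: 'list', data: [...cust(customerId).values()].filter((c) => c.object === object) };
      },
      async deleteSource(customerId, sourceId) {
        if (!cust(customerId).delete(sourceId)) throw new Error('No such source: ' + sourceId);
        return { id: sourceId, deleted: true };
      },
    },
    charges: {
      async create({ amount, currency, customer, source }) {
        const card = cust(customer).get(source); // Stripe rejects a source not on this customer
        if (!card) throw new Error('source does not belong to customer');
        return { id: 'ch_' + (++n), object: 'charge', amount, currency, customer, source: card.id, status: 'succeeded' };
      },
    },
  };
}

// Constructed DB: the server stores only user -> Stripe customer id, as in the question.
function makeFakeDb() {
  const users = { 'user-1': 'cus_A', 'user-2': 'cus_B' };
  return { async customerIdFor(userId) { return users[userId] || null; } };
}

// Runs the wallet flow once and returns the outcomes, including a cross-user charge attempt.
async function demo() {
  const wallet = createWalletService(makeFakeStripe(), makeFakeDb());
  const card = await wallet.addCard('user-1', 'tok_visa');
  const list = await wallet.listCards('user-1');
  const charge = await wallet.charge('user-1', card.id, 1999, 'eur');
  let crossUser = null;
  try { await wallet.charge('user-2', card.id, 1999, 'eur'); } catch (e) { crossUser = e.message; }
  const deleted = await wallet.deleteCard('user-1', card.id);
  return { card, list, charge, crossUser, deleted, after: await wallet.listCards('user-1') };
}
```

The `userId` passed into every handler must come from the authenticated session (and, for the `/users/:userId/cards/:cardId` route, be compared against the path parameter), so a client that learns another user's `card_...` id still cannot list, delete or charge it: the ownership check runs against the caller's own customer, and Stripe rejects the charge anyway because `customer` and `source` do not match. The card id itself is not cardholder data, which is why it can travel over HTTPS between app and server; the card number never leaves the tokenization step on the device.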

0 Answers