0

We have a simple form that allows our customers to make payments for our services. We are using the "StripeCheckout" JS library and everything works as expected.

Some of our customers provide us with the credit card information and want us to make the payments on their behalf. This is obviously a security issue but our customers trust us :) This is a problem on Stripe as it doesn't allow multiple payments to happen from the same IP (which is understood).

I would like to know if Stripe provides a different API to be able to do this (that is, process multiple client payments from our operations center) with the same IP?

maximus 69

2 Answers

0

If you have card numbers already (or customers are willing to give them to you) then you can create a Card object in Stripe via their API using https://stripe.com/docs/api#create_card and then once you have a payment source (which can be the card you created) you can use https://stripe.com/docs/api#create_charge to create a Charge object.

I don't think IP addresses really come into it apart from any rate limiting Stripe may perform - but that's possibly limited on your API keys rather than just source IP only.

As you touch upon, there are many possible risks in having card details - even if your customers do trust you - I'd encourage you to consider creating the card object from the client side via their API and passing just card ids and tokens to the backend if possible. That way you reduce your risk exposure to the original card number(s) being stored or even being inside your systems. There are probably very few companies able to do this better than Stripe - so may as well leverage their security by relying on them to store and handle card details.

David
  • Thank you David. Currently I am doing it the way you proposed, which is creating the card then passing the token to the server side script for processing. The card details are inputted in the Stripe screen so we don't maintain any sensitive information. – maximus 69 Jun 04 '18 at 18:37
0

The best solution to this is using the Stripe idempotent request. We had a similar issue while dealing with payment. User payment got processed multiple times.

An idempotent key ensures that only one successful payment can be processed for each idempotent key; multiple failed attempts can be made. See here and in the official doc.

Let's consider an example. You want to process payment for an order with a unique order_id, so obviously you want one successful payment for the order. You can pass the idempotent key while creating a charge. You don't need to save the card details of the user; just a one-time token created using stripe.js will work.

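require "stripe"
# Test-mode secret key (sk_test_ prefix); keep real keys out of source code
Stripe.api_key = "sk_test_BQokikJOvBiI2HlWgH4olfQ2"

# First hash: the charge parameters. Second hash: per-request options.
Stripe::Charge.create({
  :amount => 2000,
  :currency => "usd",
  :source => "tok_visa", # obtained with Stripe.js
  :description => "Charge for joseph.davis@example.com"
}, {
  # Sent as the Idempotency-Key header; repeating this request with the
  # same key does not create a second charge
  :idempotency_key => "FVnElesDto9UXlOr"
})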

idempotency_key should be unique per charge object.

Rahul Sharma
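A minimal in-memory model of the idempotency-key behaviour described in the answer above, added here as an example; it is not part of the original answer and is not Stripe's code. `FakeGateway`, `idempotency_key_for` and `pay_order` are hypothetical names, the order ids are constructed, and rejecting a reused key whose parameters differ is an assumption of this model.

```ruby
require "digest"

# Simplified in-memory stand-in for a payment API that honours idempotency keys.
class FakeGateway
  class KeyReuseError < StandardError; end

  attr_reader :charges

  def initialize
    @charges = [] # charges actually created
    @seen = {}    # idempotency key => [request fingerprint, stored response]
  end

  def create_charge(params, idempotency_key:)
    fingerprint = Digest::SHA256.hexdigest(params.sort.to_s)
    if (prior = @seen[idempotency_key])
      # Same key with a different body: refuse instead of guessing.
      raise KeyReuseError, "key reused with different parameters" unless prior[0] == fingerprint
      return prior[1] # replay: hand back the stored response, charge nothing
    end
    response = { id: "ch_constructed_#{@charges.size + 1}", amount: params[:amount] }
    @charges << response
    @seen[idempotency_key] = [fingerprint, response]
    response
  end
end

# Derive the key from the order so every retry for that order sends the same key.
def idempotency_key_for(order_id)
  "order-#{order_id}-charge"
end

# token is a one-time token from the client side; no card number reaches this code.
def pay_order(gateway, order_id, amount, token)
  gateway.create_charge(
    { amount: amount, currency: "usd", source: token },
    idempotency_key: idempotency_key_for(order_id)
  )
end

if __FILE__ == $PROGRAM_NAME
  gw = FakeGateway.new
  first  = pay_order(gw, 1001, 2000, "tok_visa") # constructed sample order
  replay = pay_order(gw, 1001, 2000, "tok_visa") # network retry of the same order
  puts "same charge returned: #{first[:id] == replay[:id]}, charges created: #{gw.charges.size}"
end
```

Deriving the key from the order id, rather than generating a random key per request, is what makes a retry after a timeout safe: the retry carries the same key as the first attempt.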