Problem with StripeCFML

Hi everyone.

I’m trying to use StripeCFML to make some payments.

I put my application into production env and I got this API error:

"Sending credit card numbers directly to the Stripe API is generally unsafe. To continue processing use Stripe.js, the Stripe mobile bindings, or Stripe Elements."

I’ve used StripeCFML using Stripe’s test platform without any issues until yesterday :disappointed_relieved:

I read in Stripe’s documentation that I could enable this feature here:

[image]

but I would have to send Stripe tons of documentation.

Is there some StripeCFML configuration I’m missing?
Any hint?

1 Like

Stripe would rather you implement their JS version, Stripe.js. Using this absolves you of most credit card processing liability. The JS version loads the CC form on your site, which prevents HTTP communication and passing card details. You can still use StripeCFML, but you are really putting your company, insurance and lots of money at risk for forensic investigations in the event of credit card theft. That’s why they are making you verify your decision by turning the service on. It’s a very straightforward, customizable integration. If you insist on passing card information over the wire, you unfortunately have to stay compliant with PCI DSS and be able to prove that when asked.

1 Like

Yes @mackindlays, thank you so much for your explanations.

I understood that I can use StripeCFML to generate a PaymentIntent and then use it with StripeJS.

I’m leaving this post because it might be useful to others.

Cheers.

1 Like

I use stripe.js only for mounting Stripe’s card element into order forms, so my server never sees the customer’s credit card data other than the last 4 digits, which are later provided by Stripe’s API.

But I also use stripe-cfml extensively for creating and otherwise accessing paymentIntent objects, transfers, accounts, charges, balances, payouts, etc. Charges need to be validated via API after the payment form is submitted, so I cannot imagine proper due diligence for an e-commerce platform without stripe-cfml, at least when using Lucee with Stripe.

1 Like
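
The server-side validation mentioned in the last reply, sketched as an added example that is not part of the original thread and is not StripeCFML code. It assumes the server has already retrieved the PaymentIntent from Stripe's API with its secret key; the order shape (`id`, `paymentIntentId`, `amountCents`, `currency`) and the `order_id` metadata key are hypothetical, and the sample data is constructed.

```javascript
// Added example. The order shape and the `order_id` metadata key are hypothetical;
// PaymentIntent field names follow Stripe's API object. The server is assumed to
// have retrieved `intent` from Stripe with its secret key, never from the browser.
function verifyPaymentIntent(intent, order) {
  if (!intent || intent.object !== 'payment_intent') {
    return { ok: false, problems: ['not a PaymentIntent object'] };
  }
  const problems = [];
  // Bind the intent to this order so a payment for a different order cannot satisfy it.
  if (intent.id !== order.paymentIntentId) problems.push('id mismatch');
  if ((intent.metadata || {}).order_id !== order.id) problems.push('order_id mismatch');
  // Only `succeeded` means the payment completed; `requires_action`,
  // `processing`, `requires_payment_method` etc. must not release goods.
  if (intent.status !== 'succeeded') problems.push('status is ' + intent.status);
  // Amounts are integers in the smallest currency unit; currency is lowercase.
  if (intent.currency !== order.currency.toLowerCase()) problems.push('currency mismatch');
  if (intent.amount !== order.amountCents) problems.push('amount mismatch');
  if (intent.amount_received !== order.amountCents) problems.push('amount_received mismatch');
  return { ok: problems.length === 0, problems };
}

// Constructed sample data (not real Stripe identifiers).
const sampleOrder = { id: 'order-1001', paymentIntentId: 'pi_EXAMPLE_1001', amountCents: 4999, currency: 'EUR' };
const sampleIntent = {
  object: 'payment_intent', id: 'pi_EXAMPLE_1001', status: 'succeeded',
  amount: 4999, amount_received: 4999, currency: 'eur',
  metadata: { order_id: 'order-1001' },
};

function demo() {
  return {
    paid: verifyPaymentIntent(sampleIntent, sampleOrder),
    pendingAction: verifyPaymentIntent(
      { ...sampleIntent, status: 'requires_action', amount_received: 0 }, sampleOrder),
    wrongOrder: verifyPaymentIntent(
      sampleIntent, { ...sampleOrder, id: 'order-2002', amountCents: 19999 }),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```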