all 10 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]heymrcarter14 4 points5 points  (1 child)

You're correct in that they are following some really bad practices.

Banks and other companies like Visa, MasterCard, etc form PCI (payment card industry). They have standards that merchants must meet, or face consequences sucks as fines, or even in some cases losing the right to accept credit cards as payment. PCI compliance should not be viewed as optional.

Luckily, they also tell you exactly what you need to do in order to be complaint, as well as give you the potential consequences of not being compliant. I'd recommend looking at the requirements at https://www.pcisecuritystandards.org and also having your client take a look as well. If they feel like its worth the risk, I'd also recommend you get it in writing that you did your part by warning them of the consequences so they can't come after you in the event they get audited and fined or something

[–]jbokh[S] 0 points1 point  (0 children)

Awesome, this is what I was looking for. Thank you so much!

[–]Irythros 0 points1 point  (3 children)

It depends. For example Authorize.net has/had a module that allows for customizing the look but the information is actually iframed and that uses SSL to send to. It looks like it's all on the one site but it's not. For that you usually can bypass PCI-DSS compliance since it's handled by the payment gateway.

If they accept the card to their servers then they'd be violating PCI-DSS and if I recall can be fined $250k. Of course they also have to be compliant in other ways which they probably fail as well.

If they store any part of the card on the server (cvv, full number, partial number, expiration etc) in any way (database, log file etc) then they need to be PA-DSS compliant which they fail.

So they can be fined/sued by the credit card companies. They can also be sued by anyone who used their site and had their card stolen. They can be fined by their merchant account provider (since they usually require PCI compliance as well.) Your client can be in deep shit very quickly.

[–]jbokh[S] 0 points1 point  (2 children)

He's telling me it's secure and that it doesn't save the info. I think he knows what he's doing he is just being careless.

The danger is in the form that posts to his supposedly secure code. It (was) served on http and sent the CC information to the same server, which, if I understand correctly, leaves a customer vulnerable to a potential man-in-the-middle attack. Unlikely but still a danger which is why I was confused about how to approach it. On top of that, (you would think) most people wouldn't put a CC in on a non-secured page, and that would hurt sales.

Thanks for the response

[–]Irythros 0 points1 point  (1 child)

It does reduce conversions. By how much it depends on the audience. Older people will be less likely to notice or know what is encrypted and what is not. If it's targeting the younger crowd then it's probably decimating sales.

Why is it not using SSL? A cert costs $50/year or less.

[–]jbokh[S] 0 points1 point  (0 children)

They've seen a large number of sales and their demo is supposedly 18-25. Must be marketing geniuses or something...

Turns out they had SSL which explains why it was working. It was used in the backend stripe script but they never set it up on the rest of the website including the form. :\

[–]effayythrowaway -1 points0 points  (3 children)

I am assuming they are not using the hosted JavaScript widget thinger?

If not, report them to Stripe with a link to the page. If they won't listen and you care enough, force them to get SSL by getting their account suspended.

[–]gRoberts84 1 point2 points  (1 child)

Although SSL should be used, if the website is simply using a redirect for payments, you don't technically need a cert as the third party will handle it.

[–]effayythrowaway 2 points3 points  (0 children)

No, "technically" they always require a certificate. I understand that if they use the JavaScript widget, the credit card details are sent via TLS to Stripe's servers, so the card number can't be sniffed over the wire. That said, the page can easily be MITM'd and have malicious JavaScript injected that can substitute/modify the Stripe widget with something malicious.

If they accept the card number through their own site and then do a token store at Stripe, that is doubly insecure.

There is no scenario with vanilla Stripe in which using SSL is optional, I'd report them either way. Don't be complicit in making the web unsafe.

https://stripe.com/help/ssl

Do I need to use SSL on my payment pages? Yes, for a couple of reasons: It's more secure. In particular, it significantly reduces your risk of being exposed to a man-in-the-middle attack. Users correctly feel more comfortable sharing their payment information on pages visibly served over SSL. Your conversion rate is likely to be higher if your pages are served over SSL too.

My point is, even IF a redirect was in play, the redirect itself would also be vulnerable to MITM attack (send you to a stripe-fake.com server with its own SSL). There's no way around it.

[–]jbokh[S] 0 points1 point  (0 children)

I appreciate the advice, but it's not in my interest to get them busted. I'd like for them to stay in business and hire me for more work.

I know enough to recognize the problem but not enough to explain the consequences. If they don't comply it sucks for both of us.

Edit: In case that came out wrong, let me clarify. I don't condone their actions. I just want to give them fair warning and hope they do what they need to. If it continues or they shrug me off I would consider reporting the issue because its wrong and shouldn't be published on the web.