Possible Compliance & Security Issue

  • Resolved nr123

    (@nr123)


    7 years, 10 months ago

    Hello, in debugging a plugin issue I noticed in the Stripe interface that this plugin is automatically creating a Stripe Customer Record for this client and then saving the Credit Card of the client against that Customer Record in Stripe.

    This is a red flag in that the client never gave permission to have their credit card details stored, even though it is in a secured Merchant Facility system.

    Is it possible to have an option added to the plugin to allow the developer to disable this saving of Credit Card in the Stripe wordpress plugin settings.

    Presumption that this storing of cards is for Subscription implementations however it feels incorrect to force save all cards even if the client isn’t subscribing to a service.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi, the plugin developers will investigate further your issue/request.

    Thank you

    Plugin Author mra13

    (@mra13)

    You need to talk to Stripe team about this. Our plugin is implemented according to Stripe’s guideline. We talked to the Stripe team and got our implementation checked. They confirmed that it is all good. I don’t want to change anything in there and upset our existing users because we know the current implementation is good. I would rather you use a different plugin which is customized the way you want it.

    • This reply was modified 7 years, 10 months ago by mra13.
    Thread Starter nr123

    (@nr123)

    Hello, thank you for the reply.

    If the Stripe Checkout is implemented as per the Stripe documentation : https://stripe.com/docs/checkout/tutorial , a Customer record is not created in the Stripe system nor is the saving of their credit card details. This seems logical as the client does not indicate they would like them saved.

    However the standard Stripe Checkout implementation for non-subscription payments in your plugin does create a Customer Record and save the client credit card details. So presuming the Customer Record & credit card saving is being created by this plugins own code.

    Would also presume that most clients wouldn’t be happy that their Credit Card details were being saved against their name in a Merchant Facility without their prior agreement to save them. This is what is being referred to as a possible compliance/security issue.

    Is it possible for your plugin to not save the credit details against a Customer Record if your plugin is being used for non-subscription payments? Or at least provide an option for it to be disabled in the plugin should users of your plugin feel this is a compliance/security issue?

    Thank you for you consideration.

    • This reply was modified 7 years, 10 months ago by nr123. Reason: clarity
    Plugin Author mra13

    (@mra13)

    I will work on adding a settings option for this in a future release.

    Thread Starter nr123

    (@nr123)

    Thank you for your consideration.

    Plugin Author mra13

    (@mra13)

    There is a new option for this in the settings menu of this plugin.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Possible Compliance & Security Issue’ is closed to new replies.