charles25686713  
#1 Posted : Thursday, February 15, 2024 3:27:57 PM(UTC)
charles25686713

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 7/1/2022(UTC)
Posts: 71

Thanks: 5 times
Was thanked: 1 time(s) in 1 post(s)
We're exploring alternatives to authorize.net that have native support in AC, and checking out Stripe.

I set up an account in Stripe, everything in Test mode, and placed a test payment through the Stripe gateway plugin.

It failed, with this error:

---
invalid_request_error

Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.c...s-to-raw-card-data-apis.
---

It doesn't appear that the Stripe plugin/gateway in AC is up to par with the latest Stripe requirements?


Katie S  
#2 Posted : Thursday, February 15, 2024 5:06:15 PM(UTC)
Katie S

Rank: Advanced Member

Groups: System, Administrators, Developers, Registered, HelpDesk
Joined: 10/29/2018(UTC)
Posts: 472

Thanks: 4 times
Was thanked: 34 time(s) in 33 post(s)
Hi there,

It wasn't that long ago when we added Stripe. I believe it was 9.0.5, so it should be working.

I've linked the help instructions below. Be sure to use one of the testing credit cards when you are in a test mode.

https://help.ablecommerc...%2FGateways%2FStripe.htm

Stripe Test Credit Card numbers

Visa 4242424242424242 (no authentication required for std US card)
Visa 4000002760003184 (triggers authentication as required)

Please let me know if this solves the issue.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#3 Posted : Thursday, February 15, 2024 5:24:18 PM(UTC)
Hi, thanks for the quick response.

Your help doc doesn't quite match what the Stripe dev dashboard looks like now, but it's close enough.

I did what's listed there, using the 4242 card, and got the error I posted above. As far as I know, I did everything right.

It looks like the rules changed on you?

Originally Posted by: Katie S
Hi there,

It wasn't that long ago when we added Stripe. I believe it was 9.0.5, so it should be working.

I've linked the help instructions below. Be sure to use one of the testing credit cards when you are in a test mode.

https://help.ablecommerc...%2FGateways%2FStripe.htm

Stripe Test Credit Card numbers

Visa 4242424242424242 (no authentication required for std US card)
Visa 4000002760003184 (triggers authentication as required)

Please let me know if this solves the issue.


charles25686713  
#4 Posted : Thursday, February 15, 2024 5:27:24 PM(UTC)
P.S. 9.0.5 came out Sept 27, 2021.

That's forever in ecommerce/PCI compliance time!!
Katie S  
#5 Posted : Thursday, February 15, 2024 5:39:17 PM(UTC)
Ok, I'll have to find our test info and give it a try. We have two releases per year, and we support many different gateways. We don't always know when something changes until it's already happened. This is quite common.

One thing that you can try is to enable the debug for the gateway. Run another test transaction and check the stripe log file under the \app_data\logs\ folder. This will often give you a bit more info.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#6 Posted : Thursday, February 15, 2024 5:54:42 PM(UTC)
I understand, and expected as much.

I did have debug enabled, and I didn't find a stripe log file in the app_data\logs folder.

I did see the error both on the AC side, and on the Stripe dev dashboard side.

Looking closer in the logs folder, I see it in app.log. Perhaps the exception chain will help you?

---
2024-02-15 13:46:17,949 ERROR AbleCommerce Provider threw exception in DoAuthorize.
Stripe.StripeException: Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing. To enable raw card data APIs in test mode, see https://support.stripe.c...s-to-raw-card-data-apis.
at Stripe.StripeClient.ProcessResponse[T](StripeResponse response)
at Stripe.StripeClient.<RequestAsync>d__25`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Stripe.Service`1.<RequestAsync>d__26`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Stripe.Service`1.Request[T](HttpMethod method, String path, BaseOptions options, RequestOptions requestOptions)
at Stripe.PaymentMethodService.Create(PaymentMethodCreateOptions options, RequestOptions requestOptions)
at CommerceBuilder.Payments.Providers.Stripe.StripeProvider.DoAuthorize(AuthorizeTransactionRequest authorizeRequest)
at CommerceBuilder.Services.PaymentService.Authorize(AuthorizeTransactionRequest request, IPaymentProvider paymentProvider)
---

Originally Posted by: Katie S
Ok, I'll have to find our test info and give it a try. We have two releases per year, and we support many different gateways. We don't always know when something changes until it's already happened. This is quite common.

One thing that you can try is to enable the debug for the gateway. Run another test transaction and check the stripe log file under the \app_data\logs\ folder. This will often give you a bit more info.
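
The app.log excerpt posted in #6 can be triaged mechanically. This added example (not code from AbleCommerce, Stripe, or either poster) parses log text in that layout and reports which Stripe SDK method the application called when Stripe refused a raw card number; the sample log is constructed from the excerpt, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the app.log excerpt from post #6
# (stack shortened; the final INFO line is invented to show entry grouping).
SAMPLE_LOG = """\
2024-02-15 13:46:17,949 ERROR AbleCommerce Provider threw exception in DoAuthorize.
Stripe.StripeException: Sending credit card numbers directly to the Stripe API is generally unsafe.
at Stripe.StripeClient.ProcessResponse[T](StripeResponse response)
--- End of stack trace from previous location where exception was thrown ---
at Stripe.Service`1.Request[T](HttpMethod method, String path, BaseOptions options, RequestOptions requestOptions)
at Stripe.PaymentMethodService.Create(PaymentMethodCreateOptions options, RequestOptions requestOptions)
at CommerceBuilder.Payments.Providers.Stripe.StripeProvider.DoAuthorize(AuthorizeTransactionRequest authorizeRequest)
at CommerceBuilder.Services.PaymentService.Authorize(AuthorizeTransactionRequest request, IPaymentProvider paymentProvider)
2024-02-15 13:47:02,101 INFO AbleCommerce Constructed line: order saved.
"""

ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (\w+) (.*)$")
FRAME = re.compile(r"^\s*at ([^\s(\[]+)")  # qualified method name, no generics/args
RAW_CARD = "Sending credit card numbers directly to the Stripe API"


def parse_entries(text):
    """Group each timestamped line with the exception text and frames under it."""
    entries = []
    for line in text.splitlines():
        head = ENTRY.match(line)
        if head:
            entries.append({"time": head.group(1), "level": head.group(2),
                            "message": head.group(3), "exception": None, "frames": []})
            continue
        if not entries or not line.strip() or line.startswith("---"):
            continue  # preamble, blank line, or "End of stack trace" separator
        frame = FRAME.match(line)
        if frame:
            entries[-1]["frames"].append(frame.group(1))
        elif entries[-1]["exception"] is None:
            entries[-1]["exception"] = line.strip()
    return entries


def raw_card_rejections(entries):
    """One finding per entry in which Stripe refused a raw card number."""
    findings = []
    for entry in entries:
        if RAW_CARD not in (entry["exception"] or ""):
            continue
        frames = entry["frames"]  # innermost first, as .NET prints them
        sdk = [i for i, name in enumerate(frames) if name.startswith("Stripe.")]
        if not sdk:
            continue
        outermost = sdk[-1]  # last SDK frame = the API the application invoked
        caller = frames[outermost + 1] if outermost + 1 < len(frames) else None
        findings.append({"time": entry["time"], "sdk_call": frames[outermost],
                         "caller": caller})
    return findings


if __name__ == "__main__":
    for finding in raw_card_rejections(parse_entries(SAMPLE_LOG)):
        print(finding)
```

For the trace in the thread this reports `Stripe.PaymentMethodService.Create` called from `StripeProvider.DoAuthorize`, which places the PaymentMethod creation, and therefore the card number, on the server side.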


Katie S  
#7 Posted : Thursday, February 15, 2024 6:22:36 PM(UTC)
Ok, the error message in the app.log makes sense now. Stripe is not sending anything back at this point, so the stripe transaction log isn't recording anything yet.

Do you see any settings "To enable raw card data APIs in test mode"?

I tried the URL in the error message, but the page no longer exists. I searched their documentation and nothing is coming up.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#8 Posted : Thursday, February 15, 2024 6:59:31 PM(UTC)
The page works for me. Try it without the trailing period:

https://support.stripe.c...ss-to-raw-card-data-apis

It basically says you can use it in production if you can prove PCI compliance. In test they can do it without proof, but that doesn't really help.

I'm not really interested in making it harder to be PCI compliant! :) And it certainly doesn't meet the qualifications of a "payment gateway".



Originally Posted by: Katie S
Ok, the error message in the app.log makes sense now. Stripe is not sending anything back at this point, so the stripe transaction log isn't recording anything yet.

Do you see any settings "To enable raw card data APIs in test mode"?

I tried the URL in the error message, but the page no longer exists. I searched their documentation and nothing is coming up.




Katie S  
#9 Posted : Thursday, February 15, 2024 7:36:56 PM(UTC)
Yes, thanks for pointing out the link issue.

From this page:

Quote:
The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. To facilitate this, you can integrate using Checkout, Elements, or our mobile SDKs. These integrations collect payment information and transmit it directly to our servers.


Also from this page:

Quote:
some Stripe users may have integrations which require that they, or a third party, take on a greater degree of this shared responsibility. This is generally required if your servers directly handle card data and pass it to Stripe.


Then, I found these notes in our dev system when the integration was built:

Quote:
There are two implementations for Stripe:

  • Prebuilt Checkout pages: This is similar to PayPal, where the user completes the payment on the provider site. A popup in the case of PayPal, and for Stripe there is a separate page where we complete the card payment and then return to our site.

  • Custom Payment Flow: This is the standard card payment method that we are following for all other payment methods, where we complete the payment process staying on our own site.


There are two methods: Prebuilt Checkout pages (UI handled by Stripe) and Custom Payment Flow. We are intending to use the Custom Payment Flow method, where we can have control over UI elements and payment operations.


So...from what I'm reading, the "raw card data" might be a required option for AbleCommerce because we directly handle card data and pass it to Stripe. I can verify with the dev team, but it may be quicker for you to enable the option in test mode to see if it fixes the issue.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#10 Posted : Thursday, February 15, 2024 7:51:34 PM(UTC)
It'll probably fix it, however without direct guidance and documentation from AC on how to prove to Stripe that we're PCI Compliant, this is a no go for us.
Katie S  
#11 Posted : Thursday, February 15, 2024 8:20:23 PM(UTC)
I understand. In the past, we've recommended this service to prove PCI compliance.

https://www.qualys.com/s...reports%20are%20provided

You might want to look at Braintree. It works with std. credit cards, PayPal, Express, Apple Pay, and Google Pay. I've seen a few merchants recently move to their service.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#12 Posted : Thursday, February 15, 2024 8:27:19 PM(UTC)
Our setup is a bit unique in that we also take "card present" payments, not just online.

I looked at Braintree earlier and they were online only?

Originally Posted by: Katie S
I understand. In the past, we've recommended this service to prove PCI compliance.

https://www.qualys.com/s...reports%20are%20provided

You might want to look at Braintree. It works with std. credit cards, PayPal, Express, Apple Pay, and Google Pay. I've seen a few merchants recently move to their service.


charles25686713  
#13 Posted : Thursday, February 15, 2024 8:39:43 PM(UTC)
Here's the scary alert I received from Stripe when I made one test payment through your plugin:

---
We noticed that you passed a customer's full credit card number to Stripe's API in test mode. To keep your customer's information safe, we don't process charges that include full card numbers.

To continue processing payments with Stripe, use one of our official client integrations to collect payment information securely. These integrations ensure that sensitive card data never needs to touch your server.

We strongly discourage passing full card numbers to our API because it:

Can expose your customers' sensitive data to bad actors

Requires you to meet complex PCI compliance requirements

Makes it harder for Radar, Stripe's fraud protection tool, to protect your business

In very rare cases, you might need to pass full card numbers. If this applies to you, you can allow it in your integration settings.
---
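
Stripe's alert above says its client integrations keep card data off the merchant's server. As an added example (not part of the thread, and not AbleCommerce or Stripe code), this server-side check for a custom integration accepts only a client-created reference and flags any posted field carrying a Luhn-valid card number; the field names, the `pm_`/`tok_` ID pattern and the sample requests are assumptions.

```python
import re

# Assumption: references created by Stripe's client integrations are opaque IDs
# such as "pm_..." or "tok_..."; this pattern is illustrative, not Stripe's spec.
REFERENCE = re.compile(r"^(?:pm|tok)_[A-Za-z0-9]{8,}$")
# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(value):
    """Return masked forms (first 6, last 4) of Luhn-valid card numbers in value."""
    hits = []
    for match in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def check_payment_request(fields):
    """Accept only a client-created reference; report any field carrying a card number."""
    reasons = []
    for name, value in fields.items():
        for masked in find_pans(str(value)):
            reasons.append(f"{name}: card number {masked} reached the server")
    if not REFERENCE.match(str(fields.get("payment_method", ""))):
        reasons.append("payment_method: expected a client-created reference")
    return (not reasons, reasons)


# Constructed requests; field names and the pm_ value are hypothetical.
TOKENIZED_POST = {"order_id": "1001", "payment_method": "pm_1ExampleOnly0000"}
RAW_CARD_POST = {"order_id": "1002", "card_number": "4242 4242 4242 4242", "cvc": "123"}

if __name__ == "__main__":
    for post in (TOKENIZED_POST, RAW_CARD_POST):
        print(check_payment_request(post))
```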
Katie S  
#14 Posted : Friday, February 16, 2024 10:40:23 AM(UTC)
I'm not sure what to make of this warning message.

When we develop integrations with payment gateways, the credit card information 'can' be stored in AbleCommerce, using encryption of course. On purchase, the card info is passed to the API, but that is over a secure channel. It seems that Stripe does not prefer this type of integration because of the liability the merchant has to keep the card data safe.

With the link I provided to qualys.com, and the help of their online system, it's not too difficult to get PCI approved. The basic steps are to first run a scan on your website. A report is generated. Then you start fixing any of the security issues that are ranked high. Run the scan again to confirm all the P1 issues are taken care of. (It might take a few attempts to get them all.)

Then you have an official scan to provide the payment service. You'll also have a questionnaire to complete. Most of it has to do with your internal procedures for handling credit card info.

Before you make any decisions, let me have a quick discussion with the dev team. We have a new integration coming in the next version, and I want to check and see exactly what it covers.

Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#15 Posted : Friday, February 16, 2024 1:01:59 PM(UTC)
We are all too familiar with how to stay PCI compliant! We already are...

I found the option in Stripe to enable "handle card information directly". It refers to the link we talked about above.

I think this means in theory we can go there, it's just more complicated than before, and PCI is already a real hassle.

Originally Posted by: Katie S
I'm not sure what to make of this warning message.

When we develop integrations with payment gateways, the credit card information 'can' be stored in AbleCommerce, using encryption of course. On purchase, the card info is passed to the API, but that is over a secure channel. It seems that Stripe does not prefer this type of integration because of the liability the merchant has to keep the card data safe.

With the link I provided to qualys.com, and the help of their online system, it's not too difficult to get PCI approved. The basic steps are to first run a scan on your website. A report is generated. Then you start fixing any of the security issues that are ranked high. Run the scan again to confirm all the P1 issues are taken care of. (It might take a few attempts to get them all.)

Then you have an official scan to provide the payment service. You'll also have a questionnaire to complete. Most of it has to do with your internal procedures for handling credit card info.

Before you make any decisions, let me have a quick discussion with the dev team. We have a new integration coming in the next version, and I want to check and see exactly what it covers.



Katie S  
#16 Posted : Friday, February 16, 2024 1:52:32 PM(UTC)
Got it on the PCI compliance.

This morning, our devs confirmed that Stripe is working using the current API supported in Able.

Be sure to use the 4242424242424242 for the test card.

FYI - We are implementing Stripe POS in the next version of AbleCommerce. It will handle inventory updates and payments.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#17 Posted : Friday, February 16, 2024 2:02:28 PM(UTC)
Please clarify what that means.

Does "working" mean I have to enable the "handle card information directly" and prove to them we're PCI compliant, or something else?

I did use the 4242 card to generate the error that started this topic.

Is there an ETA on next version of AC? Does that POS support include Stripe terminals??

Originally Posted by: Katie S
Got it on the PCI compliance.

This morning, our devs confirmed that Stripe is working using the current API supported in Able.

Be sure to use the 4242424242424242 for the test card.

FYI - We are implementing Stripe POS in the next version of AbleCommerce. It will handle inventory updates and payments.

Edited by user Friday, February 16, 2024 2:03:05 PM(UTC)  | Reason: Not specified

Katie S  
#18 Posted : Friday, February 16, 2024 2:50:20 PM(UTC)
It's working in our test environment. I have to assume you will need to enable the option and be PCI compliant if you want to use our integration with Stripe. Enabling this option in your test environment would be a confirmation.

Quote:
Is there an ETA on next version of AC? Does that POS support include Stripe terminals??


Sorry, I meant SQUARE POS, not Stripe. I can get a better description of the features from our devs next week. We hope to have 9.0.10 by end of next month, or into first part of April....depending on how final QA goes, and final testing should be starting in about 2 weeks.
Thanks for your support!

Katie
Secure eCommerce Software and Hosting
charles25686713  
#19 Posted : Wednesday, February 28, 2024 4:23:42 PM(UTC)
Hello again, please consider updating the Stripe plugin to use the current Stripe.Net dll.

I'm building a custom Stripe implementation and the outdated version in the plugin is causing problems.
Katie S  
#20 Posted : Friday, March 1, 2024 11:58:01 AM(UTC)
Hi Charles,

I opened an issue report with the dev team. If we have time to get it in, then it will be available in the next release. Otherwise, we can provide an updated Plugin soon after.

Thanks!
Thanks for your support!

Katie
Secure eCommerce Software and Hosting