Stripe for Credit card payments

Published
2018-10-25 15:11
Written by
mattwire - member of the CiviCRM community

If you've heard of Stripe you'll know it's a great platform for accepting credit card payments. If you haven't heard of it and are reading this then you should try it out: https://stripe.com

If you already use Stripe please read to the end and upgrade to 5.0 as soon as possible.

From the Stripe website: "Stripe is the best way to accept payments online. Stripe aims to expand internet commerce by making it easy to process transactions and manage an online business."

There are three reasons I recommend it to my clients:

  1. You don't need to know about PCI compliance - credit card details NEVER get sent to your CiviCRM server (they are submitted via JavaScript directly to Stripe instead).
  2. Sign-up is REALLY easy and quick - you certainly don't need to send them a photo of your 3rd uncle to verify your identity.
  3. Fees are lower than other popular payment systems.
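
A check for the first point, as an added example that is not part of the original post or the extension's code: it scans a captured form POST for values that look like card numbers (13 to 19 digits passing the Luhn checksum), so you can confirm that only the Stripe token reaches the CiviCRM server. The field names and sample bodies are constructed for illustration.

```javascript
// Added example: confirm a captured form POST carries no raw card number.
// Field names and sample bodies below are constructed, not taken from the extension.

// Luhn checksum used by payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value is card-like if, ignoring spaces and dashes, it is 13-19 digits and passes Luhn.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Parse an application/x-www-form-urlencoded body and return the names of
// fields whose values look like card numbers. An empty list is the expected result.
function findCardFields(body) {
  const hits = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (looksLikeCardNumber(value)) hits.push(name);
  }
  return hits;
}

// Constructed sample: what the server should see (token only).
const tokenisedPost = "total_amount=25.00&email=donor%40example.org&stripe_token=tok_EXAMPLE";
// Constructed sample: a misconfigured form that posts the card field itself.
// 4242 4242 4242 4242 is Stripe's documented test card number.
const leakyPost = "total_amount=25.00&credit_card_number=4242+4242+4242+4242&cvv2=123";

console.log(findCardFields(tokenisedPost)); // []
console.log(findCardFields(leakyPost));     // [ 'credit_card_number' ]
```

Run it against request bodies captured from a test contribution page; any field it reports means card data is reaching your server and your PCI scope is larger than the token-only flow assumes.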

 

If you have been using Stripe with CiviCRM you'll know that the integration had become a little out of date, with many users suffering from the "Stripe token not passed" error and other issues.

That has now changed! Some of you will have noticed a new 5.0 release.

MJW Consulting have now taken over as the maintainers of the extension and, in partnership with Progressive Technology Project, have rewritten much of the user-facing parts so that it now works properly in all situations:

  • Whether on Drupal, WordPress or Joomla
  • Memberships, donations or events
  • Webform CiviCRM (Drupal): https://github.com/colemanw/webform_civicrm/releases/tag/7.x-4.23

 

How?

You can download 5.0 now from: https://civicrm.org/extensions/stripe-payment-processor or ask your system integrator for more information.

For development / feature requests / issues please see https://lab.civicrm.org/extensions/stripe

Why upgrade to 5.0?

5.0 is a stable base. We will be releasing 5.1 soon, which will introduce some new features; upgrading will ONLY be supported from 5.0.

  • Lots of bug fixes.
  • New CiviCRM standard IPN (using civicrm/payment/ipn/XX).
  • Multiple Stripe processors supported.

What is coming in 5.1?

That all depends on what funding is offered!

  • Remove requirement to have an email address in order to make a payment.
  • Submit more information to Stripe (e.g. contact ID / name) so it is easier for staff to review.
  • Significantly improve reliability of recurring payments (and support Joomla properly for recurring payments).
  • Support Cancellation of recurring payments from within CiviCRM (pending funding).

The Future?

  • The Stripe platform supports a whole range of payment systems, not just credit card. We could implement additional payment methods such as SEPA (Europe), Multibanco (Portugal).
  • Charging an existing customer's card.
  • Notification of a failed payment in CiviCRM.

If your organisation can offer funding we can implement it!

Comments

Stripe has a neat way of reducing PCI scope, but you go too far to claim that you don't need to know about PCI compliance. If you receive credit card payments on your site (or any other way), you need to know about PCI compliance, it's part of the contract with the card provider when you are a merchant.

More specifically - if you receive credit card payments, you are required to fulfill one of the self-assessment questionnaires, and you get to do one of the easier ones if you can reduce your "scope". There's a pretty good summary on this page: https://www.pcicomplianceguide.org/the-pci-basicsquick-guide-what-do-small-merchants-need-to-do-to-achieve-pci-compliance/

The goal is to reduce your scope to just A-EP, which is required even if you are redirecting off your site for payments.

Here's my rather blunter version:

http://homeofficekernel.blogspot.com/2018/06/beware-pci-compliance-salesperson.html

Yes, that's a good link, and I don't see that as trivial at all. You'll note that if you have any JavaScript on your site, you have the potential for it to interfere with the Stripe JavaScript, and you also need to keep your HTTPS certificates up to date with the latest issues. So your site has to be kept secure itself, and that's non-trivial.

As per my blog posting, the most important thing is that as a merchant you are never off the hook for PCI compliance.

I think you do a disservice by minimizing PCI compliance.

Does 'Significantly improve reliability of recurring payments' mean that 5.1 will address issues like https://lab.civicrm.org/extensions/stripe/issues/3?

Hey Matt,

Just wanted to say thank you for taking on maintenance of this extension. I know that you have put in lots of unpaid hours into improving it, so thanks on behalf of everyone that is benefiting from that work.

Hi Matt

What is the status of the update of the Stripe extension (MiH funded)? 
Will all users have to upgrade to this new version before the 14th September 2019? 
Will the new version use "Stripe Elements"? 
And would that be sufficient to qualify for SAQ A "fast lane" (as opposed to A-EP)?
 
Thanks Mike