Is Amember and Stripe secure?

Discussion in 'Payments processing' started by 123Marketing, Feb 2, 2017.

  1. 123Marketing

    123Marketing aMember Pro Customer

    Joined:
    Jun 4, 2005
    Messages:
    128
    I keept getting potential members asking me (via my help desk) if the connection is secure.

    When I try paying with Stripe, it appears that my credit card info is typed into an unsecured page.

    Any thoughts on how to SSL secure this?
    mhelelamparo likes this.
  2. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,661
    The main advantage of Stripe is your site do not deal with sensitive data (CC info) at all. CC info submitted from user browser to secure stripe server directly. It is most secure approach nowadays.

    In same time it is good idea to enable https on your site. It will not increase security but your customers will feel more comfortable to pay on your site. I suggest to contact either your system administrator or hosting support and ask to enable https for your site.

    Then you can set secure url (https) in aMember settings
    aMember CP -> Configuration -> Setup/Configuration (License and Root Url)

    Best Regards.
  3. 123Marketing

    123Marketing aMember Pro Customer

    Joined:
    Jun 4, 2005
    Messages:
    128
    I am a bit confused.

    When a customer enters their credit card number from my membership site, the sensitive data is not secure:

    [​IMG]

    Isn't this a big security issue if I do not have an SSL certificate?
  4. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,661
    Your site does not matter here. These fields with CC info has not names. It means browser never send it to your site/server.

    We uses special javascript library that send this data directly to secure stripe server.
    Your server never deal with CC info. Only user's browser and Stripe server deal with user's CC info.
  5. 123Marketing

    123Marketing aMember Pro Customer

    Joined:
    Jun 4, 2005
    Messages:
    128
    I am still confused;

    If my customer types their credit card info at my unsecured server, can't their numbers get stolen when amember hands off their numbers to stripe's site?

    In other words, shouldn't my customer type in their credit card information on Stripe's site? I am pretty sure this is how PayPal does it.
  6. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,661
    Client fill in Credit Card info on his computer in his browser (It is not your server, browser just retrieve page from your server and show it to user. user interact with this page in his browser). Then his browser send it to stripe server directly. Stripe return special token to browser and then browser send this token to your server.

    Your server do not transfer/store/process Credit Card info.

    You can read more detailed description on stripe site here
    https://stripe.com/docs/custom-form

    I can recommend to setup https on your server as well but current configuration is secure without it.

    Best Regards.
  7. swintec

    swintec aMember Pro Customer

    Joined:
    Nov 24, 2008
    Messages:
    45
    it is secure as you have it, but good luck trying to convince users of this. You should save yourself the headaches and just get an SSL certificate and call it a day.
  8. 123Marketing

    123Marketing aMember Pro Customer

    Joined:
    Jun 4, 2005
    Messages:
    128
    Yes, that is exactly what I am thinking.

    It is a perception problem, right?
  9. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,661
    Yes, you are right.

Share This Page