Vincenzo

Reputation: 6418

Staying PCI Compliant with Stripe in a Flutter app

I'm integrating Stripe as the payment gateway and I'm looking at the flutter_stripe package; it says on the tin

Simplified Security: We make it simple for you to collect sensitive data such as credit card numbers and remain PCI compliant. This means the sensitive data is sent directly to Stripe instead of passing through your server. For more information, see our Integration Security Guide.

So I was expecting an integration to call Stripe sdk directly as I do in my Nodejs server where I create the PaymentIntent as mentioned in Stripe custom flow guide

Create a PaymentIntent Add an endpoint on your server that creates a PaymentIntent. A PaymentIntent tracks the customer’s payment lifecycle, keeping track of any failed payment attempts and ensuring the customer is only charged once. Return the PaymentIntent’s client secret in the response to finish the payment on the client. (server)

Use Stripe.js to remain PCI compliant by ensuring that payment details are sent directly to Stripe without hitting your server. (client)

and confirm that PaymentIntent in my flutter app without hitting my server.

I was expecting to find in their API the equivalent of the Stripe node sdk

// Server side only: the Stripe Node SDK is initialised with the secret key
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

const paymentIntent = await stripe.paymentIntents.confirm(
  'pi_1EUq4543klKuxW9fVKimzjFV',
  {payment_method: 'pm_card_visa'}
);

but I found only the method

Future<PaymentIntent> confirmPayment(String paymentIntentClientSecret, PaymentMethodParams data, [Map<String, String> options = const {}])

which does

Confirms a payment method, using the provided paymentIntentClientSecret and data. See PaymentMethodParams for more details. The method returns a PaymentIntent. Throws a StripeException when confirming the payment method fails.

I see from their example app that they hit a server to register customers, making the PCI compliance go down the drain, right?

https://github.com/flutter-stripe/flutter_stripe/blob/main/example/server/src/index.ts

I'm sure I'm not understanding the package, but their API confirmPayment just adds the paymentMethod to the PaymentIntent.

Any explanation will be very helpful. Cheers

Upvotes: 2

Views: 1143

Answers (1)

Justin Michael

Reputation: 6495

The sensitive information governed by PCI (i.e. raw card data) is sent directly from the client to Stripe. Stripe creates a Payment Method to represent that data (pm_) and returns that to the client so it can be referenced from there.

However, Payment Intents must be created server-side in a secure context with a secret or restricted API key, then the Payment Intent's client secret should be sent to the client to allow for client-side confirmation.

The section about validating your PCI compliance in Stripe's integration security guide has more information.

Upvotes: 1
