英文:
Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using
问题
I am encountering errors when using the test card number "4242424242424242" on my newly created Stripe account, even though I've added the required Secret key to my Node Express routes? and also I have tested with a similar card number available in the docs. but it give error Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using.
But it works in my old Secret key.
英文:
Why am I encountering errors when using the test card number "4242424242424242" on my newly created Stripe account, even though I've added the required Secret key to my Node Express routes? and also I have tested with a similar card number available in the docs. but it give error
Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using.
But it works in my old Secret key.
答案1
得分: 4
Stripe在他们的文档中提到了这一点:https://stripe.com/docs/testing?testing-method=card-numbers#test-code
> 我们不建议直接在API调用或服务器端代码中使用卡号,即使是在测试模式下。
我明白你现在正在测试模式下工作,但要考虑到生产环境:除非你符合PCI合规性,否则你的服务器端代码不应该直接访问客户的原始卡号。在生产环境中,你可能会使用Stripe Checkout或PaymentElement来收集客户的卡号。卡号将直接与Stripe共享,Stripe将创建一个PaymentMethod ID来代表实际的卡片。Stripe在其测试文档中提供的PaymentMethod IDs是你应该在服务器端使用的。
英文:
Stripe flags this in their documentation: https://stripe.com/docs/testing?testing-method=card-numbers#test-code
> We don’t recommend using card numbers directly in API calls or
> server-side code, even in test mode.
I understand you're working in test mode right now but think about the production scenario: unless you're PCI compliant, your server-side code should never have access to a customer's raw card number. In production, you'll likely use Stripe Checkout or the PaymentElement to collect a customer's card number. The card number will be shared directly with Stripe, and Stripe will create a PaymentMethod ID to represent that real card. The PaymentMethod IDs in Stripe's testing doc are what you should use server side.
答案2
得分: 2
我正在遇到完全相同的问题(我正在使用“4242424242424242”卡创建TokenCardOptions),但只有在使用我一天前的秘密密钥时才会出现此异常。当我使用我的同事两个月前的Stripe API秘密密钥时,就不会抛出此异常。
TokenCreateOptions tokenOptionsCredit = new TokenCreateOptions
{
Card = new TokenCardOptions
{
Name = "John Smith",
Number = "4242424242424242",
ExpYear = "2042",
ExpMonth = "12",
Cvc = "555"
}
};
TokenService tokenService = new TokenService();
// 创建新的Stripe令牌
Token stripeTokenCredit = tokenService.Create(tokenOptionsCredit);
我同意LauraT的答案;我的测试帐户不符合PCI标准,所以我不应该能够使用原始卡号。但是,我的同事的测试帐户也不符合PCI标准,所以我仍然很好奇为什么他的秘密密钥可以使用,而我的不能。
英文:
I'm having this exact same issue (I'm creating TokenCardOptions using the "4242424242424242" card), but I only get this exception while using my day-old secret key. When I use my coworker's stripe API secret key (two months old), this exception isn't thrown.
TokenCreateOptions tokenOptionsCredit = new TokenCreateOptions
{
Card = new TokenCardOptions
{
Name = "John Smith",
Number = "4242424242424242",
ExpYear = "2042",
ExpMonth = "12",
Cvc = "555"
}
};
TokenService tokenService = new TokenService();
// Create new Stripe Token
Token stripeTokenCredit = tokenService.Create(tokenOptionsCredit);
I agree with LauraT's answer; my test account isn't PCI compliant, so I shouldn't be able to use a raw card number. But my coworker's test account isn't PCI compliant either, so I'm still curious as to why this works with his secret key, but not mine.
答案3
得分: 0
这不建议在Stripe的最新API版本中使用。
改用以下方式:
// https://stripe.com/docs/api/cards/create
StripeConfiguration.ApiKey = "YourKey";
var options = new CardCreateOptions
{
Source = "tok_visa_debit", //https://stripe.com/docs/testing?testing-method=tokens
};
var service = new CardService();
service.Create("YourStripeUserId", options);
// 示例:此方法将创建具有付款卡的新客户
public async Task<Customer> AddStripeCustomerAsync(Customer customer, CancellationToken ct)
{
// 设置客户选项 - 我们首先需要创建客户,因为我们将需要id
CustomerCreateOptions customerOptions = new CustomerCreateOptions
{
Name = customer.Name,
Email = customer.Email,
};
// 在Stripe上创建客户
Customer stripeCustomer = await _customerService.CreateAsync(customerOptions, null, ct);
// 基于客户数据设置Stripe令牌选项
var cardTokenOptions = new CardCreateOptions
{
Source = "tok_visa_debit",
};
// 创建新的卡令牌
var cardToken = await _cardService.CreateAsync(stripeCustomer.Id.ToString(), cardTokenOptions, null, ct);
// 返回在Stripe上创建的客户(用于测试,以查看请求是否已成功)
return new Customer(stripeCustomer.Name, stripeCustomer.Email, stripeCustomer.Id);
/*在上面的代码中,我们通过API在Stripe上创建了一个新的客户和客户的信用卡。
* 我们首先创建一个新的令牌对象,其中包含客户的信用卡详细信息。*/
}
英文:
This is not recommended in Stripe's newest API version.
Instead do
// https://stripe.com/docs/api/cards/create
StripeConfiguration.ApiKey = "YourKey";
var options = new CardCreateOptions
{
Source = "tok_visa_debit", //https://stripe.com/docs/testing?testing-method=tokens
};
var service = new CardService();
service.Create("YourStripeUserId", options);
// Example: this method will create new customer with a payment card
public async Task<Customer> AddStripeCustomerAsync(Customer customer, CancellationToken ct)
{
// Set Customer options - We need to create the customer first as we will need the id
CustomerCreateOptions customerOptions = new CustomerCreateOptions
{
Name = customer.Name,
Email = customer.Email,
};
// Create customer at Stripe
Customer stripeCustomer = await _customerService.CreateAsync(customerOptions, null, ct);
// Set Stripe Token options based on customer data
var cardTokenOptions = new CardCreateOptions
{
Source = "tok_visa_debit",
};
// Create new Card Token
var cardToken = await _cardService.CreateAsync(stripeCustomer.Id.ToString(), cardTokenOptions, null, ct);
// Return the created customer at Stripe (good for testing, to see if the request gone through)
return new Customer(stripeCustomer.Name, stripeCustomer.Email, stripeCustomer.Id);
/*In the code above we are creating a new customer and the customer's credit card at Stripe through the API.
* We start off by creating a new token object that contains the customer's credit card details.*/
}
答案4
得分: 0
但是我的同事的测试账户也不符合PCI合规性,所以我仍然很好奇为什么他的秘密密钥有效,而我的不行。
这个错误是新的Stripe账户在启用服务器端付款方式收集方式发生变化后的一个特性:
https://stripe.com/docs/security/guide#:~:text=If%20you%20continue%20to%20send,implement%20to%20remain%20PCI%20compliant。
如果你的同事的Stripe账户比你的旧,那么这就是正常的。
你需要联系Stripe支持并提交SAQ D表格,然后才能在你的账户上绕过这个错误。
或者,如上所建议,使用测试令牌,或者不要将卡信息传递到服务器端,而是使用此处文档中记录的客户端端口:
https://stripe.com/docs/js。
英文:
> But my coworker's test account isn't PCI compliant either, so I'm
> still curious as to why this works with his secret key, but not mine.
This error is a feature of new Stripe accounts following changes to how you can enable Server-side payment method collection :
https://stripe.com/docs/security/guide#:~:text=If%20you%20continue%20to%20send,implement%20to%20remain%20PCI%20compliant.
This would be normal if your coworker's Stripe account is older than yours.
You'll have to contact Stripe support and submit a SAQ D form before this error can be bypassed on your account.
Or, as suggested above, use test tokens, or don't pass card information server-side, but client-side using functions documented here:
https://stripe.com/docs/js
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论