TomB01 Posted August 22, 2014

I'm building a replacement web store based on 2.3.4 (not going to try the upgrade route from 2.2). All of the extra capability over 2.2 is exciting, but it's confusing, too. I've been using simple Paypal for the last 7 years with great success, but would love to start taking credit cards. Both Stripe and Braintree have what I'd like: simple fees per transaction only, no monthly charges or other extras, and credit card acceptance totally contained on my store site - no switching to another site and back again.

So, what are the advantages/disadvantages of either one? Is there another one out there that's better given the preferences above? I have noticed that Braintree is already inserting random ads on my regular web surfing, so I'm not sure I like an outfit that appears to be that aggressive with marketing. I only visited their site once!?

MrPhil Posted August 22, 2014

Be careful. If the customer enters their credit card information while on your site, that means that your site must be PCI-DSS compliant. That can be quite expensive to pay for the security audits and such. It's far more than just having SSL. Check the fine print as to who is liable for any fraud or breach of security.

Is Braintree your host? Are they free or very low cost, and thus the ads? Do they promise that they will not put any additional ads onto your pages? I think that if you're running a money-making store, it's worth 5 to 10 dollars a month in hosting fees to not subject your customers to someone else's ads, and to have complete control over the site content. With the improved customer experience, you should make up those fees and more.

TomB01 Posted August 22, 2014

> Be careful. If the customer enters their credit card information while on your site, that means that your site must be PCI-DSS compliant. That can be quite expensive to pay for the security audits and such. It's far more than just having SSL. Check the fine print as to who is liable for any fraud or breach of security.
>
> Is Braintree your host? Are they free or very low cost, and thus the ads? Do they promise that they will not put any additional ads onto your pages? I think that if you're running a money-making store, it's worth 5 to 10 dollars a month in hosting fees to not subject your customers to someone else's ads, and to have complete control over the site content. With the improved customer experience, you should make up those fees and more.

1. I didn't know that there were additional security standards to maintain lack of liability. The 2.3.4 demo site simply showed the choices of credit card capability just previous to the checkout page and then had a form credit-card entry right on the checkout page. None of this was implied on the Stripe website, either. In fact, they offer simple code examples for accessing their service. It sounds like you're stating that trying to have credit-card-capability is a fool's errand unless it transfers to their site (like simple Paypal does). Pardon my ignorance, but why would it be a security issue if the form code of an OsCommerce checkout page sends it directly to the credit card service server?

2. I think you misunderstood. There are no ads on my OsCommerce store. I simply meant that random ads on other sites that I visit - the kind based on user link history - are now showing many Braintree ads on my web browser. I only visited the Braintree site once - that was what I meant by "aggressive marketing."

Edited August 22, 2014 by TomB01

TomB01 Posted August 22, 2014

Here's a reference on the Stripe website:

    <form action="" method="POST" id="payment-form">
      <span class="payment-errors"></span>

      <div class="form-row">
        <label>
          <span>Card Number</span>
          <input type="text" size="20" data-stripe="number"/>
        </label>
      </div>

      <div class="form-row">
        <label>
          <span>CVC</span>
          <input type="text" size="4" data-stripe="cvc"/>
        </label>
      </div>

      <div class="form-row">
        <label>
          <span>Expiration (MM/YYYY)</span>
          <input type="text" size="2" data-stripe="exp-month"/>
        </label>
        <span> / </span>
        <input type="text" size="4" data-stripe="exp-year"/>
      </div>

      <button type="submit">Submit Payment</button>
    </form>

Fairly standard. Note how input fields representing sensitive card data (number, CVC, expiration month and year) do not have a "name" attribute. This prevents them from hitting your server when the form is submitted. We're also including a data-stripe attribute on the relevant fields, which we'll discuss later in the tutorial.

Your life becomes easier if sensitive cardholder data does not hit your servers. You no longer need to worry about redacting logs, encrypting cardholder details, or other burdens of PCI compliance.

With Stripe.js, you never have to handle sensitive card data. It's automatically converted to a token which you can safely send to your servers and use to charge your customers.

Unless I'm misinterpreting, this is all stating that you can have the form input for the credit card directly on your OsCommerce checkout page - without incurring the liability mentioned above.

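Added example (not part of the original posts and not Stripe's code): a small Node.js check that lists which fields a form like the one quoted above would POST to the store's own server, and flags any `data-stripe` card field that carries a `name`. The hidden `stripeToken` field, its value and the `cardnumber` name are constructed sample values.

```javascript
// Added example: list what a checkout form would send to the store's server.
// HTML form submission skips any control with no (or an empty) name attribute.

// Parse one tag's attributes into an object with lower-cased keys.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || "";
  }
  return attrs;
}

// Returns the named fields (sent to the form's action URL) and any card
// field (marked data-stripe) that carries a name and would therefore leak.
// Simplification: disabled and unchecked controls are not special-cased.
function auditCheckoutForm(html) {
  const submitted = [];
  const leaks = [];
  const tags = html.match(/<(?:input|select|textarea)\b[^>]*>/gi) || [];
  for (const tag of tags) {
    const a = parseAttributes(tag);
    if (!a.name) continue; // unnamed control: not part of the POST body
    submitted.push(a.name);
    if ("data-stripe" in a) leaks.push(a["data-stripe"]);
  }
  return { submitted, leaks, ok: leaks.length === 0 };
}

// Constructed samples. GOOD mirrors the form quoted above plus a hidden token
// field; the field names "stripeToken" and "cardnumber" are assumptions.
const GOOD_FORM = `
<form action="" method="POST" id="payment-form">
  <input type="text" size="20" data-stripe="number"/>
  <input type="text" size="4" data-stripe="cvc"/>
  <input type="text" size="2" data-stripe="exp-month"/>
  <input type="text" size="4" data-stripe="exp-year"/>
  <input type="hidden" name="stripeToken" value="tok_constructed"/>
</form>`;
const BAD_FORM = GOOD_FORM.replace(
  'size="20" data-stripe="number"',
  'size="20" name="cardnumber" data-stripe="number"'
);

console.log(auditCheckoutForm(GOOD_FORM));
console.log(auditCheckoutForm(BAD_FORM));
```

Run against a store's rendered checkout template, a non-empty `leaks` list means card data would reach the merchant server on submit.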
joli1811 Posted August 22, 2014

I believe you are correct the newer paypal modules (paid) and Authorize.net AIM seem to use this method but I stand to be corrected on this.

regards
Joli

To improve is to change; to be perfect is to change often.

MrPhil Posted August 23, 2014

My understanding of the liability issues was that if the credit card information even merely passed through your server on its way to whoever handles the payment, you had to meet PCI-DSS standards (even if you stored or emailed none of the information). Maybe they've figured out a way to get around this, but I'd still be very, very careful, and get a legally binding written statement that Stripe (or whoever) accepts full responsibility for information security and indemnifies you against lawsuits. You may have to meet some requirements (such as using SSL of a certain level), but not have to meet full PCI-DSS with its expensive audits and such.

This seems to say that there's some Javascript magic under the covers to really send the POST data to a Third Party URL (Stripe). So, you are sending form data directly to the processor rather than to your own site, and thus never handle it. I can only hope it's sent under SSL. I'm not sure why the code doesn't give that URL explicitly in the action attribute -- maybe it's security through obfuscation, maybe it's a genuine innovation. I don't know -- it seems to be a fairly new technique, and so I'm still a bit leery of it.

toyicebear Posted August 23, 2014

PayPal Advanced/Hosted gives the illusion of the input being on your site by using an iframe solution, so the card info is directly inputted to the paypal server while still showing in your checkout.

(For US merchants this is available for 5 USD a month)

joli1811 Posted August 23, 2014

Now again UK stand to be corrected but PayPal Website Payments Pro - Direct Payments as far as I can see seems to be on the website but is not

Actually the first time I installed was like magic fitted the page and took the money I was sort of buff :wacko: how does this work??

No great install needed it does cost as far as I know about £20 UK price

So USA wow $5.00 per month is a great price

It just fits in with the payment page everything is coming from paypal so nothing hosted

I believe authorize net has a similar set up now maybe Harald could clarify a bit

I see no PCI compliance here

Regards
Joli

Edited August 23, 2014 by joli1811

joli1811 Posted August 23, 2014

Just had another look

You’re about to get started with a PayPal Business account for £0/month.

When you upgrade for £20 per month, you can also:

Customise and host checkout directly on your website
Get a merchant account and gateway from one payment provider
Accept card payments by phone and mail order

toyicebear Posted August 23, 2014

It might be the 5 USD option has been discontinued for the US, I can't seem to locate it at their website anymore, it used to be available under the name PayPal Advanced.

PayPal hosted (pro) countries and fees outside of the US.

https://developer.paypal.com/docs/classic/products/website-payments-pro-hosted-solution/#availability-and-fees

Edited August 23, 2014 by toyicebear

toyicebear Posted August 23, 2014

2checkout now also offer a solution where the customer does not leave your site, the payment info entry is done in a pop-up.

AdmiralRedBeard Posted January 26, 2015

Here is some verbiage from Stripe's website concerning security and PCI standards:

No-hassle security & compliance

By using any of Stripe’s client libraries, such as Stripe.js for the web or the mobile APIs, you’re automatically compliant with the strictest PCI requirements. No sensitive data hits your servers, saving you hours of security headaches.

I thought this might help you in making your decision.

Tim

Bob Terveuren Posted January 26, 2015

Hi all

No experience of Braintree but I have written Stripe modules for various carts:

1) You should get an SSL https://stripe.com/help/ssl - their take is about half way down and my personal take is that I would not input card data on a page that was not SSL (stripe.js gets around the 'nothing hits your server' by working 100% within the clients' browsers and you should not have a name attribute on the form field)

2) OK - up to you on the SSL - Stripe are cheaper than PayPal but they will 'sit' on your money for 7 days before passing it onto your bank account - if that causes problems for you then bear that in mind
