Stripe API Receiving Full CC Numbers

Yesterday I received this email from Stripe:

We noticed that you passed a customer’s full credit card number to Stripe’s API. To keep your customer’s information safe, we don’t process charges that include full card numbers.

To continue processing payments with Stripe, use one of our official client integrations to collect payment information securely. These integrations ensure that sensitive card data never needs to touch your server.

We strongly discourage passing full card numbers to our API because it:

Can expose your customers’ sensitive data to bad actors

Requires you to meet complex PCI compliance requirements.

Makes it harder for Radar, Stripe’s fraud protection tool, to protect your business

In very rare cases, you might need to pass full card numbers. If this applies to you, you can allow it in your integration settings.

This is only a first-time notification; we won’t email you about this again in the future. If you have questions, you can contact us via our support site.

Has anyone else seen this? I looked and could not tell if there were any settings along these lines in the Stripe section of s2Member. Thoughts?

s2Member doesn’t send the card, it doesn’t even get it. We use the Stripe.js Element for the card, that’s all in an iframe of theirs, and they take the card details.

Are you using your Stripe account with any other plugin or service that could be doing it wrongly?

Do you have a log entry in your Stripe account, of one of those attempts Stripe is messaging you about? Do you see anything related to s2Member there?

For now, please also keep s2’s logging enabled in case it helps. WP Admin > s2Member Pro > Log Files

I look forward to any other details and insight you could provide.

:slight_smile:

What you described is exactly what I thought. The more I look into this issue, the weirder it appears.

Unfortunately I didn’t have s2 logs enabled when this happened. However, my membership site isn’t the most active and I did not think I had any payment activity during that time.

In my Stripe settings, I have Tokenizing charges set, which is what I believe Stripe prefers.

The Stripe logs clearly show that a request from an IP address tried to post a card number, but when I do an IP lookup for the attached IP address, it comes back as being an Amazon.com IP address, not my site. I think it is very unlikely that Amazon is trying to sign up for my membership site…but maybe? :face_with_raised_eyebrow: :thinking:

My current thought now is that this isn’t s2Member, but perhaps some type of Amazon integration that I don’t remember creating (but this will be the next place I look).

Thanks for the reply and unless I post further, we can mark this as “not s2Member”, which is nice. :slight_smile:

~Cam


Thanks for the update! I hope you can get to the bottom of it easily.

:slight_smile:


Isn’t this a case for changing the keys? Maybe there was a breach and someone might be using @crazycoolcam’s account to test cards?

My brain isn’t functioning well now, I am going to bed, but please do your best to get to the bottom of it. Check that your server is safe as well and that your WordPress installation wasn’t compromised. :pray:t2:

Keep us posted.

That is an interesting thought. I am unaware of any breach on my site at this time, but that doesn’t mean that somehow my keys were leaked or exposed.

If I regenerate my keys on Stripe and replace the new keys in s2Member, will that affect any of the current members/subscriptions that are in effect? (I just want confirmation on what level of hassle regenerating keys will have and/or if there are any details I should be aware of when doing this.)

On a positive note, I only received this error once and I do not see any failed attempts since then.

Thanks for advising.
~Cam :slight_smile:


It should not interfere (Stripe support can confirm it, they’re nice and fast via chat).

Check your Stripe logs to see if you can notice anything suspicious or with a pattern that differs from the usual one.

Have a security plugin with good reputation installed on your WordPress and only ever install things on your site from very reliable sources.

Keep your server up to date etc.

I hope I am wrong, I felt like commenting just in case as it’s always better to be safe than sorry. :pray:t2:

Keep us posted.

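One way to do the log review suggested in the reply above, written for this thread as an added example (it is not s2Member’s or Stripe’s code). It assumes the request-log entries have been copied out of the Stripe Dashboard into the constructed JSON shape shown in the block; Stripe’s real export layout differs, and the `key_suffix` field, the trusted-CIDR list and the parameter names in `RAW_PAN_KEYS` are all assumptions for the example. The sample uses documentation-only IP ranges (not a real Amazon address) and Stripe’s public `4242…` test card number. The script flags three things the thread cares about: a raw card parameter in the request body (with a Luhn check to tell a real number from a masked one), a caller address outside the site’s own server range, and an API key that is not one configured on the site.

```python
"""Triage constructed Stripe request-log records for raw card numbers and unexpected callers.

Added example for this thread; not s2Member or Stripe code. The record layout
is an assumption made for the example, not Stripe's export format.
"""
import ipaddress
import json
import re

# Request parameters under which a raw primary account number (PAN) could reach
# the Stripe API. Assumed list for this example.
RAW_PAN_KEYS = (
    "card[number]",
    "source[number]",
    "payment_method_data[card][number]",
)

# Constructed sample export: one normal tokenised call, one raw-card call from an
# address that is not the membership site's server, one masked raw-card call made
# with a key the site does not use. IPs are from RFC 5737 documentation ranges.
SAMPLE_LOG = json.loads("""[
  {"id": "req_A1", "method": "POST", "path": "/v1/customers",
   "source_ip": "203.0.113.10", "key_suffix": "k9Qz",
   "params": {"email": "member@example.com", "source": "tok_visa"}},
  {"id": "req_B2", "method": "POST", "path": "/v1/charges",
   "source_ip": "198.51.100.7", "key_suffix": "k9Qz",
   "params": {"amount": "100", "currency": "usd",
              "card[number]": "4242424242424242", "card[exp_month]": "12"}},
  {"id": "req_C3", "method": "POST", "path": "/v1/tokens",
   "source_ip": "203.0.113.10", "key_suffix": "x7Lm",
   "params": {"card[number]": "***", "card[exp_year]": "2030"}}
]""")

# Egress addresses the site's own server uses (assumed) and the suffixes of the
# API keys currently configured in s2Member (assumed).
TRUSTED_CIDRS = ("203.0.113.0/24",)
KNOWN_KEY_SUFFIXES = ("k9Qz",)


def luhn_valid(digits: str) -> bool:
    """True when a 12+ digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Masked values such as '***' or '424242******4242' never pass the Luhn check."""
    return luhn_valid(re.sub(r"[ -]", "", value))


def triage(records, trusted_cidrs=TRUSTED_CIDRS, known_key_suffixes=KNOWN_KEY_SUFFIXES):
    """Return a list of {id, reasons} for every record that deserves a closer look."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in records:
        reasons = []
        params = rec.get("params", {})
        for key in RAW_PAN_KEYS:
            if key in params:
                state = "Luhn-valid PAN" if looks_like_pan(params[key]) else "masked or invalid value"
                reasons.append(f"raw card parameter {key} present ({state})")
        ip = ipaddress.ip_address(rec["source_ip"])
        if not any(ip in net for net in nets):
            reasons.append(f"source IP {ip} is outside the site's trusted ranges")
        if rec.get("key_suffix") not in known_key_suffixes:
            reasons.append(f"API key ending {rec.get('key_suffix')} is not one configured on the site")
        if reasons:
            findings.append({"id": rec["id"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["id"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

A request that carries a Luhn-valid number from an address you do not recognise, or one made with a key you never configured, is the pattern the earlier replies describe: either another integration is sending raw cards, or a key has leaked and someone is using the account to test cards. The Luhn check matters because a masked value in a log entry is not itself evidence that a real number was sent.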

The change of API keys shouldn’t make any difference on how s2 handles the Stripe notifications, s2 doesn’t check if the keys are the same used when the subscription got created, and different API keys certainly won’t affect the subscriptions on Stripe.

You can save the keys for a while and test new ones in s2, keep s2’s logging enabled, and see if it mentions ignoring any payment or end of subscription notifications for a subscriber from your site. WP Admin > s2Member Pro > Log Files

You can create a test subscription for 50 cents/day, then end the subscription, check the s2 log entries.

:slight_smile:
