
Implementing remember me with Stripe, while not using their Checkout (not supported on PhoneGap), seems to be fine using the path:

First time:

  1. Request token on the client side using card info.
  2. Create customer on server side using token.
  3. Upon confirm, charge customer.

Second time:

  1. Check if current user is Stripe customer by requesting the info from our server.
  2. If the user is a Stripe customer, show "use credit card on file" instead of the regular CC form.
  3. Upon confirm, charge customer.

However, there is one important convenience item missing: the last four digits of the card number. Most sites inform you of the card you're using before making the payment, which is pretty important in case you have to switch out cards.

I have seen that you can retrieve charges which would allow me to get the last four digits. Is it bad practice to pull that and display it?

Are there alternative solutions anyone has in mind?

durron597
Matt
  • May I suggest using [this particular Google search](https://www.google.com/search?btnG=1&pws=0&q=%22last4%22+site%3Ahttps%3A%2F%2Fstripe.com%2Fdocs&gws_rd=ssl#filter=0&pws=0&q=%22last4%22+site:https://stripe.com/docs)? – Hernán Erasmo Aug 23 '14 at 14:50
  • I have plenty of experience with payment systems but I am not familiar with that specific implementation. Does the token provider not include any card info? Even the credit card type (Visa, MC, etc)? I understand tokenization is used to remove those details from the merchant's information systems and thereby shifting liability, but I would think at the time of purchase that some basic info would be available to help tell cards apart. –  Aug 23 '14 at 19:01
  • You can grab a list of customer cards from the Stripe API?: https://stripe.com/docs/api#list_cards Why not just return the last four from there? – Andy Aug 21 '14 at 09:34

1 Answer


I've implemented something very similar to what you describe. Any time the user wanted to fund his/her account, he/she had the option of either providing a credit card number, or, if applicable, re-using the last credit card.

In this implementation, I just stored the last four digits of the "default" card at Stripe locally, in my own database table. When building the credit card entry form, the server looked for this stored value, and, if present, the server rendered a checkbox back to the browser, labeled something like "Use Credit Card XXXX XXXX XXXX 1234". If the user checked the box, then my code would submit a transaction to Stripe indicating that the default card should be used.

Three factors led me to this design:

1) We wanted to be able to list funding transactions (both successful and failed) for our users. These listings needed to show the last four digits of the credit card number, to give the user necessary context information about each funding attempt. Perhaps we could have queried Stripe transaction by transaction when building this listing for the user, but that seems like a lot of back-and-forth. So we really wanted to store "last four digit" info anyway.

2) Storing the last 4 digits of the credit card did not seem like a big security risk. It's customary to show the last 4 digits in less secure situations. So, while we did not want to store full credit card numbers in the database, we thought that storing the last 4 digits of certain cards was acceptable.

3) It was simple. There was no need to manage a list of card numbers for each user, but the vast majority of use cases for something like that were (in my estimation) addressed anyway.

Presumably, if someone got the last 4 digits from our database, and then intercepted Stripe traffic from our site, they might have some sort of head start on decrypting this traffic. But this is a far smaller risk than storing real credit cards would be.

user1172763
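One way to build the locally stored "card on file" record the answer describes, as an added example that is not code from the question or the answer: it reduces a Stripe card object to display-only fields (the field names id, brand, last4, exp_month and exp_year follow Stripe's Card object and are assumed here), renders the masked checkbox label, and refuses to persist any value that looks like a full card number. The sample card objects are constructed.

```python
# Added example, not code from the question or the answer. Field names (id,
# brand, last4, exp_month, exp_year) follow Stripe's Card object; the sample
# card objects below are constructed, not real API responses.
import re
from dataclasses import dataclass, asdict

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def looks_like_pan(value: str) -> bool:
    """13-19 digits (spaces/dashes ignored) passing Luhn: treat as a full card number."""
    digits = re.sub(r"[ -]", "", value)
    return bool(re.fullmatch(r"\d{13,19}", digits)) and luhn_ok(digits)

@dataclass(frozen=True)
class CardOnFile:
    customer_id: str   # Stripe customer id: all that is needed to charge the default card
    card_id: str       # which Stripe card the label describes
    brand: str
    last4: str
    exp_month: int
    exp_year: int
    def label(self) -> str:
        # Checkbox text in the style of the answer's "Use Credit Card XXXX XXXX XXXX 1234"
        return f"Use {self.brand} XXXX XXXX XXXX {self.last4} ({self.exp_month:02d}/{self.exp_year})"

def card_on_file(customer_id: str, card: dict) -> CardOnFile:
    """Keep only display fields from a Stripe card; refuse anything resembling a full PAN."""
    rec = CardOnFile(customer_id, card["id"], card["brand"], str(card["last4"]),
                     int(card["exp_month"]), int(card["exp_year"]))
    if not re.fullmatch(r"\d{4}", rec.last4):
        raise ValueError("last4 must be exactly four digits")
    for name, value in asdict(rec).items():
        if isinstance(value, str) and looks_like_pan(value):
            raise ValueError(f"refusing to store a full card number in {name}")
    return rec

def default_card_on_file(customer_id: str, default_source: str, cards: list):
    """From a cards listing, reduce the customer's default card; None if it is not there."""
    return next((card_on_file(customer_id, c) for c in cards if c["id"] == default_source), None)

# Constructed sample: one customer, two cards, the second being the default source.
SAMPLE_CARDS = [
    {"id": "card_EXAMPLE1", "brand": "Visa", "last4": "4242", "exp_month": 12, "exp_year": 2030},
    {"id": "card_EXAMPLE2", "brand": "MasterCard", "last4": "4444", "exp_month": 6, "exp_year": 2029},
]
```

The stored row then holds only the customer id, card id, brand, last four digits and expiry, which is enough to render the checkbox and to tell Stripe to charge the default card.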