

Tarsnap now takes credit cards (switching from Paypal to Stripe) - cperciva
http://www.daemonology.net/blog/2012-08-13-tarsnap-credit-cards.html

======
e1ven
I love your implementation of the payment iframe!

I've wanted to implement stripe on a project of mine for a while, but I've had
the same objection -- I don't want to allow any foreign-loaded Javascript
that's not in an iframe.

Will you be releasing the iframe-generator by any chance?

Not that I don't trust you, but I'd feel more comfortable running it on my own
HW... For instance, if you went evil, you could replace the iframes generated,
rather than really delivering the Stripe code. Alternatively, you might decide
that the payment iframe isn't worthwhile, and shut it down, leaving me and my
users out of luck.

~~~
cperciva
I think you wanted to post this over here -->
<http://news.ycombinator.com/item?id=4376192>

But while I'm replying, I might as well answer the question... I didn't think
anyone would want the frame-generator code, since (a) you'd need to host it
yourself and set up your own new domain to do it in, and (b) you wouldn't need
the flexibility of specifying a target URL and API key at run-time.

But if people want the code I'm happy to provide it -- send me an email to
remind me to put it up somewhere.

~~~
e1ven
Sorry, didn't see you posted that separately, I found it linked through this
post.

I'll send you an email -- It'd be useful for for piece of mind for me, anyway.
Throwing an additional Linode up isn't that bad, and it lets me know that the
stack isn't going to change.

Thanks again for writing this, I'm consistently amazed at the quality of work
you do! ;)

------
aristidb
I feared you might have removed Paypal, because Paypal allows using local
payment methods (like direct debit).

Fortunately it seems like both Stripe and Paypal are supported now. Phew!

~~~
cperciva
Yes, when it comes time to make a payment you can click on either the "Make
credit card payment" button (which loads the payment iframe) or the "Send
payment via paypal" button (which sends you off to Paypal).

There's a lot of people outside of North America who don't have credit cards,
and I certainly don't want to exclude them from using Tarsnap.

------
ineedtosleep
Thank goodness. I was considering Tarsnap a few months ago, but I had to
reconsider it because of the Paypal requirement. Stripe is a welcomed
alternative, though any non-PayPal method would work as well, and I'm likely
going to finish my account setup this week.

~~~
DASD
I've always been curious about comments similar to yours with regard to
avoiding a service that uses Paypal. Is that because of not wanting to use
Paypal at all? Or is that because you think using Paypal means not being able
to pay with credit card(they do and a Paypal account is not required)? Thanks.

~~~
ineedtosleep
I believe you can specify the amount you're depositing into your account,
though someone correct me if I'm wrong. My issue is with just not trusting
PayPal. I do use them every now and then when I absolutely must, but I just
don't store credit cards or bank accounts with them any longer.

~~~
DASD
Sorry if I'm not clear. I mean you can make a purchase using Paypal and a
credit card without having an account. This is separate than having a Paypal
account, funding it and then purchasing via transfer("purchase") to another
Paypal account.

~~~
cperciva
Usually true, but not always -- for people in "high risk" countries Paypal
sometimes refuses to accept a credit card unless you create a Paypal account
first.

~~~
DASD
Got it. Thank you. But isn't this a separate issue and more to card issuance
by Visa/Mastercard/Diner's etc? Won't Stripe likely have the same restrictions
to cover themselves...or in time after they've been burned enough as well?

~~~
cperciva
Stripe doesn't need to "cover themselves" as much as Paypal, since they have
more information about their merchants and hold on to money for a week.

------
DASD
Colin,

With the iframe implementation, is the burden of PCI compliance back on you(or
someone who implements a similar function on their own hardware)?

I totally understand the need for safety with regard to external javascript
but I thought one of the selling points for Stripe was less PCI headaches
since they handle the "sensitive" parts for you?

~~~
cperciva
The PCI rules only apply to systems which touch credit card data -- not to a
system which serves up a credit card form.

~~~
DASD
Sorry if I misunderstand. Aren't you(paymentiframe) processing the form which
is touching the data and then passing the data onto Stripe via their API?

~~~
cperciva
The iframe uses Stripe's javascript to send the card details directly to
Stripe's servers -- the only thing which hits the tarsnap server is a token
which Stripe returns (and nothing at all goes back to the server hosting the
iframe).

~~~
flatline3
This approach of Stripe's has always seemed like a bit of a shell game to me,
but I can only assume it's been deemed PCI compliant.

~~~
cperciva
As I point out in my blog post, what the networks care the most about is
ensuring that there aren't months or years worth of cards stored anywhere
which might leak out. Having a site get compromised and a few days of cards
stolen is orders of magnitude less important.

~~~
harshreality
I think the point was frustration over the disconnect between PCI rules and
reality, that there's no difference in security between self-hosting the form
action (over ssl, sending the cc info to the payment processor, and getting a
confirm that way), compared to hosting an iframe and "not touching" credit
card data. A compromised webserver means the iframe can be compromised so that
the card details do hit your server.

~~~
Ralith
There is a difference: If the data never touches your server at all, it is
impossible for you to inadvertently record it.

~~~
sp332
If the iframe that you host is compromised, you have no idea where that info
is being recorded. The fact that it doesn't touch your server doesn't ensure
that your site isn't leaking numbers.

~~~
Ralith
Certainly. But it does ensure that access to your server does not entail
access to historical numbers.

~~~
flatline3
Unless the compromise is a long-term one.

Part of what PCI attempts to address is limiting _legitimate_ access to
servers, as well as preventative measures against compromise.

I personally think that Stripe may be within the letter of the law, but not
necessarily the spirit.

------
gleb
Colin, are automatic renewal payments coming?

~~~
cperciva
Yes. I needed to get credit card processing working first before I can start
to work on storing cards to charge later.

~~~
SoftwareMaven
The Stripe API for this was marvelously simple to work with. All told, I had
around 20-25 lines of code for dealing with subscriptions.

~~~
cperciva
Yes, the work needed is on Tarsnap's side, not the Stripe-interfacing bits. I
need to attach Stripe IDs to accounts, find out when and how much people want
their accounts to be automatically recharged (and store those parameters),
write code which checks each account to see if it needs to be recharged, etc.

~~~
weaksauce
This is welcome news. I like tarsnap but really don't like the possibility of
losing all my tarsnap backups because I am not around to recharge it within
the small window. I might be out on an mountaineering trip and be away from
the email alert or something else like that.

------
withjive
This means Stripe is coming to Canada _very soon_. I'm ecstatic!

