payjp / payjp-go

We are in a migration period to the `beta` branch. Please use it instead of `master`.
MIT License

Direct token generation fails without 'X-Payjp-Direct-Token-Generate' #10

Open vibridi opened 5 years ago

vibridi commented 5 years ago

We have some calls to this method `func (t TokenService) Create(card Card) (*TokenResponse, error)` which suddenly fail with the following error:

{
  "error": {
    "code": "unsafe_credit_card_param",
    "message": "Sending credit card numbers directly to the API is generally unsafe. Use Checkout or payjp.js.",
    "param": [],
    "status": 400,
    "type": "invalid_request_error"
  }
}

This is my dependency:

[[constraint]]
  branch = "master"
  name = "github.com/payjp/payjp-go"

Unfortunately I wasn't able to really grasp your documentation because I couldn't find an English version. However, it appears that it's possible to work around this by adding the header `X-Payjp-Direct-Token-Generate: true`.

However the Go client library doesn't provide access to the http request, so I can't directly set this header. Please let me know if there's anything you can do. Thank you for your consideration.
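The post above describes the gap precisely: the library never hands back the `*http.Request`, so the only place left to set a header is the `http.Client`'s `Transport`. The following is an added example, not code from payjp-go, showing an `http.RoundTripper` wrapper that injects the header only when the process explicitly opts in, and verifies the behaviour against a local `httptest` server rather than the real API. It assumes the library (or your own code) accepts a custom `*http.Client`; the `PAYJP_DIRECT_TOKEN_TESTS` environment variable and `NewTestClient` name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// directTokenHeader is the header named in the issue; PAY.JP states it is
// intended for testing only.
const directTokenHeader = "X-Payjp-Direct-Token-Generate"

// headerInjector is an http.RoundTripper that adds the direct-token header to
// outgoing requests. It lives in the http.Client's Transport, which is the one
// hook available when a client library does not expose its requests.
type headerInjector struct {
	base    http.RoundTripper
	enabled bool
}

func (h headerInjector) RoundTrip(req *http.Request) (*http.Response, error) {
	if !h.enabled {
		return h.base.RoundTrip(req)
	}
	// Clone first: the RoundTripper contract forbids mutating the caller's request.
	r := req.Clone(req.Context())
	r.Header.Set(directTokenHeader, "true")
	return h.base.RoundTrip(r)
}

// NewTestClient returns an http.Client that injects the header only when the
// process opts in via PAYJP_DIRECT_TOKEN_TESTS=1 (assumed variable name). In
// any other environment the transport is a plain pass-through, so a production
// build cannot start sending card numbers to the API by accident.
func NewTestClient(base http.RoundTripper) *http.Client {
	if base == nil {
		base = http.DefaultTransport
	}
	enabled := os.Getenv("PAYJP_DIRECT_TOKEN_TESTS") == "1"
	return &http.Client{Transport: headerInjector{base: base, enabled: enabled}}
}

// HeaderSeenByServer posts to a local stand-in for the API and reports the
// header value the server actually received, so the wrapper can be checked
// offline without contacting PAY.JP.
func HeaderSeenByServer(enabled bool) (string, error) {
	var got string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got = r.Header.Get(directTokenHeader)
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	client := &http.Client{Transport: headerInjector{base: http.DefaultTransport, enabled: enabled}}
	resp, err := client.Post(srv.URL+"/v1/tokens", "application/x-www-form-urlencoded", nil)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return got, nil
}

func main() {
	for _, on := range []bool{false, true} {
		v, err := HeaderSeenByServer(on)
		fmt.Printf("enabled=%v header=%q err=%v\n", on, v, err)
	}
}
```

Gating the injection on an explicit environment flag keeps the header confined to the integration-test runs the thread describes; a transport that always sets it would quietly turn every environment into one that sends raw card numbers server-side.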

chris-x86-64 commented 5 years ago

Hi, I'm Christopher. I work for PAY.JP as a security engineer (but not as a translator, sorry.)

My apologies for the inconvenience. The reason we absolutely had to make this change to our server-side API is that it is soon to be required by Japanese law for online merchants to not handle credit card information by themselves, unless they are PCI DSS compliant. We announced the details the other day, however only in Japanese. http://payjp-announce.hatenablog.com/entry/2017/11/10/182738

To enable consumers to submit CC details, we now generally recommend our merchants to use our Checkout.js module, which is a JavaScript hosted at https://checkout.pay.jp/. You can include it in your website's checkout form like the following sample page: https://payjp.github.io/sample/checkout/. This provides a safe way for you to process CC information as it frees you from storing CC details on your system.

Lastly, about the X-Payjp-Direct-Token-Generate HTTP header: generally this can only be used for testing purposes. If you absolutely want to use this feature in production (which is strongly discouraged), you will need to ask us for approval by presenting us your PCI DSS compliance certificate.

Stripe has a detailed document about all of this. Comparing "Checkout/Elements" and "API Direct" described in their docs might give you a hint. https://stripe.com/docs/security#validating-pci-compliance

I hope this helps.

Christopher
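Christopher's point is that with Checkout.js the merchant backend only ever sees a token, never the card number. As an added example (not PAY.JP's code and not part of the thread), here is the server-side counterpart in Go: a handler that accepts the token from the checkout form and fails closed if anything resembling raw card data reaches it, so a mis-wired form cannot silently put the merchant into card-handling scope. The form field name `payjp-token`, the list of raw-card parameter names, and the `CheckoutHandler` name are assumptions for this example; consult the Checkout documentation for the actual field names.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
)

// tokenField is the form field assumed here to carry the Checkout.js token.
const tokenField = "payjp-token"

// rawCardFields are parameter names whose presence means the browser posted
// card details to this server instead of to PAY.JP (constructed list).
var rawCardFields = []string{"card[number]", "number", "cvc", "card[cvc]", "exp_month", "exp_year"}

var (
	ErrRawCardData  = errors.New("raw card data submitted to merchant server; refusing to process")
	ErrMissingToken = errors.New("checkout token missing from form")
)

// looksLikePAN reports whether v, after removing spaces and hyphens, is a
// 13 to 19 digit string that passes the Luhn check, i.e. a plausible card number.
func looksLikePAN(v string) bool {
	digits := strings.Map(func(r rune) rune {
		if r == ' ' || r == '-' {
			return -1
		}
		return r
	}, v)
	if len(digits) < 13 || len(digits) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ExtractToken validates a checkout submission: it returns the token only when
// no raw card data was posted, and fails closed otherwise.
func ExtractToken(form url.Values) (string, error) {
	for _, f := range rawCardFields {
		if _, present := form[f]; present {
			return "", ErrRawCardData
		}
	}
	// Also reject a card number hiding in any other field (a free-text note, a misnamed input).
	for _, vals := range form {
		for _, v := range vals {
			if looksLikePAN(v) {
				return "", ErrRawCardData
			}
		}
	}
	tok := form.Get(tokenField)
	if tok == "" {
		return "", ErrMissingToken
	}
	return tok, nil
}

// CheckoutHandler is a hypothetical merchant endpoint the Checkout form posts to.
func CheckoutHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "malformed form", http.StatusBadRequest)
		return
	}
	tok, err := ExtractToken(r.PostForm)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// tok is the only card-related value this server holds; it would be passed
	// to the server-side charge-creation call, which is outside this example.
	_ = tok
	w.WriteHeader(http.StatusOK)
}

func main() {
	http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(CheckoutHandler))
}
```

The Luhn scan is a guardrail, not a parser of card data: it exists so the request is rejected before any log line, error message or database write can capture a PAN, which is the scope reduction the tokenized flow is meant to deliver.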

vibridi commented 5 years ago

Hi Christopher, thank you for your reply. Luckily this change broke only a few of our legacy integration tests. We are not directly creating tokens in production this way. It sounds like we are using the X-Payjp-Direct-Token-Generate header just as intended.

It would be great if your Go API could somehow allow the option to set this header for retro-compatibility, though I understand that the use case is not particularly compelling.

Thank you for your time.

ghost commented 5 years ago

Hi chris-x86-64, I am a web developer. Could you answer a question for me: in a production environment, if I have approval after presenting you my PCI DSS compliance certificate, do I not need X-Payjp-Direct-Token-Generate in the header? Sorry, my English is not good. Please answer me. Thank you.