Open vibridi opened 5 years ago
Hi, I'm Christopher. I work for PAY.JP as a security engineer (but not as a translator, sorry.)
My apologies for the inconvenience. The reason we absolutely had to make this change to our server-side API is that it will soon be required by Japanese law that online merchants not handle credit card information themselves unless they are PCI DSS compliant. We announced the details the other day, however, only in Japanese. http://payjp-announce.hatenablog.com/entry/2017/11/10/182738
To enable consumers to submit CC details, we now generally recommend that our merchants use our Checkout.js module, which is a JavaScript module hosted at https://checkout.pay.jp/ . You can include it in your website's checkout form as in the following sample page: https://payjp.github.io/sample/checkout/ . This provides a safe way for you to process CC information, as it frees you from storing CC details on your system.
Lastly, about the X-Payjp-Direct-Token-Generate HTTP header: generally this can only be used for testing purposes. If you absolutely want to use this feature in production (which is strongly discouraged), you will need to ask us for approval by presenting us your PCI DSS compliance certificate.
Stripe has a detailed document about all of this. Comparing "Checkout/Elements" and "API Direct" described in their docs might give you a hint. https://stripe.com/docs/security#validating-pci-compliance
I hope this helps.
Christopher
Hi Christopher, thank you for your reply.
Luckily this change broke only a few of our legacy integration tests. We are not directly creating tokens in production this way.
It sounds like we are using the X-Payjp-Direct-Token-Generate header just as intended.
It would be great if your Go API could somehow allow the option to set this header for backward compatibility, though I understand that the use case is not particularly compelling.
Thank you for your time.
Hi chris-x86-64, I am a web developer. Could you answer a question for me: in the production environment, if I have approval by presenting you my PCI DSS compliance certificate, do I not need X-Payjp-Direct-Token-Generate in the header? Sorry, my English is not good. Please answer me. Thank you.
We have some calls to this method:

`func (t TokenService) Create(card Card) (*TokenResponse, error)`

which suddenly fail with the following error:

This is my dependency:
Unfortunately I wasn't able to really grasp your documentation because I couldn't find an English version. However, it appears that it's possible to work around this by adding the "X-Payjp-Direct-Token-Generate": "true".
However the Go client library doesn't provide access to the http request, so I can't directly set this header. Please let me know if there's anything you can do. Thank you for your consideration.
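One way to set that header from outside the client library, when the library does not expose the request, is to hand it an http.Client whose transport adds the header only behind an explicit test-only flag. This is an added example, not code from the payjp-go library or from this thread; it assumes (unverified) that the library's constructor accepts a custom *http.Client, and the server it talks to is a local constructed test server, not PAY.JP.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Header discussed in the thread; PAY.JP allows it for testing only.
const directTokenHeader = "X-Payjp-Direct-Token-Generate"

// directTokenTransport adds the header only when Enabled is true, so direct
// token generation stays an explicit, test-only opt-in rather than a default.
type directTokenTransport struct {
	Enabled bool
}

func (t *directTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if !t.Enabled {
		return http.DefaultTransport.RoundTrip(req)
	}
	r := req.Clone(req.Context()) // RoundTripper contract: never mutate the caller's request
	r.Header.Set(directTokenHeader, "true")
	return http.DefaultTransport.RoundTrip(r)
}

// NewDirectTokenClient builds the *http.Client that a library constructor
// accepting a custom client (assumed here, not verified against payjp-go)
// could be handed instead of http.DefaultClient.
func NewDirectTokenClient(enabled bool) *http.Client {
	return &http.Client{Transport: &directTokenTransport{Enabled: enabled}}
}

// headerSeenByServer posts through the client to a local constructed test
// server (not PAY.JP) and returns the header value the server received.
func headerSeenByServer(enabled bool) (string, error) {
	var got string
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		got = r.Header.Get(directTokenHeader)
	}))
	defer srv.Close()
	resp, err := NewDirectTokenClient(enabled).Post(srv.URL+"/v1/tokens", "application/x-www-form-urlencoded", nil)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return got, nil
}
```

With Enabled left false (the production default), no request carries the header, so the test-only path cannot leak into live traffic by accident.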