- Are there any good packages for doing payments?
- Do I need SSL if I use PayPal Standard?
- Will a single domain SSL certification cover sub-domains like urlname/posts.com or just the home domain urlname.com?
I have never done payments before so.
Stripe is the way to go for me too.
As you can see, the overwhelming response to what to use is Stripe. As for packages, there are a number of them for Stripe; however, I will shamelessly recommend my stripe-sync package, as it's kept up to date with the stripe-node project and enables you to use the synchronous style that is inherent in Meteor.
For an answer about PayPal Standard and SSL see here.
To provide SSL to subdomains you will need what is known as a wildcard certificate. If you purchase a non-wildcard certificate it will generally be issued for domain.tld and www.domain.tld, but other subdomains will not verify. Hopefully all of the mess and hassle around SSL will soon be rectified by Let's Encrypt.
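The certificate coverage described in the answer above, as an added example that is not part of the original thread: it runs Node's own hostname check (`tls.checkServerIdentity`) against two constructed certificates. The helper names `covers` and `report` and the certificate fields are assumptions made for illustration. A wildcard entry matches exactly one label, and the URL path plays no part in the check.

```javascript
// Added example: the certificate fields below are constructed, not taken
// from a real certificate.
const tls = require('node:tls');

// Objects in the shape Node returns from socket.getPeerCertificate().
const singleDomainCert = {
  subject: { CN: 'domain.tld' },
  subjectaltname: 'DNS:domain.tld, DNS:www.domain.tld',
};
const wildcardCert = {
  subject: { CN: 'domain.tld' },
  subjectaltname: 'DNS:*.domain.tld, DNS:domain.tld',
};

// True when Node's hostname verification accepts the certificate for the
// host part of the URL. Only the hostname is checked; the path is ignored.
function covers(cert, url) {
  const host = new URL(url).hostname;
  // checkServerIdentity returns undefined on a match, an Error otherwise.
  return tls.checkServerIdentity(host, cert) === undefined;
}

// One line per URL, marked OK or FAIL for the given certificate.
function report(cert, urls) {
  return urls.map((u) => `${covers(cert, u) ? 'OK  ' : 'FAIL'} ${u}`);
}

const urls = [
  'https://domain.tld/posts',     // a path on the home domain
  'https://www.domain.tld/',
  'https://shop.domain.tld/',     // one label below the domain
  'https://a.shop.domain.tld/',   // two labels below the domain
];

console.log('single-domain certificate');
console.log(report(singleDomainCert, urls).join('\n'));
console.log('wildcard certificate');
console.log(report(wildcardCert, urls).join('\n'));
```
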
Yes, I’m fairly excited. I can’t recall for sure but I think there was mention by @arunoda about including Let’s Encrypt support in MUP
Do I need SSL with Stripe?
Yes, Stripe requires you to use an encrypted connection, mostly to mitigate man-in-the-middle attacks when transferring Stripe tokens between your client's browser and your server.
Ah, stripe-sync! I knew there was an alternate package, I just forgot the name. Yes, use that.
Does stripe-sync support the Stripe Connect API too? I’ve tried a couple of packages, mainly because I needed the ‘managed-accounts’ feature, and realised not all support it by default. So I used https://github.com/benjick/meteor-stripe-native, in which it’s specifically mentioned that it supports Stripe Connect.
It looks like Stripe-Sync is more comprehensive and supports all stripe methods until the latest version. Just need a confirmation. Thanks!
Yes, connect is supported… The package is 1 release behind at the moment so top level refund methods which were added in 3.7.1 are not included yet, but I should be able to get around to this today or tomorrow.
Stripe. Stripe is fantastic.
Well, who wants to put information as sensitive as their credit card information under insecure connections? I check certificates whenever I put in any level of information.
I noticed a lot of people mentioning Stripe. I’m inclined to mention Braintree Payments. Braintree is not only more robust, but they will take greater risk to make money with you.
Stripe can be more limiting depending on what you want to do. If they don’t like your business model, they will outright reject working with you - and their customer service is very poor. Even if your model is sound, they may reject it because of past failures.
If you’re doing something simple and not too “strange”, you should be OK with Stripe. Otherwise, they will not take the risk with you as they are severely limited by their financial partners.
I’ve seen the exact opposite from Stripe… I’ve found their customer service to be exemplary.
As far as them not working with you unless they like your business model… 6 months ago I had a customer that needed an application built that was adult in nature. Normally payment integration for this type of business is a nightmare and you end up using a horrible solution such as ccBill. After almost turning down the project because I didn’t want to go through that much hassle, I read through all of Stripe’s terms and found nothing limiting this type of business. I suggested they apply for an account and be completely honest when filling everything out. They did just this and were accepted. They’ve been using Stripe for several months now and have had absolutely no issues.
That Stripe is inconsistent with their customer service is further reason to not use it - I’ve had much better experience with Braintree. Dealing with businesses that are good but unpredictable can be worse than dealing with ones which are bad but predictable. Not to say Braintree is bad – it is actually great, but more importantly, you know what you are getting.
The problem with Stripe for me is simple. If you’re going to have an API which can support 100 patterns, don’t restrict 95 of them by your compliance rules. Engineers will be inclined to come up with creative uses of the API, only to find that most of them are actually against the “rules”. Stripe should make more of an effort with their financial partners to allow for innovative solutions.
As for your example, I’m sure their business model is simple, regardless of the fact that it involved pornography - it comes down to how money is getting transferred. The moment you try to get into network/peer-to-peer oriented “sharing economy” models, they will stonewall you - and it’s very apparent. I know this from experience - I’ve been trying to use Stripe for months. My business model was too risky - not from an economic point of view, but from a compliance point of view. They have very specific deals with their financial partners, and even if they could exploit the rules to effectively engage in money-transmission, they won’t because they are trying to play it safe with the regulations imposed by their partners and the governments, etc.
This directly goes against my own philosophy; it inhibits creative solutions which are possible, albeit risky, but can be made to be compliant.
I prefer Stripe’s API to Braintree’s. Braintree’s is a bit of a head-scratcher at moments. Not to mention they were behind the times getting up to date on the latest PCI standards (SAQ A/A-EP), when you could no longer transmit credit card numbers to a server, even if via HTTPS. Stripe was the first one to implement this properly, and Braintree took quite some time to follow suit. That concerns me.
IMO, the only benefits of Braintree over Stripe:
They also have Bitcoin, Apple pay and Android pay.
Both Stripe and Braintree do Apple Pay and Android Pay.
Why are we talking about PCI compliance? PCI compliance is a matter of when, not a matter of if, and anyways, Braintree is fully PCI compliant. PCI compliance is a homework set, your business model is a PhD thesis. I am not sure why the issue of PCI compliance was brought up - when I said “compliance” I was getting at more the legal (and perhaps political) agreements that payments processors have with their bank partners, which seems to be an orthogonal issue.
I’ve used both services and I switched to Braintree. Why? Because Stripe refused to work with me. Braintree’s API is a bit weird, I gotta concede that. Let’s forget about engineering for a second.
Braintree and Stripe both have to follow rules, as they are nothing without their bank partners. This means that Braintree and Stripe can only allow you to use their API if you comply with their usage rules (determined by their bank partners). Braintree’s usage rules from my experience are lax. Stripe has negotiated pretty restrictive usage rules with the banks. There could be a ton of reasons for this. Stripe has less money (?), they don’t have the PayPal brand, etc.
Anyways, the point is that if you’re trying to be innovative when it comes to payments or your business model, Braintree is the way to go. If you need a quick payments solution and don’t plan on doing anything too involved, Stripe is suitable for that. Of course the problems of bank compliance are not visible to developers who are not doing something which is on the edge of what’s considered acceptable or legal. But when you start pushing a bit, these are very real things to worry about. Figuring out what business models are considered legal and not legal is far more complicated than something like PCI compliance, because of loopholes, how you convey your service, etc.
I spent months back-and-forth with Stripe trying to convince them that what I am doing is legal. But imagine Stripe’s position. Stripe has to follow rules. The bank’s rules. If they want to push the boundaries of their agreement with their bank partners, it will cost them money. Right now, Stripe does not support anything which is along the lines of “sharing economy”. Imo, something pivotal like this is far more worrisome than keeping up with some standard protocol like PCI compliance which is independent of your idea and business model.
It’s important to consider what your business model is before you decide on a payments platform as they might kick you off if it does not comply with their standards…