- Are there any good packages for doing payments?
- Do I need SSL if I use a Paypal standard.
- Will a single domain SSl certification cover sub-domains like urlname/posts.com or just the home domain urlname.com?
I have never done payments before so.
Stripe is the way to go for me too.
As you can see the overwhelming response to what to use is Stripe. As for packages there are a number of them for stripe, however I will shamelessly recommend my stripe-sync package as its kept up to date with the stripe-node project and enables you to use the synchronous style that is inherent in Meteor.
For an answer about paypal standard and ssl see here.
To provide ssl to subdomains you will need what is known as a wild card certificate. If you purchase non wilde card certificate it will generally be issued for domain.tld and www.domain.tld but other subdomains will not verify. Hopefully all of the mess and hassle around SSL will soon be rectified by Lets Encrypt
6 Likes
for link to Letās Encrypt. Iād not seen that before - awesome news!Yes, Iām fairly excited. I canāt recall for sure but I think there was mention by @arunoda about including Letās Encrypt support in MUP
Do I need ssl with Stripe
Yes, Stripe requires you to use an encrypted connection, mostly to mitigate man in the middle attacks when transferring stripe tokens between your clients browser and your server.
Ah, stripe-sync! I knew there was an alternate package, I just forgot the name. Yes, use that. 
1 Like
Hi @copleykj
Does stripe-sync support Stripe Connect API too? Iāve tried a couple of packages mainly because I needed the āmanaged-accountsā feature and realised not all support it by default. So I used https://github.com/benjick/meteor-stripe-native in which its specifically mentioned it supports Stripe Connect.
It looks like Stripe-Sync is more comprehensive and supports all stripe methods until the latest version. Just need a confirmation. Thanks!
Yes, connect is supportedā¦ The package is 1 release behind at the moment so top level refund methods which were added in 3.7.1 are not included yet, but I should be able to get around to this today or tomorrow.
Stripe. Stripe is fantastic.
Well, who wants to put information as sensitive as their credit card information under insecure connections? I check certificates whenever I put in any level of information.
I noticed a lot of people mentioning Stripe. Iām inclined to mention Braintree Payments. Braintree is not only more robust, but they will take greater risk to make money with you.
Stripe can be more limiting depending on what you want to do. If they donāt like your business model, they will outright reject working with you - and their customer service is very poor. Even if your model is sound, they may reject it because of past failures.
If youāre doing something simple and not too āstrangeā, you should be OK with Stripe. Otherwise, they will not take the risk with you as they are severely limited by their financial partners.
Iāve seen the exact opposite from stripeā¦ Iāve found their customer service to be exemplary.
As far as them not working with you unless they like your business modelā¦ 6 months ago I had a customer that needed an application built that was adult in nature. Normally payment integration for this type of business is a nightmare and you end up using a horrible solution such as ccBill. After almost turning down the project because I didnāt want to go though that much hassle, I read through all of Stripeās terms and found nothing limiting this type of business. I suggested they apply for an account and be completely honest when filling everything out. They did just this and were accepted. Theyāve been using Stripe for several months now and have had absolutely no issues.
That Stripe is inconsistent with their customer service is further reason to not use it - Iāve had much better experience with Braintree. Dealing with businesses that are good but unpredictable can be worse than dealing with ones which are bad but predictable. Not to say Braintree is bad ā it is actually great, but more importantly, you know what you are getting.
The problem with Stripe for me is simple. If youāre going to have an API which can support 100 patterns, donāt restrict 95 of them by your compliance rules. Engineers will be inclined to come up with creative uses of the API, only to find that most of them are actually against the ārulesā. Stripe should make more of an effort with their financial partners to allow for innovate solutions.
As for your example, Iām sure their business model is simple, regardless of the fact that it involved pornography - it comes down to how money is getting transferred. The moment you try to get into network/peer-to-peer oriented āsharing economyā models, they will stonewall you - and itās very apparent. I know this from experience - Iāve been trying to use Stripe for months. My business model was too risky - not from an economic point of view, but from a compliance point of view. They have very specific deals with their financial partners, and even if they could exploit the rules to effectively engage in money-transmission, they wonāt because they are trying to play it safe with the regulations imposed by their partners and the governments, etc.
This directly goes against my own philosophy; it inhibits creative solutions which are possible, albeit risky, but can be made to be compliant.
I prefer Stripeās API to Braintreeās. Braintreeās is a bit of a head-scratcher at moments. Not to mention they were behind the times getting up to date on the latest PCI standards (SAQ A/A-EP), when you could no longer transmit credit card numbers to a server, even if via HTTPS. Stripe was the first one to implement this properly, and Braintree took quite some time to follow suit. That concerns me.
IMO, the only benefits of Braintree over Stripe:
- PayPal payments accepted
- Your first $50,000 in sales are exempt from fees
They also have Bitcoin, Apple pay and Android pay.
Both Stripe and Braintree do Apple Pay and Android Pay.
Why are we talking about PCI compliance? PCI compliance is a matter of when, not a matter of if, and anyways, Braintree is fully PCI compliant. PCI compliance is a homework set, your business model is a PhD thesis. I am not sure why the issue of PCI compliance was brought up - when I said ācomplianceā I was getting at more the legal (and perhaps political) agreements that payments processors have with their bank partners, which seems to be an orthogonal issue.
Iāve used both services and I switched to Braintree. Why? Because Stripe refused to work with me. Braintreeās API is a bit weird, I gotta concede that. Letās forget about engineering for a second.
Braintree and Stripe both have to follow rules, as they are nothing without their bank partners. This means that Braintree and Stripe can only allow you to use their API if you comply with their usage rules (determined by their bank partners). Braintreeās usage rules from my experience are lax. Stripe has negotiated pretty restrictive usage rules with the banks. There could be a ton of reasons for this. Stripe has less money (?), they donāt have the PayPal brand, etc.
Anyways, the point is that if youāre trying to be innovative when it comes to payments or your business model, Braintree is the way to go. If you need a quick payments solution and donāt plan on doing anything too involved, Stripe is suitable for that. Of course the problems of bank compliance are not visible to developers who are not doing something which is on the edge of whatās considered acceptable or legal. But when you start pushing a bit, these are very real things to worry about. Figuring out what business models are considered legal and not legal is far more complicated than something like PCI compliance, because of loopholes, how you convey your service, etc.
I spent months back-and-forth with Stripe trying to convince them that what I am doing is legal. But imagine Stripeās position. Stripe has to follow rules. The bankās rules. If they want to push the boundaries of their agreement with their bank partners, it will cost them money. Right now, Stripe does not support anything which is along the lines of āsharing economyā. Imo, something pivotal like this is far more worrisome than keeping up with some standard protocol like PCI compliance which is independent of your idea and business model.
Itās important to consider what your business model is before you decide on a payments platform as they might kick you off if it does not comply with their standardsā¦
2 Likes