Stripe vs Braintree?


TomB01


I'm building a replacement web store based on 2.3.4 (not going to try the upgrade route from 2.2).  All of the extra capability over 2.2 is exciting, but it's confusing, too.

 

I've been using simple Paypal for the last 7 years with great success, but would love to start taking credit cards.  Both Stripe and Braintree have what I'd like:

  • simple fees per transaction only, no monthly charges or other extras, and
  • credit card acceptance totally contained on my store site - no switching to another site and back again.

So, what are the advantages/disadvantages of either one?  Is there another one out there that's better given the preferences above?

 

I have noticed that Braintree is already inserting random ads on my regular web surfing, so I'm not sure I like an outfit that appears to be that aggressive with marketing.  I only visited their site once!?

Link to comment

Be careful. If the customer enters their credit card information while on your site, that means that your site must be PCI-DSS compliant. That can be quite expensive to pay for the security audits and such. It's far more than just having SSL. Check the fine print as to who is liable for any fraud or breach of security.

 

Is Braintree your host? Are they free or very low cost, and thus the ads? Do they promise that they will not put any additional ads onto your pages? I think that if you're running a money-making store, it's worth 5 to 10 dollars a month in hosting fees to not subject your customers to someone else's ads, and to have complete control over the site content. With the improved customer experience, you should make up those fees and more.

Link to comment

1. I didn't know that there were additional security standards to maintain lack of liability.  The 2.3.4 demo site simply showed the choices of credit card capability just previous to the checkout page and then had a form credit-card entry right on the checkout page. 

 

None of this was implied on the Stripe website, either.  In fact, they offer simple code examples for accessing their service.

 

It sounds like you're stating that trying to have credit-card-capability is a fool's errand unless it transfers to their site (like simple Paypal does).  Pardon my ignorance, but why would it be a security issue if the form code of an OsCommerce checkout page sends it directly to the credit card service server?

 

2. I think you misunderstood.  There are no ads on my OsCommerce store.  I simply meant that random ads on other sites that I visit - the kind based on user link history - are now showing many Braintree ads on my web browser.  I only visited the Braintree site once - that was what I meant by "aggressive marketing."  

Edited by TomB01
Link to comment

Here's a reference on the Stripe website:

 

<form action="" method="POST" id="payment-form">
  <span class="payment-errors"></span>

  <div class="form-row">
    <label>
      <span>Card Number</span>
      <input type="text" size="20" data-stripe="number"/>
    </label>
  </div>

  <div class="form-row">
    <label>
      <span>CVC</span>
      <input type="text" size="4" data-stripe="cvc"/>
    </label>
  </div>

  <div class="form-row">
    <label>
      <span>Expiration (MM/YYYY)</span>
      <input type="text" size="2" data-stripe="exp-month"/>
    </label>
    <span> / </span>
    <input type="text" size="4" data-stripe="exp-year"/>
  </div>

  <button type="submit">Submit Payment</button>
</form>

 

Fairly standard. Note how input fields representing sensitive card data (number, CVC, expiration month and year) do not have a "name" attribute. This prevents them from hitting your server when the form is submitted. We're also including a data-stripe attribute on the relevant fields, which we'll discuss later in the tutorial.

 

Your life becomes easier if sensitive cardholder data does not hit your servers. You no longer need to worry about redacting logs, encrypting cardholder details, or other burdens of PCI compliance.

With Stripe.js, you never have to handle sensitive card data. It's automatically converted to a token which you can safely send to your servers and use to charge your customers.

 

Unless I'm misinterpreting, this is all stating that you can have the form input for the credit card directly on your OsCommerce checkout page - without incurring the liability mentioned above.

Link to comment
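
The quoted point about card fields having no "name" attribute can be checked mechanically. The following is an added example, not part of the original posts and not Stripe's code: it scans checkout markup, lists the field names a browser would POST to the store, and flags any data-stripe card field that carries a name. The `stripeToken` hidden field, the `cc_number` name and both sample forms are constructed assumptions.

```javascript
// Added example: which checkout fields would the browser POST to the store?
// Controls without a non-empty name attribute are left out of form submission.

// Parse one tag's attributes into an object with lower-cased keys.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\w+/, "").replace(/\/?>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>\/]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Every input/select/textarea in the markup, as attribute objects.
function listControls(html) {
  const tags = html.match(/<(?:input|select|textarea)\b[^>]*>/gi) || [];
  return tags.map(parseAttrs);
}

// Field names that would reach the merchant server on submit.
function submittedNames(html) {
  return listControls(html)
    .filter((a) => a.name && !("disabled" in a))
    .map((a) => a.name);
}

// Card fields (marked data-stripe) that wrongly carry a name attribute.
function leakedCardFields(html) {
  return listControls(html)
    .filter((a) => "data-stripe" in a && a.name)
    .map((a) => `${a["data-stripe"]} (name="${a.name}")`);
}

// Constructed sample: the form from the post plus a hidden token field (assumed name).
const safeForm = `
<form action="" method="POST" id="payment-form">
  <input type="text" size="20" data-stripe="number"/>
  <input type="text" size="4" data-stripe="cvc"/>
  <input type="text" size="2" data-stripe="exp-month"/>
  <input type="text" size="4" data-stripe="exp-year"/>
  <input type="hidden" name="stripeToken" value="tok_constructed_example"/>
</form>`;

// Constructed sample: a template edit that adds a name to the card number field.
const unsafeForm = safeForm.replace('size="20"', 'size="20" name="cc_number"');

console.log(submittedNames(safeForm), leakedCardFields(unsafeForm));
```

A regex scan like this suits simple checkout templates; run it against the rendered page source, since add-ons can alter the form after the template is written.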

I believe you are correct; the newer PayPal modules (paid) and Authorize.net AIM seem to use this method, but I stand to be corrected on this.

 

regards

Joli

To improve is to change; to be perfect is to change often.

 

Link to comment

My understanding of the liability issues was that if the credit card information even merely passed through your server on its way to whoever handles the payment, you had to meet PCI-DSS standards (even if you stored or emailed none of the information). Maybe they've figured out a way to get around this, but I'd still be very, very careful, and get a legally binding written statement that Stripe (or whoever) accepts full responsibility for information security and indemnifies you against lawsuits. You may have to meet some requirements (such as using SSL of a certain level), but not have to meet full PCI-DSS with its expensive audits and such.

This seems to say that there's some Javascript magic under the covers to really send the POST data to a Third Party URL (Stripe). So, you are sending form data directly to the processor rather than to your own site, and thus never handle it. I can only hope it's sent under SSL. I'm not sure why the code doesn't give that URL explicitly in the action attribute -- maybe it's security through obfuscation, maybe it's a genuine innovation. I don't know -- it seems to be a fairly new technique, and so I'm still a bit leery of it.

Link to comment

PayPal Advanced/Hosted gives the illusion of the input being on your site by using an iframe solution, so the card info is directly inputted to the PayPal server while still showing in your checkout. (For US merchants this is available for 5 USD a month)

Link to comment

Now again (UK), I stand to be corrected, but PayPal Website Payments Pro - Direct Payments, as far as I can see, seems to be on the website but is not.

Actually, the first time I installed it, it was like magic: it fitted the page and took the money. I was sort of buff :wacko: How does this work??

No great install needed; it does cost, as far as I know, about £20 (UK price).

So USA, wow, $5.00 per month is a great price.

It just fits in with the payment page; everything is coming from PayPal, so nothing hosted.

I believe Authorize.net has a similar setup now.

Maybe Harald could clarify a bit; I see no PCI compliance here.

 

Regards

Joli

Edited by joli1811
To improve is to change; to be perfect is to change often.

 

Link to comment

Just had another look

You’re about to get started with a PayPal Business account for £0/month.

When you upgrade for £20 per month, you can also:

    Customise and host checkout directly on your website
    Get a merchant account and gateway from one payment provider
    Accept card payments by phone and mail order

To improve is to change; to be perfect is to change often.

 

Link to comment

It might be the 5 USD option has been discontinued for the US, I can't seem to locate it at their website anymore, it used to be available under the name PayPal Advanced.

 

PayPal hosted (pro) countries and fees outside of the US.

 

https://developer.paypal.com/docs/classic/products/website-payments-pro-hosted-solution/#availability-and-fees

Edited by toyicebear
Link to comment

2checkout now also offer a solution where the customer does not leave your site, the payment info entry is done in a pop-up.

Link to comment

  • 5 months later...

Here is some verbiage from Stripe's website concerning security and PCI standards:

 

No-hassle security & compliance

By using any of Stripe’s client libraries, such as Stripe.js for the web or the mobile APIs, you’re automatically compliant with the strictest PCI requirements.

No sensitive data hits your servers, saving you hours of security headaches.

 

 

I thought this might help you in making your decision.

 

Tim

Link to comment

Hi all

 

No experience of Braintree but I have written Stripe modules for various carts:

 

1) You should get an SSL https://stripe.com/help/ssl - their take is about half way down and my personal take is that I would not input card data on a page that was not SSL (stripe.js gets around the 'nothing hits your server' by working 100% within the clients' browsers and you should not have a name attribute on the form field)

 

2) OK - up to you on the SSL - Stripe are cheaper than PayPal but they will 'sit' on your money for 7 days before passing it onto your bank account - if that causes problems for you then bear that in mind

Link to comment