Is there a safer way to use Stripe and ActiveMerchant together? Ruby on Rails

Question

I'm trying to use Stripe for payments in my rails app. I remember at one internship I had, we used the active merchant gem to abstract the process by using gateways. Although, at the internship, we used Authorize.net. We didn't use Stripe. For this particular application, I would like to use Stripe and ActiveMerchant together.

Looking at the documentation on the Active Merchant GitHub page, I found that I could connect to Stripe using the StripeGateway provided by the Active Merchant gem. This is how I did it:

ActiveMerchant::Billing::Base.mode = :test

# Create a new credit card object
credit_card = ActiveMerchant::Billing::CreditCard.new(
  :number     => '4242424242424242',
  :month      => '8',
  :year       => '2022',
  :first_name => 'Tobias',
  :last_name  => 'Luetke',
  :verification_value  => '123'
)

if credit_card.valid?
  gateway = ActiveMerchant::Billing::StripeGateway.new(
    login: Rails.application.credentials.development[:stripe_private_key]
  )

  # Authorize for $10 dollars (1000 cents)
  response = gateway.authorize(1000, credit_card)

  if response.success?
    # Capture the money
    gateway.capture(1000, response.authorization)
  else
    raise StandardError, response.message
  end
end

However, this is a problem. Whenever I run this, I get a strange error:

StandardError (Sending credit card numbers directly to the Stripe API is generally unsafe. We suggest you use test tokens that map to the test card you are using, see https://stripe.com/docs/testing.)

I understand that this is a security issue, but I don't understand how to ago about fixing it using Active Merchant. I tried using Stripe's documentation for ruby on rails, but the form was very simple. It only had a credit card number, expiration data, and CVC entry, as well as email. But i need a billing address as well. This is my reasoning for using Active Merchant. It's very simple to use and abstracts a lot of the fluff out while still being able to create custom forms. But, I keep getting this error here with Stripe, and I don't know how to fix it.

Any help is appreciated!

Answer 1

Using the Stripe gateway, ActiveMerchant's purchase and authorize methods should take either a card object, as you are passing above, or a token value (a string)

#   purchase(money, card_hash_or_token, { ... })

https://github.com/activemerchant/active_merchant/blob/master/lib/active_merchant/billing/gateways/stripe.rb#L96

Instead of passing raw card details, for PCI compliance reasons, you could create a token on your client-side using Stripe's Checkout or Elements libraries, pass the source/token id to your backend (it should look like tok_xxxyyyzzz or src_xxxyyyyz), and then pass that value into the second card_hash_or_token parameter of your authorize request.

response = gateway.authorize(1000, params[:stripeToken])

Answer 2

https://dashboard.stripe.com/account/integration/settings

Handle card information directly We strongly discourage passing card information directly to Stripe’s API, as it means your integration is directly handling sensitive card information. Learn more. (https://stripe.com/docs/security#validating-pci-compliance)

I'm not advising that you do this but this is how you would get ActiveMerchant to work they way you want and remove that error. It greatly increases the PCI compliance you're required to handle.

Answer 3

Not recommended but you can turn off this requirement in the Stripe Dashboard. Can be handy for testing purposes.

https://dashboard.stripe.com/settings/integration