Migrate to Stripe Elements Implementation
Stripe have implemented a new integration method which supersedes the current Stripe.js method. The new integration is called "Elements" and is based upon hosted input methods.
A new module should be created (or the existing module re-written) to support this new implementation method.
Details are located here: https://stripe.com/docs/elements
The PCI compliance requirements of the Stripe.js implementation method have recently been increased, requiring the completion of an SAQ A-EP evaluation and increasing the costs of compliance. Switching to an Elements implementation would restore back to the simplest Pre-filled SAQ A form: https://stripe.com/docs/security
In addition Stripe have stated that the Stripe.js implementation is depreciated, however no cessation date has been set: https://stripe.com/docs/stripe.js/v2
+1 on this. This would also make it unnecessary to implement descriptive errors from this idea:
https://requests.whmcs.com/topic/display-stripe-errors-to-clients
Stripe are now asking me to complete a PCI Compliance audit as WMCS is using old Stripe API.
"Upgrade your integration for easier PCI compliance
We strongly recommend that you migrate your checkout flow to Stripe Elements, Checkout, one of our mobile libraries, or one of our partner platforms in order to minimize your PCI scope. If you upgrade, Stripe pre-fills your PCI documentation for you. With your current setup, you'll need to provide your own documentation in the next step."
Hey Richard,
WHMCS utilises the Checkout method currently that you linked to here - this is implemented in the Client and Admin area when using Stripe. The Stripe API is only used when updating the client details, and if card details are already stored in your WHMCS installation (perhaps from a previously used module).
We are investigating currently migrating to the Elements method.
Andrew
Thanks for the speedy reply Andrew.
Thank you for the update @Andrew. We too are looking forward (with great anticipation) to the Stripe Elements implementation.
+1 for this
And might be handy if this could be included into the module https://requests.whmcs.com/topic/stripe-options
+1 for Stripe Elements.
This would simplify a lot the PCI compliance process.
+1. I hope you can launch this as soon as possible as I'm in the same situation and Stripe says that it doesn't appear we're using Checkout.
+1 this will be a massive help with PCI Compliance commitments
+1 It would be useful because Stripe is now asking the SEQ-A form for PCI compliance.
+1, stripe is asking for SEQ-A..
+1 need Stripe Elements..
+1 - Definitely needed!
+1, Stripe are asking us for SEQ-A questionnaire now.
I switched from a 3rd party Stripe module for WHMCS in favour of the Stripe module supplied directly by WHMCS believe it would be better supported. I am now regretting that move!
Seriously, payment methods should be priority over other small features! Come on WHMCS Team, we know you can do this :). Everyone who uses Stripe is affected by this and we need a resolution/update asap :).
This is a badly need improvement.
WHMCS is a billing management software and Stripe is one of the most popular online payment processors. I'm sure many many companies rely on them now face the dreaded SEQ A-EP. Please make this integration a TOP level priority.
+1 Stripe are advising users to upgrade asap as stripe.js has been deprecated.
+1 This will be a non-starter for WHMCS and Stripe if this is not implemented correctly.
+1 - This is esential!
+1 We need this!
This is a must. I just finished talking to Stripe about this yesterday and they said they had not heard from WHMCS regarding this.
Need this, second time for me they are asking.
I can't believe nothing has been done since this was reported 11 months ago.
I've now reverted back to the previous Stripe add-on I was using https://mostripe.com/whmcs/checkout/
Stripe are now happy with compliance again.
I can't do recurring billing but that's not such an issue as we encourage Direct Debit payments for regular payments anyhow.
Thank you, Neil, for the link. I'll keep it in case I receive a Stripe notification about this.
I am highly disappointed with WHMCS's behavior about this, even though I really like using WHMCS.
They don't seem to realize that payment gateways are more important than other small features.
I use WHMCS, WooCommerce, aMember, Ozcart, and the last 3 always update their payment gateways. In fact, I've seen lots for various payment gateways in the last months, lots.
+1 Need this, we have changed to Mostripe module now.
We pushed this very hard through a support ticket and initially an attempt was made several times (as usual) to fob us off with the standard "it is a feature request, so open one on this portal". When told there was already one, was then told to open a thread on the community forums to which they were told that this also already existed - both of which had been around for a very long time with a reasonable amount of support. Wouldnt hold your breathe people !
Thanks havenswift-hosting for the update. We can deal with all the other feature requests being pushed behind, but if we cannot get paid properly because of this, our business cannot continue.
This is necessary in my opinion - I cannot continue to do business with some of our customers without it.
Hi all,
Thanks for your votes and comments. My main takeaway from this discussion is that the ability to process credit cards via Stripe and make charges at-will - whilst maintaining the easiest Pre-filled SAQ A compliance burden - is your main priority.
Stripe offers two solutions which are marketed to address the desires of this feature request. At this time we are reviewing both to see how well they meet these desires and judging the practicality of implementation.
Thanks for your feedback thus far, it’s helpful to distil the main aim of the change being discussed here. I can also address some of the other points raised.
I appreciate the interest in the other features that Stripe provides, we can consider these on their own merits. Please add your votes to these specific requests or open new ones as appropriate:
I feel it is important to note that work is already well underway and approaching completion on our next feature release. Therefore any changes to the Stripe integration can be expected, not in the immediate upcoming release, but likely in the next release following that. In the meantime, there are 3rd party solutions available via the WHMCS Marketplace or there are alternative gateways such as Authorize.net/EVO Accept.js Payments that do not have as strict SAQ requirements.
Thank you WHMCS John, I would like to add that it is not that Stripe imposes stricter requirements on their merchants than others, it is a requirement of PCI Compliance; in order to maintain PCI compliance at the easiest level a PCI DSS-A form is required which is only available to merchants if they use Hosted Checkout, which is what is talked about here by Steve West and others.
The purpose of Hosted Checkout is to avoid the storage of customer card data in part or whole on our respective WHMCS environments, in order to achieve a greater level of security but also for those requiring certain compliance rates (like PCI) to achieve them without hours an hours paperwork and audits that cost tens of thousands of dollars.
Thanks Kris, that was our understanding too. I've clarified the wording in my message above.
Hello @WHMCS John,
Thank you for you work on this case. I'd also like to suggest to add the 3D Secure feature which is very important for hosters to avoid payment opposition :
https://requests.whmcs.com/topic/stripe-3d-secure
This feature has been added by Stripe over one year ago and we don't have any news from WHMCS about that.
Regards,
Has any progress been made on this? This is really an essential feature for those of us who use Stripe.
I also just got a notice inside the Stripe dashboard regarding SAQ -A form.
At the moment the only way to do this is through 3rd party plugins to WHMCS. Given that many of us have migrated from 3rd party to the built in, on the belief that it's better supported, I would expect a quicker turnaround for this payment gateway change to be made.
I think we would all breath a collective sigh of relief if this could be updated sooner rather than later please!
This is Urgent. Actually, any feature request related to a popular payment gateway should be on top of your dev list.
Also, make sure to support 3D-Secure when you update this module.
What is the process to get this escalated? Please explain to management. If we can't get paid we can't pay WHMCS.
There is nothing in the MarketPlace to help with this PCI compliance issue which is To have the browser when entering in credit card send the information directly to Stripe to create a token. this keeps the cc information from ever touching our servers. And eliminating our need to complete 40 pages of documentation Once a Year. As you can see below Stipe sees that we are using Stripe.js v2 from WHMCS to request payments. see requirements below.
What is the update on this I too am receiving notices that I have "Action Needed" in my Stipe > PCI Compliance
This is what I am getting.
PCI compliance Action Needed: All businesses who accept cards need to validate PCI compliance annually.Learn more about PCI compliance
Your Stripe integration: Your integration with Stripe determines the documentation (if any) you need to provide to validate your PCI compliance. Our records show you mostly use Stripe.js v2 and Stripe's server-side APIs to collect card details.
Upgrade your integration for easier PCI compliance
We strongly recommend that you migrate your checkout flow to Stripe Elements, Checkout, one of our mobile libraries, or one of our partner platforms in order to minimize your PCI scope. If you upgrade, Stripe pre-fills your PCI documentation for you. With your current setup, you'll need to provide your own documentation in the next step.
PCI Requirements for Stripe.js v2 or SAQ A-EP
Requirement: SAQ A-EP
The PCI Security Standards Council has published a series of changes to eligibility requirements for SAQ A. These require that businesses use input fields hosted by a payments provider in order to be eligible for the simplest PCI validation method. We’ve designed both Checkout and Elements with these changes in mind so that you can continue to validate using SAQ A without losing much of the flexibility and customizability of a form hosted on your website.
You can refer to our Elements migration guide to learn how to migrate your checkout flow to Elements. If you continue to use Stripe.js v2, you’ll be required to upload your SAQ A-EP annually to prove your business is PCI compliant. As this is more complex, we recommend you work with SecurityMetrics if you require additional assistance in completing your SAQ A-EP.
Would be great if we could get an update, if this is planned or not, and possible ETA. If this is still a long time away, I need to know, so I can have my developer create our own custom payment module. It's taking too long for a simple integration like this.
Come on WHMCS.
Stop sitting on your hands.
Please implement this urgently!
What they told me via Disqus is that the Stripe upgrade is something they're looking at, *this year*, and that Stripe is one of, if not the most, popular payment gateway they have.
However, it doesn't excuse the fact that they could have resolved this last year in less than a month of us telling them the importance of this :).
I would like to thank the WHMCS team for the work they are doing on supporting Stripe, as it wasn't a first party option in the past.
I would like to also see congratulations on the 7.7 release, I am now eager to see the next one. Keep up the good work!
My hope is that in the next release a new Stripe implementation will be present, that also supports 3D Secure and the SEPA bank IBAN payment.
Obligatory update needed.
This feature request for upgrading would help us a lot.
Please consider adding 3DS as well.
You can comment and vore here https://requests.whmcs.com/topic/stripe-3d-secure
This is much needed feature, any update on when we could be seeing this hit our admins?
For those who are interested in testing a Beta Stripe Payment Gateway with Stripe.js Elements, see Stripe Payment Gateway -- Beta testers wanted
Hi,
Today I've logged into our Stripe account and have been given the following message:
Update your integration to prepare for SCA
On September 14, European regulation will mandate Strong Customer Authentication (SCA) for many online payments. When it goes into effect, a form of two-factor authentication will be required for many card payments. Unless you update your integration, your customers’ banks will decline many transactions.
It looks like not only does WHMCS need to update their Stripe integration ASAP, they also need to make sure it works with this new workflow.
https://stripe.com/gb/payments/strong-customer-authentication
We now have a deadline - What are WHMCS's plans?
Hi all,
Thanks for your continued votes and comments. I'm pleased to confirm that our Stripe module will be updated from Stripe.js v2 to Elements and Payment Intents (which is SCA-ready) in WHMCS version 7.8.
Keep an eye on https://blog.whmcs.com for pre-release announcements in the coming weeks, and how to help with pre-release testing.
Hi John,
it's Christmas in June with this announcement!
As the new Payments Intents API allows for SEPA payments, would it be possible to ask to throw that in?
Hi all,
Version 7.8 has now reached public beta, which includes this feature: https://preview.whmcs.com
The documentation for these new options has been published at https://docs.whmcs.com/Stripe#Payment_Workflow
Please join us during the pre-release testing period and provide your feedback in our dedicated beta community board: https://whmcs.community/forum/471-v78-beta-discussion/
Comments have been locked on this page!