
Direct token generation fails without 'X-Payjp-Direct-Token-Generate' #10

Open
vibridi opened this issue Nov 30, 2018 · 3 comments

vibridi commented Nov 30, 2018

We have some calls to this method func (t TokenService) Create(card Card) (*TokenResponse, error)
which suddenly fail with the following error:

{
  "error": {
    "code": "unsafe_credit_card_param",
    "message": "Sending credit card numbers directly to the API is generally unsafe. Use Checkout or payjp.js.",
    "param": [],
    "status": 400,
    "type": "invalid_request_error"
  }
}

This is my dependency:

[[constraint]]
  branch = "master"
  name = "github.com/payjp/payjp-go"

Unfortunately I wasn't able to really grasp your documentation because I couldn't find an English version. However, it appears that it's possible to work around this by adding the header "X-Payjp-Direct-Token-Generate": "true".

However the Go client library doesn't provide access to the http request, so I can't directly set this header.
Please let me know if there's anything you can do. Thank you for your consideration.

@chris-x86-64

Hi, I'm Christopher. I work for PAY.JP as a security engineer (but not as a translator, sorry).

My apologies for the inconvenience. The reason we absolutely had to make this change to our server-side API is that it is soon to be required by Japanese law for online merchants not to handle credit card information by themselves, unless they are PCI DSS compliant. We announced the details the other day, however, only in Japanese. http://payjp-announce.hatenablog.com/entry/2017/11/10/182738

To enable consumers to submit CC details, we now generally recommend our merchants to use our Checkout.js module, which is a JavaScript library hosted at https://checkout.pay.jp/ . You can include it in your website's checkout form like the following sample page: https://payjp.github.io/sample/checkout/
This provides a safe way for you to process CC information, as it frees you from storing CC details on your system.

Lastly, about the X-Payjp-Direct-Token-Generate HTTP header: generally this can only be used for testing purposes. If you absolutely want to use this feature in production (which is strongly discouraged), you will need to ask us for approval by presenting us your PCI DSS compliance certificate.

Stripe has a detailed document about all of this. Comparing "Checkout/Elements" and "API Direct" described in their docs might give you a hint. https://stripe.com/docs/security#validating-pci-compliance

I hope this helps.

Christopher
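The thread says the Go client gives no way to set the test-only X-Payjp-Direct-Token-Generate header. The following is an added example, not code from payjp-go or from anyone in this thread: a custom http.RoundTripper that injects the header, guarded so the client can only be built with a test key, which keeps the header out of production where the server requires PCI DSS approval. It assumes the library can be given a custom *http.Client and that PAY.JP secret keys are prefixed sk_test_ / sk_live_; neither assumption comes from the thread.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DirectTokenHeader is the test-only header discussed in this issue.
const DirectTokenHeader = "X-Payjp-Direct-Token-Generate"
var ErrNotTestKey = errors.New("direct token generation is test-only; refusing for a non-test key")

// directTokenTransport wraps a RoundTripper and sets the header on every request.
type directTokenTransport struct{ base http.RoundTripper }
func (t directTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // RoundTrip must not mutate the caller's request
	r.Header.Set(DirectTokenHeader, "true")
	return t.base.RoundTrip(r)
}

// NewDirectTokenClient builds an *http.Client that adds the header, but only for a test key.
// Assumption (not from the page): PAY.JP secret keys are prefixed sk_test_ / sk_live_.
func NewDirectTokenClient(apiKey string) (*http.Client, error) {
	if !strings.HasPrefix(apiKey, "sk_test_") {
		return nil, ErrNotTestKey
	}
	return &http.Client{Transport: directTokenTransport{base: http.DefaultTransport}}, nil
}

// Probe sends one request through the guarded client to a constructed local server and
// returns the header value that server observed ("" if the request never went out).
func Probe(apiKey string) (seen string, err error) {
	c, err := NewDirectTokenClient(apiKey)
	if err != nil {
		return "", err
	}
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(DirectTokenHeader)
	}))
	defer srv.Close()
	resp, err := c.Get(srv.URL)
	if err == nil {
		resp.Body.Close()
	}
	return seen, err
}

func main() {
	fmt.Println(Probe("sk_test_constructed")) // constructed key: prints "true <nil>"
	fmt.Println(Probe("sk_live_constructed")) // constructed key: prints "" and ErrNotTestKey
}
```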


vibridi commented Nov 30, 2018

Hi Christopher, thank you for your reply.
Luckily this change broke only a few of our legacy integration tests. We are not directly creating tokens in production this way.
It sounds like we are using the X-Payjp-Direct-Token-Generate header just as intended.

It would be great if your Go API could somehow allow the option to set this header for retro-compatibility, though I understand that the use case is not particularly compelling.

Thank you for your time.


ghost commented Jul 16, 2019

Hi chris-x86-64, I am a web developer. Could you answer a question for me: in a production environment, if I have approval by presenting you my PCI DSS compliance certificate, do I not need X-Payjp-Direct-Token-Generate in the header? Sorry, my English is not good.
Please answer me. Thank you.
