Stop passing credit card info to the server in core

[kennyadsl]

Passing credit cards information (number, expiry, cvv, etc) to the server is not a good practice unless your store is PCI compliant.

Modern payment methods like Braintree or Stripe do not require this to happen. Click to see more. 💳

This is how they handle payments:

• encrypt credit card data directly in the frontend, using a key that they provide, and only they can decrypt
• return a secure token (nonce) that represents the payment authorization to the frontend
• the frontend sends this nonce to the server, which will be used to perform the credit card operations

That said, we'd like to explore removing any reference of this way of making payments, if your store is PCI compliant it would not be hard to reimplement a form and add the JS library that you prefer to reimplement this.

Proposed Solution

I'd love to keep having the solidus sandbox/demo with a credit card payment method which we would not have If we just deprecate/remove the related code.

This is the path that I'd like to implement:

• Add seeds to solidus_stripe in order to be able to add Stripe as a payment method in sample data if that gem is included in the bundle. ✅with Allow creating seeds with the install command solidus_stripe#6
• Add solidus_stripe to the sandbox & remove seeds for bogus credit card payment method
• Deprecate using the credit card code that is currently implying passing credit card data to the server, still allowing to be used by PCI compliant stores.
• Remove specs around bogus credit cards

Additional context

Also, we are having flaky specs around adding credit cards information filled by Capybara, in combination with a JS plugin (payments.js) that we use to format credit card information correctly when you type them. That PR is a dirty fix that works but raised some concerns in the Core Team since we are wasting time fixing this kind of problem around a feature that is never used in production, since gateways provide their own JS library to do the same. This should be a concern of the store itself, or the extension of that specic gateway at least.

[tvdeyen]

Thank you.

This is way overdue and also a great opportunity to refactor the payment source in something that is not a credit card.

A token/nonce l and a identifier field should be sufficient for most use cases nowadays.

[stevenheffner]

@kennyadsl How are you doing this now? I have the solidus_stripe gem installed and configured. Do I have to set a payment source class? Also, what does an example request body look like? Im trying to create a payment but the POST orders/{order number}/payments api expects a credit card number, month, year, etc. Im assuming It needs to take the place of the credit card number, but it still expects all the other values. If I set the source class to Spree::PaymentMethod::StripeCreditCard, It seems to have an issue with the parameters.