How to fortify Stripe Payments with Stripe Elements for PCI DSS Compliance?

In my previous article, the benefits and use cases for the Stripe Payment Intent API flow were covered. Now, I dive deeper into enhancing this custom payment flow's security using Stripe Elements. Discover how to leverage Stripe's pre-built UI components to create a secure and seamless payment experience.

Stripe Elements Overview

• Description: A set of pre-built UI components that allows you to create your own payment form with Stripe's security features.
• Features: 1. Highly customizable payment form. 2. Built-in client-side validation and formatting. 3. Supports various payment methods. 4. Provides more control over the user experience compared to Stripe Hosted Checkout.
• Complexity: Medium. Requires more coding and customization.
• Use Case: Suitable for businesses that need a custom payment form integrated into their website while still leveraging Stripe's pre-built secure components.

How Stripe Elements Assure Security and PCI/DSS Compliance

1. Usage of iframes for each secure field.
2. Tokenization
3. Secure Transmission
4. PCI Compliance
5. Security Features

Tokenized Data Flow

Tokenization is the process Stripe uses to collect sensitive card or bank account details, or personally identifiable information (PII), directly from your customers in a secure manner. A token representing this information is returned to your server to use. Use Stripe recommended payments integrations to perform this process on the client-side. This guarantees that no sensitive card data touches your server, and allows your integration to operate in a PCI-compliant way.

If you can’t use client-side tokenization, you can also create tokens using the Tokens API with either your publishable or secret API key. If your integration uses this method, you’re responsible for any PCI compliance that it might require, and you must keep your secret API key safe. Unlike with client-side tokenization, your customer’s information isn’t sent directly to Stripe, so you are responsible to handle or store it securely.

Usage of iframes in Stripe Elements

An iframe (short for inline frame) is an HTML element that allows you to embed another HTML document within the current document. This embedded document can be isolated from the parent document, providing a layer of separation that enhances security and prevents tampering.

How Stripe Elements use iframes:

1. Creation of Secure Input Fields:
2. Embedding iframes:

How iframes are isolated to prevent tampering

1. Cross-Origin Isolation:
2. Content Security Policy (CSP):
3. Isolation of Sensitive Data:
4. JavaScript Security:

Code example of using Stripe Elements to collect and tokenize card data

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Stripe Payment</title>
  <script src="https://js.stripe.com/v3/"></script>
</head>
<body>
  <form id="payment-form">
    <div id="card-element"><!-- Stripe Elements will create input fields here --></div>
    <button id="submit">Pay</button>
  </form>

  <script>
    const stripe = Stripe('your-publishable-key');
    const elements = stripe.elements();
    const cardElement = elements.create('card');
    cardElement.mount('#card-element');

    const form = document.getElementById('payment-form');
    form.addEventListener('submit', async (event) => {
      event.preventDefault();

      const { error, paymentMethod } = await stripe.createPaymentMethod({
        type: 'card',
        card: cardElement,
        billing_details: {
          name: 'Cardholder Name',
        },
      });

      if (error) {
        console.error(error);
      } else {
        // Send the paymentMethod.id to your server
        const response = await fetch('/create-payment-intent', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({ paymentMethodId: paymentMethod.id }),
        });
        const { clientSecret } = await response.json();

        // Confirm the payment on the client side
        const { error: confirmError, paymentIntent } = await stripe.confirmCardPayment(clientSecret);
        if (confirmError) {
          console.error(confirmError);
        } else if (paymentIntent.status === 'succeeded') {
          console.log('Payment succeeded');
        }
      }
    });
  </script>
</body>
</html>        

Key points of example:

• Implicit Tokenization: When you use stripe.createPaymentMethod or stripe.createToken, the card details collected by Stripe Elements are automatically tokenized under the hood and sent to Stripe’s servers securely.
• Secure Handling: Stripe Elements ensures that sensitive card details are handled securely, and the card data never touches your server, reducing your PCI DSS scope.
• Simplified Process: You do not need to call the Stripe Tokens API explicitly. The Stripe.js library takes care of the tokenization process when you create a PaymentMethod or confirm a Payment Intent.

And here is an example of how Stripe iframe code looks like after mounting to the DOM.

Conclusion

Stripe Elements uses iframes to securely collect and tokenize card details, ensuring that these details are isolated from your webpage and protected from tampering. This approach leverages the Same-Origin Policy, Content Security Policy, and robust encryption methods to provide a secure environment for handling sensitive payment information, thereby enhancing security and simplifying compliance with PCI DSS requirements.