[Evergreen-general] Stripe and OPAC Payments

Galen Charlton gmc at equinoxoli.org
Wed Dec 14 10:02:18 EST 2022


Hi,

You're welcome. I should also mention that one of the points of using
Stripe is ensuring that credit card numbers never pass through the
Evergreen server, thereby significantly simplifying attaining PCI
compliance. The long list of domains to allow is part of the tradeoff.

Of course, nobody can guarantee that Stripe will never get subverted
to the point where their systems distribute malware that would affect
the OPAC stations, but Stripe has every motivation to work hard to
prevent that, as that would be the sort of mistake that would cause
existential problems for their business.

Regards,

Galen

On Wed, Dec 14, 2022 at 9:55 AM John Amundson <jamundson at cwmars.org> wrote:
>
> Thanks, Galen!
>
> That is very helpful.
>
> John
>
> John Amundson | Library Applications Supervisor | CW MARS
>
> jamundson at cwmars.org | 508-755-3323 x322
>
> https://www.cwmars.org
>
> he/him/his
>
>
>
> On Wed, Dec 14, 2022 at 9:53 AM Galen Charlton <gmc at equinoxoli.org> wrote:
>>
>> Hi,
>>
>> On Wed, Dec 14, 2022 at 9:40 AM John Amundson via Evergreen-general <evergreen-general at list.evergreen-ils.org> wrote:
>>>
>>> We have one library that wants to allow payments on OPAC-only computers but not have them fully open to the internet. We suggested allowing the entire *.stripe.com domain through. The library was not comfortable allowing the full domain, so I suggested adding the 30 or so domain names that Stripe suggests - https://stripe.com/docs/ips.
>>
>>
>> I don't think we have, or can have, any authoritative way to suggest a subset of Stripe's own list that can be guaranteed to not break the integration (or not interfere with technical measures that Stripe takes to detect or combat credit card fraud). The most I can suggest is asking Stripe directly whether any of the domains on that list (e.g., dashboard.stripe.com) are not strictly required for the payment integration itself, as opposed to the websites that the library would need to access in order to manage their Stripe account.
>>
>> Regards,
>>
>> Galen
>> --
>> Galen Charlton
>> Implementation and IT Manager
>> Equinox Open Library Initiative
>> gmc at equinoxOLI.org
>> https://www.equinoxOLI.org
>> phone: 877-OPEN-ILS (673-6457)
>> direct: 770-709-5581



-- 
Galen Charlton
Implementation and IT Manager
Equinox Open Library Initiative
gmc at equinoxOLI.org
https://www.equinoxOLI.org
phone: 877-OPEN-ILS (673-6457)
direct: 770-709-5581

