The http://js.recurly.com/ site doesn't link to or mention recurly.com (or that it's a payment provider service) anywhere. As a result, I was pretty confused when the intro video started mentioning the "Recurly API" - I was also wondering how an open source JavaScript form library could possibly handle payments.
Suggestion: add the text "a JavaScript library for the Recurly payments API" (or equivalent) somewhere on the page!
PCI compliance is about maintaining a secure network, transmitting information securely, logging access in case of a breach, and access controls. Recurly.js minimizes your compliance scope because the sensitive data does not pass thru your network.
You are still required to maintain a secure network so that malicious code does not end up on your site. This means protecting your site from cross-site scripting. If your site is running untrusted Javascript code, your users could end up being redirected to a phishing site regardless of how you implement your order form (including linking offsite to a hosted page). As long as your server is secure, Recurly.js is secure.
The one scenario that is being pointed out here is from a malicious merchant. We work to make it easier for a merchant to be PCI compliant. If they are malicious and want to defraud their own customers, there are easier ways to post the credit card numbers straight to your server without our software.
If you're going to advertise Recurly as a secured payment product, then you need to do everything you can to prevent third parties and the merchant from peeking at your credit card form.
On any given web page, it can easily bring in 10 or more external JS libraries. So the chance of one of them getting compromised can only go higher. You need to make sure that your product can survive a cross site scripting attack.
And you need to protect your product against your own merchant because those misbehaved merchants can give your business a bad name. Let them steal their users' credit card, but just don't let them steal it from Recurly's credit card form...
You could have solved these two security issues if you spend a little more effort and put the credit card form inside Recurly owned iframe. But I guess your engineering team took a short cut. :)
First of all, the biggest concern is attack surface. If credit cards went through your server, any complex web application would have a number of locations where the CC would be logged in plaintext. In this case a compromise would not only make it possible to collect new credit cards as they are entered into the system, but also past credit cards in logs. Any of the three options: iframes, hosted pages, and recurly.js, reduce this attack surface, because credit cards never pass through your backend to be logged, and the Recurly backend being PCI level 1, clearly prevents them from ever being logged.
Now, if say your web application was vulnerable to a XSS attack on one of your payment pages, it would be just as easy to replace the iframe src, and spoof the CC processor's hosted page, as it would be to drop in some js that reads the value of input fields and tunnels them out to the attacker. On that note... even an integration as seemingly foolproof as linking to a third party hosted page is vulnerable to the same attack, by replacing the href of the link.
The takeaway is that Recurly.js removes as much of the PCI scope as we possibly could without us building and hosting your entire website. Also, watch out for XSS attacks, and don't let your server get rooted.
Yes in fact the iframe is the only way of doing it securely with the current web specs. ...and it can in fact be done almost completely seamless for the end user, with lil bit of hacking.
It's not impossible though. One method of doing that is to use the trick where an iframe can communicate with its parent document by altering the #fragment URL, which can be read by both parties. It's dirty but it works. The new HTML5 postMessage API can be used as an alternative for browsers that support it.
haha, yes that too. I was refering to secure payments where the host site can affect he layout of payments but not the secret details. Yes you can do that if being creative. :)
At Merchii we have solved this in similar fashion, but we actually don't need to care if the host site is secure or not - we take care of that too (completely secure).
You're exposing credit card number on the input field of the original publisher's HTML page. This means that the publisher can pick up the credit card number himself, or an included third party javascript library(like google analytics).
I think this is absolutely true, but my understanding is that the PCI powers-that-be are OK with it. If the credit card numbers are by design not hitting your server, you don't need an audit. Yet another reason why we've avoided doing PCI stuff.
The Recurly.js library dramatically reduces PCI compliance scope because the sensitive cardholder data does not pass thru your servers. There's a lot of additional PCI compliance issues when the credit card numbers pass thru your server, even if it only resides in memory during the request. Instead, the data is sent directly from the web browser to Recurly, who is PCI Level 1 Compliant.
Obviously, you still have to maintain a secure web server regardless of how you collect payments. That means protecting your users from cross site scripting.
Madness. Are users expected to check the DOM tree before they type their credit card details in to make sure they're sending their info to the iframe they expect to?
The rule should be: if your app has a credit card form under its own banner, the whole thing is implicated for PCI assessments. But that's not the rule.
Recurly still supports hosted payment pages in which case the merchant doesn't need SSL.
As far as I know, Recurly and Stripe are the only two processors providing JavaScript libraries to tokenize credit card information such that merchants do not handle the credit card information that suscepts them to PCI compliance.
I'm the author. I'll be sure to put a notice at the top of the readme that it requires jQuery. Also, I agree with you. The jQuery dependency will be removed eventually. It was a time saver in the short term as we do a lot of DOM manipulation.
I'm a paying recurly customer, and I think depending on jQuery is totally fine; even if we had to include jQuery on a payment page when we didn't use it anywhere else on our site, that wouldn't be any trouble.
Please, use your precious development time on more pressing issues related to making payment's even easier to accept and integrate!
This is very nicely done. I would like to see a long-form explanation from Recurly about the safety implications of this, however. Maybe it really is brilliantly bullet-proof, but please explain.
Is this accessible for audio browsers? Screen readers navigating by form elements will be pretty lost without <label>s (and WAI-ARIA attributes for rich components, but one thing at a time).
Would hate to be the site that tried to simplify their billing but got an accessibility lawsuit[1] for their troubles.
Wow, thanks for linking that lawsuit. I had no idea there was a risk of getting sued just for not setting your site up perfectly for primadonna blind persons. That's really terrifying.
What a hateful, insensitive thing to say. Obviously the National Federation of the Blind isn't going to go after just any website, they are going to go after the larger ones that should know better. Big companies should absolutely be forced to accommodate people with disabilities, I would even say that is part of what makes the United States such a great country.
I just looked and wasn't able to find it. For one, CheddarGetter looks to be a hosted provider whereas Recurly and Stripe support buyers remaining on the merchant's web pages. But the main feature I was referencing was a JavaScript library that handles credit card information so that the merchant never sees a credit card number and thus need not worry about PCI compliance. That historically has not been provided in a way that allows the payer to remain on the merchant's web page.
I think Braintree does it, kind of: "By using our Transparent Redirect (TR) and Vault, merchants can achieve PCI Compliance in days. TR and the Vault will eliminate the handling, processing or storing credit card data so you can qualify for the Self Assessment Questionnaire A, the shortest of the four SAQs."
With Recurly.js and our Transparent Post, merchants only need to fill out the Self Assessment Questionnaire A.
We launched our own Transparent Post back in March 2011. We created Recurly.js to simplify performing client-side validation, pricing calculations (w/ coupons, VAT, add-ons), and proper error handling when a transaction is declined. It's 10x easier to implement than Transparent Post, and has a much better user experience for the customer.
Thanks for spelling that out for me. As for being simple - I have begun teaching myself somewhat recently while looking for a good match w/ someone more technical. I can really only handle html & css at this point - sad I know. Anyways, this was very easy for me to setup. I've already got it going on my site w/ sandbox account.
But, going to hold off for now and just use hosted payment pages for a bit. Will likely use this in the near future though - thanks to the Recurly team.
Ok, I see, so it's a bit different from Stripe's approach which to actually Ajax the cc# to stripe's server and return a token which the merchant then uses as a proxy for thee cc in normal API calls. I think they claim to obviate the self-exam for merchants despite it being materially similar to e transparent post.
It is indeed. Recurly has really improved over time, you have been doing a great job. It is so much easier to set up subscription payments today (with a solution like Recurly) than it was 2-3 years ago. Keep up the good work!
Suggestion: add the text "a JavaScript library for the Recurly payments API" (or equivalent) somewhere on the page!