
Create card token in Stripe via Java


I want to use Stripe.com on the server side. When I try to create a card token via

curl https://api.stripe.com/v1/tokens \
   -u sk_test_qMabFX3j5ApELqUH8mEy6NDp: \
   -d card[number]=4242424242424242 \
   -d card[exp_month]=12 \
   -d card[exp_year]=2019 \
   -d card[cvc]=123

or via

import com.stripe.Stripe;
import com.stripe.model.Token;
import java.util.HashMap;
import java.util.Map;

Stripe.apiKey = "sk_test_qMabFX3j5ApELqUH8mEy6NDp";

// Card details are assembled on the server and sent to the tokens endpoint.
Map<String, Object> tokenParams = new HashMap<String, Object>();
Map<String, Object> cardParams = new HashMap<String, Object>();
cardParams.put("number", "4242424242424242");
cardParams.put("exp_month", 6);
cardParams.put("exp_year", 2019);
cardParams.put("cvc", "314");
tokenParams.put("card", cardParams);

Token.create(tokenParams);

I see the message in my dashboard: "We saw nnn requests in the last m days with raw credit card numbers"

My questions are: 1) Can I safely use the Java API to create a card token? If yes, how can I avoid such messages? 2) Or do I have to use Stripe Elements and one of their scripts for this?


Solution

  • If you create card tokens server-side in Java, this means that your servers received raw card details. Even if you don't save the information in your database, you still fall under a higher level of PCI compliance which would be a lot of work to comply with.

    Instead, you should tokenize client-side, using Elements or Checkout. This would let you create a card token securely client-side and then send that token to your server. This would also let you fall under SAQ-A which is the easiest level for PCI compliance. You can read more about the differences in Stripe's docs here.
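
The server side of the flow described in the answer, as an added example that is not part of the original post or Stripe's own code: the Java endpoint accepts only a token id created in the browser and refuses any request that still carries something shaped like a card number. The field name `stripeToken`, the token-id pattern and the class and method names are assumptions made for illustration.

```java
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: accept a client-created token, refuse raw card data. */
public class TokenOnlyGuard {
    // Assumption: the client posts the token id in a field named "stripeToken".
    static final String TOKEN_FIELD = "stripeToken";
    // Stripe token ids start with "tok_"; the tail format used here is assumed.
    static final Pattern TOKEN_ID = Pattern.compile("tok_[A-Za-z0-9]{8,}");

    /** Luhn check over 13-19 digits (spaces and dashes ignored): flags likely card numbers. */
    static boolean looksLikeCardNumber(String value) {
        if (value == null) return false;
        String digits = value.replaceAll("[ -]", "");
        if (!digits.matches("\\d{13,19}")) return false;
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    /** Returns the token id, or throws if the form carries card data or no valid token. */
    static String requireToken(Map<String, String> form) {
        for (Map.Entry<String, String> e : form.entrySet()) {
            if (looksLikeCardNumber(e.getValue())) {
                // Report the field name only; never log or echo the value.
                throw new IllegalArgumentException("raw card number in field: " + e.getKey());
            }
        }
        String token = form.get(TOKEN_FIELD);
        if (token == null || !TOKEN_ID.matcher(token).matches()) {
            throw new IllegalArgumentException("missing or malformed token");
        }
        return token;
    }

    public static void main(String[] args) {
        // Constructed sample requests (Map.of needs Java 9+).
        System.out.println(requireToken(Map.of(TOKEN_FIELD, "tok_EXAMPLE12345")));
        try {
            requireToken(Map.of("number", "4242 4242 4242 4242", "cvc", "123"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

A rejection here means a client form is still submitting card fields to your server, so the fix belongs in the page markup rather than in this handler.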