GDPR and why we like the popup

  • Resolved jomo

    (@jonathanmoorebcsorg)


    6 years, 11 months ago

    I read and understand the reasons for breaking the modal popup by adding an extra non-functional page first. In considering an alternative, please understand what is the merchant objective here.

    – The average small vendor using free software is not employing full time IT staff to manage their security etc. The small vendor should not have to take legal responsibility for the safe storage of the credit card data and its handling according to data protection legislation.
    – The customer should not trust the small vendor with their credit card details, so should not pay using the inline credit card form which should not be “the preferred method”.

    Instead, when the customer should be presented with a paypal or stripe branded page and have confidence that they are only providing credit card data to the payment provider.

    This ties in with @gingeralfie comments on GDPR compliance and cookies – the store should not be managing the payment and related cookies etc, Stripe should be managing the payment, as is the case with paypal etc.

    Instead of the inline credit card form or the now broken modal popup flow, the third option needed (which may be legally required in Europe from May) is for the customer to transfer to a Stripe screen for payment and enter the card details there, as happens with paypal etc.

Viewing 8 replies - 1 through 8 (of 8 total)

  • Just a quick one in response: I am only using the Stripe plugin as it currently appears to be the only way to accept Apple Pay via woocommerce. This is all I want it for. I get the Paypal and Apple Pay buttons but I am not managing the payments: no credit card forms my end.

    Moreover, in my instance, Apple Pay is obviously only available on supported devices. Yet where Apple Pay is not supported, such as firefox on windows 7, my site still serves four Stripe cookies even though the button does not appear!

    As you indicate, my ideal solution would be that Stripe cookies are only set once the Apple Pay button is pressed.

    Thread Starter jomo

    (@jonathanmoorebcsorg)

    @gingeralfie
    you can suppress the stripe scripts on the product pages though that’s not a complete solution.

    Something like this though I haven’t checked the latest updates:

    
add_action('wp_enqueue_scripts', 'dequeue_scripts', 1000);
function dequeue_scripts()
{
    if (is_woocommerce_activated()){            
	if ( ! is_cart() && ! is_checkout() && ! isset( $_GET['pay_for_order'] ) && ! is_add_payment_method_page() ) {
            wp_dequeue_script('stripe');
            wp_dequeue_script('woocommerce_stripe');
            wp_dequeue_script('woocommerce_stripe_apple_pay_single');
            wp_dequeue_style('stripe_apple_pay');                        
        }
    }
}
    Plugin Contributor royho

    (@royho)

    @jonathanmoorebcsorg – that is the wrong assumption. The new technology IS the inline/embedded CC fields and is hosted on Stripe’s server. No CC data ever touches your site and therefore has PCI liability shift. Please read more about it here https://stripe.com/elements

    Thread Starter jomo

    (@jonathanmoorebcsorg)

    gosh yes it is an iframe, or even 3 iframes. Wow. That’s good.

    There’s no obvious visual indication that would give the customer a clue that that is the case – I guess one can try to clarify in the payment description, but it might be nice to have the option of a stripe logo and branding around that area of the form.
    Since it appears as one form with one button which submits all the data, and since it is presumably waiting for woocommerce to validate the order details before submitting the payment, it is natural to assume that all the data is sent to the same website.

    Plugin Contributor royho

    (@royho)

    @jonathanmoorebcsorg – that assumption would only be true if all your purchasing customers are developers or highly tech savvy. Most would not even know what Stripe is. And the user experience people usually expect is for the form to be on your site and not be redirected to another page OR a popup which is actually quite scary as you don’t really know if that popup is an injection or not..etc.

    • This reply was modified 6 years, 11 months ago by royho.

    @jonathanmoorebcsorg Thanks. Tried in different places on functions.php but couldn’t make it work. A bit beyond me to alter the code

    @royho Agree with you about people not knowing about Stripe – particularly so, here in the UK. As somewhat tech-savvy, I hadn’t encountered it until my need for Apple Pay

    Thread Starter jomo

    (@jonathanmoorebcsorg)

    @gingeralfie my code example was out of date, all you need is this from the documentation page:

    Can I hide the Payment Request button on the single Product page?
    You can remove the Payment Request button from the Product page with this filter: add_filter( 'wc_stripe_hide_payment_request_on_product_page', '__return_true' );
    https://docs.woocommerce.com/document/stripe/

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘GDPR and why we like the popup’ is closed to new replies.