#stripe

a bunch being the players? or the transactions

it's a free to play video game. it's kind of the nature of the beast

transactions

anywhere from 1 to 20 transactions

i actually work for http://www.kongregate.com

Ah... so you know the deal :)

My buddies have a mobile game with you

our solution is to have players pre-load their account

oh yeah?

which game?

Synapse

Tyrant Unleashed

ah, tyrant

good game. not my thing, but it's a powerhouse

anyway

They are champs

the least friction way to do that is to maybe do it how apple does it

although you know i don't know if authorized charges show on a card

you could just authorize a big amount on their first purchase of the day and then as long as their total amount doesn't go over that, just capture what they purchased

ya'll around stripebros?

I've certainly never see an authorization on my card

zrail: any thoughts on capping players at 100 a day

that depends entirely on your business

kong has spending caps like that for sure

i don't think i can tell you what ours are, and they change based on player history anyway

I'm thinking maybe first charge, we authorize $20, assume they're good up to 100, and roll them dice

definitely seems like a workable first draft

ha, k thanks for the help

are you devops at kongregate?

jsonperl: no, i'm a developer

What's the requirements to be PCI compliant while doing everything through the API instead of Stripe.js ?

depends entirely on how your integration is structured, but this may be helpful Killswitch http://www.pcicomplianceguide.org/pcifaqs.php#5

zrail: I'm not sure what you mean by that.

there's no general answer to your question. you need to be PCI compliant, and depending on how big your transaction volume is you'll need to do a self survey or get an actual auditor

and there are general requirements, as well as merchant-type-specific requirements

zrail: well what's the difference between using Stripe.js vs just doing it all through the API?

if you use stripe.js card numbers never hit your server

meaning your compliance requirements are *significantly* easier to deal with

Basically we're having issues where stripe is blocked by our customers company filters so they are getting errors when trying to checkout because stripe.js is failing, so we have to find a workaround and doing all through the API server side is our only option

that sucks

Yeah

because it's a significant burden to add when card numbers hit your server

is there any way to get your customers' companies to whitelist stripe.com?

Doubt it.

why would they ever block that?

Keywords.

...

I don't know, I can't call every business a customer of ours works at who tries to buy our products from their internet and ask why Stripe is blocked. :P

right

but if you are forced to have them enter CC on your site, you'll have to be PCI compliant

so what is more, the income from them, or the cost of PCI complaince?

So our only work around that I can think of is 2 things. Either go strictly through the API serverside, or find a payment processor who isn't being blocked by our customers employment filters.

they should be able to change the filter...

We can't tell them what to do.

And their income is more important to us considering our business is built on them buying stuff from us.

"my app requires that you be able to hit stripe.com"

then you need to become PCI complaint..

compliant*

Exactly, and that's what I was asking, what do we need to do to be completely compliant using Stripe on our server... Heh.

also, you said "keywords"

...what keyword? like in the domain?

I don't know.

because it is Https, they shouldnt be reading the content

Whatever filters the company uses is blocking stripe.

webdestroya: lots of companies MITM https

thats pretty scary

i still dont understand why someone at the company cant say "hey, we are using app X at our company, IT people, can you please allow access to stripe.com"

Because that's an unreasonable request.

er

ok...

I take it you've never worked at a company that has filters and blocks on their internet that block for example Facebook.

is your application a business application?

No.

ah.

well.

Us contacting the company requesting them to unblock stripe could get us blocked. ;)

That's detrimental to OUR business.

i *have* worked with companies that do that

i worked for a school district, and i went to the head of the IT and explained what my app did, and what it needed

and they added an exception to the district filter

wait.. your app isnt a business sanctioned app?

Our app is an ecommerce app. If I knew my employees were using company internet and time to buy things online, I'd block them too. ;)

oh

well in that case, they should be used to shit like that being blocked

they can use their phone/do it at home..?

but, i still find it weird they are blocking "stripe"

since that can be used for very legitimate business things...

The problem is Stripe.js doesn't return anything so it's breaking our app because stripe.js is 403ing to them... So they don't know it's happening.

you should be able to catch that

and say "whoops looks like stripe is being blocked"

..a 403?

Yes we have to check to see if the Stripe object is defined, if not we disable our app period.

But once again, that's detrimental to our business. Processing everything through the API where our users never hits Stripe, but our app does.

can they use their phone?

or tablet?

making a mobile page to process payments would probably be much less costly than doing PCI complaince

lol yeah, sure if we want to disable our core business.. Once again, we cannot allow our users to make requests to stripe themselves. We have to do it all on our end.

There is no other options.

then it sounds like you have a solution?

what is your site?

I already had a solution. And my solution is making sure we're PCI Compliant with Stripe doing everything through the API and not use Stripe.js

its going to suck if you get PCI compliance, and the company figures out your site, and just blocks your site directly

like etsy?