Stripe's API supports sending both typed and swiped card data. Typed data is recorded when your customer enters their card details on your site and the data is sent to Stripe either by Stripe.js or through the Stripe API:
https://stripe.com/docs/api#create_charge
Swiped data is sent to Stripe when you have your own card reader that reads the magnetic stripe on the back of your customers' cards. The raw output of the reader can then be submitted to the Stripe API.
The magnetic stripe carries the same details that are embossed on the front of the card (card number, cardholder name, expiry) together with some additional fields (a service code and issuer-specific discretionary data), and the number and expiry are repeated across track 1 and track 2. Details of the magnetic stripe data layout can be found here:
http://en.wikipedia.org/wiki/Magnetic_stripe_card
The output of most card readers is plain ASCII text: the tracks, including their start and end sentinel characters, as shown in the example below. If your reader behaves differently, please feel free to get in touch at [email protected].
The output of the card reader is then sent to Stripe as the sub-parameter swipe_data of the card parameter. The raw string must be form-encoded like any other parameter: in the example below, %25, %5E, %2F, %3F, %3B and %3D are the encoded %, ^, /, ?, ; and = characters that delimit the two tracks. The request looks like:
POST /v1/charges:
curl https://api.stripe.com/v1/charges \
-u [STRIPE_API_KEY]: \
-d "card[swipe_data]=%25B4242424242424242%5ETESTLAST%2FTESTFIRST%5E1505201425400714000000%3F%3B4242424242424242%3D150520142547140130%3F" \
-d amount=100 \
-d currency=usd \
-d "description=Swiped card for [email protected]"
Response:
{
  "id": "ch_3zXyvXxnXrAHkY",
  "object": "charge",
  "created": 1399483858,
  "livemode": false,
  "paid": true,
  "amount": 100,
  "currency": "usd",
  "refunded": false,
  "card": {
    "id": "card_3zXye0v30jXWaU",
    "object": "card",
    "last4": "4242",
    "type": "Visa",
    "exp_month": 5,
    "exp_year": 2015,
    "fingerprint": "mmHLRwIMq5ZaaAK4",
    "customer": null,
    "country": "US",
    "name": "TESTLAST/TESTFIRST",
    "address_city": null
  },
  "captured": true,
  "balance_transaction": "txn_3zXydumMQzCbx0",
  "failure_code": null,
  "description": "Swiped card for [email protected]",
  "dispute": null,
  "metadata": {},
  "statement_description": null,
  "fee": 33,
  "fee_details": [
    {
      "amount": 33,
      "currency": "usd",
      "type": "stripe_fee",
      "description": "Stripe processing fees",
      "application": null
    }
  ],
  "amount_refunded": 0,
  "disputed": false
}
Note that the response only echoes the parsed, non-sensitive fields (last4, expiry, cardholder name); the raw track data is never returned. Currently, swipe data can only be submitted by US-based Stripe users, and only for Visa, MasterCard, American Express, Discover, and Diners Club cards.
Ordinarily, when using Stripe.js, your servers aren't involved in the storage, transmission, or processing of cardholder data. This keeps them out of scope and reduces your obligations under the Payment Card Industry Data Security Standard (PCI DSS) [1].
If you're using a card reader, however, the reader and the system it's attached to handle and transmit cardholder data before it reaches Stripe, so they are in scope and your obligations change.
Depending on how many transactions you process annually (your merchant level [2]), your requirements range from assessing your own compliance with the DSS to engaging an external Qualified Security Assessor (QSA) [3] to verify it.
If you have fewer than six million transactions annually, you'll ordinarily assess your own compliance with a Self-Assessment Questionnaire (SAQ) and have quarterly external network scans performed by an Approved Scanning Vendor (ASV) [4].
In particular, you'll need to ensure:
- You only use card readers and other payment hardware and software that have been validated against the PCI Payment Application Data Security Standard (PA-DSS).
- You do not store the magnetic stripe data. You may store parsed details of the data (if you keep the full card number, it must be protected as PCI DSS requires), but never the raw tracks, the discretionary data, or the CVV1/CVC1 they contain: that is sensitive authentication data and may not be retained after authorization, even in encrypted form.
[1] https://www.pcisecuritystandards.org/security_standards/
[2] http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp
[3] https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php
[4] https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
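The following is an added example, not Stripe's code and not taken from this page, covering two passages above: the URL-encoding of the reader output for card[swipe_data] in the curl request, and the "do not store the magnetic stripe data" rule. It takes the raw reader string behind the curl example, shows that percent-encoding it yields exactly the card[swipe_data] value shown there, parses track 1 and track 2 (ISO/IEC 7813 layout, as in the linked article), cross-checks the tracks, and keeps only the fields you are allowed to retain. The helper names, the Luhn check and the cross-track check are assumptions of the example, not anything the Stripe API does on your behalf; the sample swipe string is constructed from the page's own test card.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import quote_plus, urlencode

# Constructed sample input: the raw ASCII a reader emits for the test card used on this
# page, i.e. the card[swipe_data] value from the curl example before URL-encoding.
# Track 1: %B<PAN>^<LAST/FIRST>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
RAW_SWIPE = (
    "%B4242424242424242^TESTLAST/TESTFIRST^1505201425400714000000?"
    ";4242424242424242=150520142547140130?"
)

TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def encode_swipe_data(raw: str) -> str:
    """Percent-encode a raw reader string for the card[swipe_data] form field.
    Every track delimiter (%, ^, /, ?, ;, =) collides with URL syntax, which is why the
    curl example on this page shows %25, %5E, %2F, %3F, %3B and %3D."""
    return quote_plus(raw)


def build_charge_body(raw: str, amount: int, currency: str, description: str) -> str:
    """Full application/x-www-form-urlencoded body for POST /v1/charges (hypothetical
    helper; the data= parameter of the requests library produces the same encoding)."""
    return urlencode([("card[swipe_data]", raw), ("amount", amount),
                      ("currency", currency), ("description", description)])


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; catches most single-digit misreads before you charge."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


@dataclass(frozen=True)
class ParsedSwipe:
    pan: str = field(repr=False)  # keep the full PAN out of repr() so it cannot leak into logs
    name: Optional[str]
    exp_month: int
    exp_year: int
    service_code: str
    has_track1: bool
    has_track2: bool


@dataclass(frozen=True)
class RetainableCard:
    """The subset you may persist after authorization: no full PAN (unless you take on the
    PCI DSS storage requirements for it), and never the raw tracks, the discretionary
    data, or the CVV1/CVC1 it carries."""
    last4: str
    name: Optional[str]
    exp_month: int
    exp_year: int


def parse_swipe(raw: str) -> ParsedSwipe:
    t1, t2 = TRACK1_RE.search(raw), TRACK2_RE.search(raw)
    if not (t1 or t2):
        raise ValueError("no track 1 or track 2 data found; check the reader's output mode")
    if t1 and t2 and (t1["pan"], t1["exp"], t1["svc"]) != (t2["pan"], t2["exp"], t2["svc"]):
        # Both tracks carry the PAN, expiry and service code; a mismatch is a misread
        # (or tampering) and must not be sent on for authorization.
        raise ValueError("track 1 and track 2 disagree")
    src = t2 or t1  # some readers emit track 2 only
    if not luhn_ok(src["pan"]):
        raise ValueError("PAN fails Luhn check")
    month = int(src["exp"][2:])
    if not 1 <= month <= 12:
        raise ValueError("invalid expiry month")
    return ParsedSwipe(
        pan=src["pan"],
        name=t1["name"] if t1 else None,  # the cardholder name is only on track 1
        exp_month=month,
        exp_year=2000 + int(src["exp"][:2]),
        service_code=src["svc"],
        has_track1=t1 is not None,
        has_track2=t2 is not None,
    )


def retainable(parsed: ParsedSwipe) -> RetainableCard:
    """What may go into your own database; everything else is discarded with the raw string."""
    return RetainableCard(last4=parsed.pan[-4:], name=parsed.name,
                          exp_month=parsed.exp_month, exp_year=parsed.exp_year)
```

The raw string should live only in memory between the read and the API call: encode it, send it, and keep the RetainableCard (which matches the last4, name, exp_month and exp_year fields Stripe returns in the response above) rather than the reader output or the ParsedSwipe.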