What does the Stripe security requirements 'change' mean
Josh got this email from Stripe - what does it mean for us?
=================================================================================
Thanks again for taking the time to meet with us and discuss the CiviCRM plugin and ways that we can deepen our partnership. As we mentioned on the call, Stripe is heightening our security standards by requiring all plugin developers and merchants to use a Stripe Apps supported authentication method.
There are 2 ways CiviCRM can achieve these new security requirements: by implementing either OAuth or Restricted API key (RAK) authentication via a Stripe App, and/or migrating to standard Connect. Please review the technical onboarding guide and documentation for OAuth Apps and RAK Apps.
All plugin developers using unrestricted API keys must complete the security upgrade by June 2024 in order to avoid any impact to your plugin. Below is a high-level timeline of this deprecation:
- April ‘24 - Stripe will send a security risk notification to all merchants using non-secure plugins and will add a security flag on all non-secure plugins in the Stripe Dashboard.
- August ‘24 - Stripe will begin to deprecate the use of non-secure plugins.
Upgrading to Stripe Apps will not only help you meet these security requirements, but can also help you increase your plugin’s distribution. As part of the update, we are offering all developers a Stripe App Marketplace listing, plugin analytics dashboards, and an invitation to Stripe’s Partner Program.
In addition, the Stripe Apps marketplace and our new, more secure framework do not support legacy integrations. As such, we will require all plugins in the Stripe Apps marketplace to be on non-legacy UIs (Card Element) in order to ensure the best user and merchant experience. By implementing Stripe's Optimized Checkout Suite (payment elements, payment methods, and Link) CiviCRM can leverage our newest checkout products and drive revenue.
Please let us know once you've had a chance to review with your team. We would like to schedule a follow-up call later this week or next to help you scope your upgrades, discuss Connect revshare opportunity, and answer any technical questions.