Payments and SSL

Can I just check some basics, regarding self hosted:

Are any payment details (e.g. credit cards etc) ever stored locally?

(I ask because if they are, I am told an OV SSL certificate would be required (rather than the cheaper DV type).)

Are all payments processed off the local website via gateways etc, with no need for PCI compliance?

Many Thanks,

PS: I guess my question is particularly with Stripe and Braintree in mind, as I understand those payment pages are actually on the localhost, but also for any other payment methods available within Invoice Ninja.

We don’t store the full card number, we store the token provided by the payment gateway.

Thanks Hillel.

Do you, or anyone eles reading this, know if we need to be PCI compliant if only storing the token as you describe (and presumably the last few digits of the card number)?

My question really relates to what sort of SSL certificate is required. I think I see here that only uses a DV (domain validated) one rather than the OV (Organisation validated) or EV (extended validation) one, is that correct?

I am hoping I’m ok to use the cheaper DV ssl certificate to host if possible.

Also, Hillel, I am trying to see what the payment page looks like for Braintree or Stripe before setting one up. Which does your system use on the white label payment page? (or does it look the same for both).

Are all functions with both gateways the same (e.g. can you refund payments within Invoice Ninja using either gateway?

My decision then comes down to which is cheaper and faster to transfer payments to me(!)


And also if either of them say their name in the bottom of the payments page (which I don’t want).

The payment page looks the same for both.

Stripe supports ACH whereas Braintree supports PayPal.

Correct me if I’m wrong but the fields on the payment page are hosted fields from the payment gateway. Meaning all data put into there is being directly routed to the payment processor. This keeps the PCI requirements to a minimum since you only (self-hosted) store only the payment processors token (reference number). This also aids in the ability to use something like cpanel certs or let’s encrypt to make sure the site is encrypted completely without needing the expensive SSL. Obviously this depends on your use case and if you think people will care or even realize your using a free SSL cert and that the fields are hosted by the payment processor.

You can verify the above by going to the payment page and opening up developer tools in Chrome browser. Then go to “network” tab (you might need to refresh the page or hit f5). It will populate with what the site has loaded. From there look for something that said “hosted fields”. Click on it and chrome developer tools should show a preview on the right, click over to headers tab on that new section.

From the headers section you’ll see the “request URL” that will probably be your payment processor/gateway. The “remote address” will also be something different than your webserver. As a reference point look over to the file list and click on one of the loaded CC logo images and you’ll see the header matches your actual webserver (your hosting the CC logos not your payment processor).

I’m sure there is an easier way to verify this but I think people should be familiar with chrome’s very powerful developer tool in verifying and troubleshooting their site.

It depends on the gateway, they all work a bit differently.

We advise to always use an SSL certificate if you’re accepting online payments.