If my MysQL database is stolen for example, can a thief use the Stripe customers ids to charge them?
Should I store these Ids in my database or not? Store them but encrypt them?
Thanks.
The Customer resource is a core entity within Stripe. Use it to store all of the profile, billing, and tax information required to bill a customer for subscriptions and one-off invoices.
All sensitive information coming from the account id requires your Stripe Secret Key (or that of the account, for Connect accounts). That being said, if access to those keys is compromised, having the account ids readily available just makes it that much easier for an attacker.
Just use the following line of code you will get the customer id. $customer = $stripe->customers()->create([ 'email' => $_POST['stripeEmail'], 'source' => $_POST['stripeToken'], 'plan' => trim($plan) ]); echo $customer['id'];
The customer id (cus_XXXX
) can be used to charge a customer's card but only with your account's Secret API key (sk_live_XXX
).
Someone getting their hands on your database in that situation wouldn't be able to do anything with the information unless they also stole your API keys.
It's safe to store anything that Stripe returns via the API in your own database as they wouldn't be returning those values in the first place otherwise. It's also partially covered in the documentation here about PCI compliance.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With