I spent today comparing Stripe's and PayPal's Checkout products, and my conclusion is that Stripe seems a bit more complex than PayPal to set up, but is also more secure and encourages more secure coding. Here are a few of my notes:
PayPal's checkout uses client-side JS to specify the price of the item. This can be tampered with, and a malicious user can reduce the price and pay less. However, this is trivially easy to get going with, and they even have a button HTML generator tool. [1]
Stripe's client side just has an opaque Price ID, which is tamper-proof, but involves more setup (creating the Product/Price in the backend). [2]
With PayPal, you can verify a transaction via order ID using the Orders API, but if you want to prevent replay attacks, you need to manually track that you only ever process an order ID once. [3]
Stripe has a webhook for confirming if a transaction is successful, which naturally helps prevent replay attacks because the backend will only get a webhook event for a transaction once. [4]
PayPal does not redirect, and triggers a JavaScript callback on the same page when a transaction is successful.
Stripe triggers a redirect to a success_url if a transaction is successful.
For my application, Stripe's forcing of a redirect prevented me from cutting corners in an insecure way. I was considering using the PayPal callback to toggle CSS visibility of data that you should only get after paying, which simplified a lot of things, but would allow people to avoid paying with a bit of Web Inspector.
[1] https://developer.paypal.com/docs/checkout/integrate/#4-set-up-the-transaction
[2] https://stripe.com/docs/payments/checkout/client#generate-checkout-button
[3] https://developer.paypal.com/docs/checkout/reference/server-integration/get-transaction/#on-the-server
[4] https://stripe.com/docs/payments/checkout/client#payment-success
EDIT: Kalesh Kaladharan kindly pointed out on Twitter that PayPal does support webhooks and redirects. The docs for these features were a little harder to find, which is why I didn't come across them during my limited research time, which I think does say something about PayPal.
https://developer.paypal.com/docs/checkout/integration-features/add-webhooks/
redirect: https://developer.paypal.com/docs/archive/checkout/how-to/customize-flow/#
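The server-side checks the notes above call for (price taken from the server's own catalogue, each order ID processed only once), as an added example that is not part of the original post. The `order` dict is a constructed, simplified stand-in for whatever the backend gets when it looks the order up by ID; the SKU, table and function names are hypothetical.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

# Server-side price list (hypothetical SKU): the browser never supplies the amount.
CATALOG = {"ebook": (Decimal("19.00"), "USD")}


def open_store(path=":memory:"):
    """Open the table that records every order ID already fulfilled."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS processed_orders ("
        "order_id TEXT PRIMARY KEY, sku TEXT NOT NULL)"
    )
    return db


def fulfil(db, sku, order):
    """Return (granted, reason) for an order record fetched server-side by ID.

    `order` is a constructed, simplified shape: id, status, amount, currency.
    """
    if sku not in CATALOG:
        return False, "unknown sku"
    price, currency = CATALOG[sku]
    if order.get("status") != "COMPLETED":
        return False, "not completed"
    try:
        paid = Decimal(str(order.get("amount")))
    except InvalidOperation:
        return False, "amount mismatch"
    # A price lowered in the browser shows up here as a mismatch.
    if order.get("currency") != currency or paid != price:
        return False, "amount mismatch"
    try:
        # The PRIMARY KEY makes "process once" atomic: a replayed order ID
        # fails the INSERT even if two requests race each other.
        with db:
            db.execute(
                "INSERT INTO processed_orders VALUES (?, ?)", (order["id"], sku)
            )
    except sqlite3.IntegrityError:
        return False, "order already processed"
    return True, "ok"


if __name__ == "__main__":
    store = open_store()
    sample = {"id": "ORDER-1", "status": "COMPLETED", "amount": "19.00", "currency": "USD"}
    print(fulfil(store, "ebook", sample))  # first delivery
    print(fulfil(store, "ebook", sample))  # same order ID replayed
```

The paid-for data should be returned only by the request that receives a granted result, rather than being shipped to the page and hidden with CSS.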
Hi Mark,
We have solutions to help you easily integrate Stripe and PayPal payment gateways into your ASP.NET WebForms or ASP.NET Core MVC Web Applications, please check out our demos:
I imagine PayPal has better solutions than you used (e.g. PayPal encrypted buttons, PayPal webhooks), but that kinda touches on my stumbling with PayPal. I think it has everything there and more (and the brand recognition is compelling), but it can be difficult to find exactly what you want; layers of legacy systems seem to be supported, and it becomes confusing.
The big downside of Stripe is that the user needs to enter their credit card number, while with PayPal they just need to press a button. I hope this changes with more people using Apple Pay and Google Pay (even if it will take years).
I agree, the convenience and brand recognition of PayPal is really nice.