Updated Stripe Connector Rollback: What It Means for You
At FormAssembly, it is our mission to be good stewards of the data entrusted to us. With that, we are continuously working to improve our features and accessibility. The rollout of Stripe Connector improvements for SCA (Strong Customer Authentication) compliance in June 2021 was an expression of that.
However, this update made FormAssembly a target for malicious actors seeking to exploit our customers’ Stripe payment forms. To avoid any unintended harm to our customers’ businesses and reputation, our best course of action is to roll back the recent changes to our Stripe Connector immediately and work on building a better option for SCA-compliant payments. The rollback will take place today, Friday, September 3, 2021.
Why We’re Rolling Back
We recently became aware that threat actors were exploiting a public API key in the Stripe Connector to test credit cards at mass scale. Credit card testing is an unfortunate but common practice of malicious actors that we have no tolerance for when it begins to affect our customers. This issue, combined with a number of other reported issues with our updated, SCA-compliant Stripe Connector, is the reason we need to roll back.
Our initial response was to put in mitigating controls to prevent any damage and stop the malicious actors. However, we came to the conclusion that a rollback was the most reliable way to bring an end to the credit card testing. We want to stress that at no point was any data collected via FormAssembly or Stripe determined to be exposed or breached.
What This Means for You
While we rebuild the connector, the rollback means Stripe will not be an SCA-compliant option for your FormAssembly forms. If you continue to use the connector, payments from European users may be declined if their banking institution requires 3DS (3D Secure).
If you need to support SCA for your forms, there is an option to update your forms to leverage our PayPal Connector. If you are able to operate without having SCA compliance on your forms temporarily (or if SCA does not apply to you), you will not need to take any action. However, depending on your situation, you may want to relay a message to your customers that this option is temporarily disabled.
If you have an upcoming event that could be highly impacted by this change, please reach out to our support team for assistance.
We understand that rolling back features is never ideal. However, as stewards of your data, we feel strongly that this is the best decision we can make. Our product team is working hard to expedite an SCA-compliant Stripe Connector to deliver to the market. In the meantime, we recommend exploring our PayPal Connector for your SCA compliance needs.