[chris_wot]

According to Stripe, they require evidence you comply with PCI-DSS. I'm interested, did they ask you for this?

[ceejayoz]

As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.

https://support.stripe.com/questions/do-i-need-to-be-pci-com...

[nerdy]

Except this article says it is not served over SSL. There's even a huge graphic with an arrow pointing it out.

https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...

[jessedhillon]

That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.

[shkkmo]

The last four digits are still plenty sensitive enough to make serving them over http blatantly irresponsible.

[chris_wot]

It's not just that - it allows you to update your credit card over unencrypted http.

[ceejayoz]

Yes. That's a problem, certainly. I'm just pointing out that Stripe's "are you PCI compliant" process is pretty low-key.