by gtaylor 5313 days ago
I guess you could say Stripe gives you the shotgun, but you have to decide whether you want to use it properly, or blow your foot off.

So basically: Be smart about what goes on your sensitive, mission-critical payment-receiving pages, as you should be. It's not extremely difficult. A little bit more responsibility in return for more flexibility.


Someone already said in this discussion that PCI compliance is a legal term :) To some degree, it is a deal between you and your QSA (or you again, if you are doing a self-assessment). I've heard about a few businesses that accept credit card numbers w/o bothering to do anything about security at all. You will need to decide for yourself the acceptable risk for your business in various "things gone bad" scenarios, and how much you want to invest in protecting against the scenarios that are bad for your business.

We've designed the WePay solution to be as secure as possible "out of the box" for both our partners and WePay. We plan to offer more customization options in the future to improve usability while keeping it simple and secure to use. Doing security right is hard. We believe that WePay can help with it and make our partners' lives easier.