In Stripe's official examples the credit card form elements don't have names, so they don't get submitted. According to them, the only thing you need to do for PCI compliance is use stripe.js in the browser over HTTPS.
Which is actually crazy, because if I were to design a malicious ad that gets included on the page where you have your Stripe form, it would be as easy for me to extract the values the user has entered as it will be for stripe.js.
So - even if PCI compliance doesn't require it, I would make sure that the page that the form is on doesn't have any JS dependency that is hosted on a server I don't control.
Longer term, it would probably be wise for Stripe to host the form in an iframe.
A malicious script included on the same page - MITMed Facebook like buttons, poorly understood copy-paste minified code, a rogue developer - could easily access those fields and make a request to a third-party server with the credit card information as URL parameters.
I'd be interested in what the PCI Council has to say about Stripe's claim that using their service absolves you of all PCI compliance requirements.
There are an effectively unlimited number of potential vulnerabilities in every possible way to accept payment over the Internet.
These are not covered as part of the PCI compliance requirements, as they're not compliance related - there's no way to effectively prove you have mitigated an "unknown unknown" (to quote Mr. Rumsfeld).
In Stripe's instance, YOUR servers and systems never handle or see a CC number, and so they are outside of the scope of what PCI covers. Stripe's software and servers, on the other hand, ARE covered by PCI, and it's THEIR job to be compliant, etc.
> These are not covered as part of the PCI compliance requirements, as they're not compliance related - there's no way to effectively prove you have mitigated an "unknown unknown" (to quote Mr. Rumsfeld).
PCI's reasoning behind requirements to prevent cross-site-scripting and similar attacks aren't really "unknown unknowns".
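The mitigation raised in the thread (no third-party JS on the checkout page, let the browser enforce it) as an added example that is not from any commenter or from Stripe: a Node.js audit of a page's script tags against an allowlist of origins you control, plus the matching Content-Security-Policy header. It assumes stripe.js is served from https://js.stripe.com and uses a constructed sample page with a placeholder ad-network host.

```javascript
// Added example, not code from the thread. Audit <script> tags on a checkout
// page against an allowlist of origins, and build a CSP that enforces it.
// Assumption: stripe.js is loaded from https://js.stripe.com.

const SCRIPT_TAG = /<script\b[^>]*>/gi;
const SRC_ATTR = /\ssrc\s*=\s*["']?([^"'\s>]+)/i;

// Origin (scheme://host[:port]) of a script URL resolved against the page
// origin, so protocol-relative and relative URLs are handled; null if unparsable.
function scriptOrigin(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch (_) {
    return null;
  }
}

// External scripts from origins outside the allowlist are reported as foreign.
// Inline scripts are counted separately: they have no origin to vet, so a
// reviewer must read them (pasted minified snippets included).
function auditScriptSources(html, pageOrigin, allowedOrigins) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const result = { foreign: [], inlineCount: 0 };
  for (const tag of html.match(SCRIPT_TAG) || []) {
    const m = tag.match(SRC_ATTR);
    if (!m) { result.inlineCount += 1; continue; }
    const origin = scriptOrigin(m[1], pageOrigin);
    if (origin === null || !allowed.has(origin)) result.foreign.push(m[1]);
  }
  return result;
}

// CSP header value that makes the browser enforce the same allowlist: only
// scripts and frames from the page itself and the listed origins load, inline
// scripts are blocked, and the form can only post back to the page's origin.
function buildCspHeader(allowedOrigins) {
  const srcs = ["'self'", ...allowedOrigins].join(' ');
  return `default-src 'self'; script-src ${srcs}; frame-src ${srcs}; form-action 'self'`;
}

// Constructed sample checkout page: stripe.js, an ad tag and an inline script.
const SAMPLE_HTML = `
<html><body>
<script src="https://js.stripe.com/v2/"></script>
<script src="//ads.example-network.invalid/tag.js"></script>
<script>var x = 1;</script>
</body></html>`;
```

Run the audit in CI against the rendered checkout page; anything in `foreign` is a script that can read the card fields just as stripe.js can.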