by ceejayoz
5280 days ago
Submission is only one part of the problem. A malicious script included on the same page - MITMed Facebook like buttons, poorly understood copy-paste minified code, a rogue developer - could easily access those fields and make a request to a third-party server with the credit card information as URL parameters. I'd be interested in what the PCI Council has to say about Stripe's claim that using their service absolves you of all PCI compliance requirements.
These are not covered as part of the PCI compliance requirements, as they're not compliance related - there's no way to effectively prove you have mitigated an "unknown unknown" (to quote Mr. Rumsfeld).
In Stripe's instance, YOUR servers and systems never handle or see a CC number, and so they are outside of the scope of what PCI covers. Stripe's software and servers, on the other hand, ARE covered by PCI, and it's THEIR job to be compliant, etc.
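As an added illustration of the first comment's concern (not code from either commenter or from Stripe): a small audit that inventories the scripts a checkout page loads and flags third-party scripts without Subresource Integrity and forms posting off-origin, which is the page-side exposure the PCI scope argument above leaves with the merchant. The sample page and all hostnames are constructed placeholders.

```python
# Added example: inventory the <script> and <form> tags on a checkout page.
# A third-party script without an integrity attribute can be swapped in
# transit (the MITMed like-button case) or replaced at its origin; an
# off-origin form action ships the fields somewhere other than the shop.
from html.parser import HTMLParser
from urllib.parse import urlparse


class CheckoutAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host   # hostname the checkout page is served from
        self.findings = []           # list of (issue, url) tuples

    def _is_third_party(self, url):
        host = urlparse(url).netloc  # "" for relative URLs like /js/app.js
        return bool(host) and host != self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            if self._is_third_party(a["src"]) and not a.get("integrity"):
                self.findings.append(("script-without-sri", a["src"]))
        elif tag == "form" and a.get("action"):
            if self._is_third_party(a["action"]):
                self.findings.append(("offsite-form-action", a["action"]))


def audit_checkout_page(html, page_host):
    """Return every third-party script lacking SRI and every off-origin form."""
    auditor = CheckoutAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


# Constructed sample checkout page; every hostname below is a placeholder.
SAMPLE_PAGE = """
<script src="/js/checkout.js"></script>
<script src="https://js.payments-provider.test/v1/"></script>
<script src="https://widgets.social.test/like.js"></script>
<script src="https://cdn.example.test/lib.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<form action="https://collector.third-party.test/grab">
  <input name="card_number"><input name="cvc">
</form>
"""

if __name__ == "__main__":
    for issue, url in audit_checkout_page(SAMPLE_PAGE, "shop.example.test"):
        print(f"{issue}: {url}")
```

Hosted payment scripts often cannot carry SRI because the provider updates them in place; they still belong on the inventory so the team knows which origins can read the card fields.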