by count 5280 days ago
There are an effectively unlimited number of potential vulnerabilities in every possible way to accept payment over the Internet.

These are not covered as part of the PCI compliance requirements, as they're not compliance related - there's no way to effectively prove you have mitigated an "unknown unknown" (to quote Mr. Rumsfeld).

In Stripe's instance, YOUR servers and systems never handle or see a CC number, and so they are outside of the scope of what PCI covers. Stripe's software and servers, on the other hand, ARE covered by PCI, and it's THEIR job to be compliant, etc.


> These are not covered as part of the PCI compliance requirements, as they're not compliance related - there's no way to effectively prove you have mitigated an "unknown unknown" (to quote Mr. Rumsfeld).

PCI's reasoning behind requirements to prevent cross-site scripting and similar attacks is that they aren't really "unknown unknowns".