by pc 5280 days ago
I work at Stripe.

In examples like this, is the web page containing the payment form within PCI scope?

PCI is often misunderstood, and mostly orthogonal to security itself. Overall security, and things like embedded third-party code, are obviously very important -- you can cripple your security pretty easily no matter what payment system you use if you end up having malicious JavaScript on your page -- but most of these security questions are not PCI issues. Ultimately, PCI simply tries to prevent the most common mistakes that people make when storing and transmitting card numbers.

With stripe.js, cardholder information is submitted directly to Stripe -- it never touches your server. If you use stripe.js and serve the associated form over SSL, Stripe handles PCI compliance for you -- you don't have to do anything else.

If you don't use stripe.js, and have card details traverse your server, then you're within the scope of PCI, and will probably have to fill out a PCI "self-assessment questionnaire".

The no-JavaScript point is a good one. We recommend (see https://stripe.com/docs/tutorials/forms) that you omit the "name" attribute on form elements in order to prevent them from being included if the form is submitted.
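A worked illustration of the point about omitting `name` attributes, added here as an example; it is not code from the comment above or from Stripe's own library. It models the browser's native form-submission rule (only enabled controls with a non-empty `name` are put in the request body) against a constructed checkout form whose card controls carry only a hypothetical `dataStripe` marker and no `name`, and shows that a JS-inserted hidden `stripeToken` field (an assumed field name) is the only card-related value that ever reaches the server, even if the script fails and the form posts natively.

```javascript
// Added example (not from the HN comment or Stripe). Models how a browser
// builds the body of a native, non-JavaScript form submit: only enabled
// controls that have a non-empty `name` attribute are included. Card fields
// deliberately have no `name`, so if stripe.js never runs and the form posts
// to your server, the card number is simply not in the request.

// Stand-in for form controls (constructed objects, no DOM required to run).
function nativeSubmitBody(controls) {
  // Mirrors the HTML "constructing the form data set" rule for text inputs:
  // skip controls without a name and disabled controls.
  const entries = [];
  for (const c of controls) {
    if (!c.name || c.disabled) continue;
    entries.push([c.name, c.value]);
  }
  return entries
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Hypothetical checkout form. Card controls carry only a `dataStripe` marker
// (an assumed attribute the client-side script would read) and no `name`.
function buildCheckoutForm() {
  return [
    { name: 'email', value: 'alice@example.com' },          // constructed sample
    { dataStripe: 'number', value: '4242424242424242' },    // no name: never posted
    { dataStripe: 'cvc', value: '123' },                    // no name: never posted
    { dataStripe: 'exp-month', value: '12' },
    { dataStripe: 'exp-year', value: '2030' },
  ];
}

// What the JavaScript path does after the card has been tokenized with the
// payment provider: append a hidden token field (field name assumed here)
// and submit. That token is the only card-related value with a name.
function addTokenField(controls, token) {
  return controls.concat([{ name: 'stripeToken', type: 'hidden', value: token }]);
}

// Build-time or test-time check: refuse to ship a form in which any card
// control also has a `name`, because a native submit would then leak it.
function cardFieldsLeak(controls) {
  return controls.some((c) => Boolean(c.dataStripe) && Boolean(c.name));
}

// Stand-alone demonstration.
const form = buildCheckoutForm();
console.log('native submit body (no JS):', nativeSubmitBody(form));
console.log('after tokenization:', nativeSubmitBody(addTokenField(form, 'tok_test_123')));
console.log('card fields would leak:', cardFieldsLeak(form));
```

The check in `cardFieldsLeak` is the one worth wiring into a template test: a later edit that adds `name="card_number"` for styling or autofill convenience silently pulls your server back into PCI scope, and nothing in the JavaScript path will tell you.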