by ceejayoz 5206 days ago
Has there been any actual confirmation of that? i.e. an official ruling from the PCI standards council?

Other than the long-term storage of credit card numbers stuff, most of it focuses on security measures I'd want someone using Stripe to have implemented.

After all, if someone hacks the server, they're going to have an easy time adjusting the flow to save the CC# that's supposed to only be going to Stripe.


But on the other hand, if anyone hacks any server, they're going to have an easy time putting up a page with a form asking for credit card numbers. For example, say somebody hacked HN and added a "pay for premium membership" form that just mailed off credit card numbers to the hacker...

Just thinking out loud really, I know nothing about PCI compliance or law.

I've written more on this elsewhere, but you're generally right.

PCI compliance rules are designed to test the serious risks that can be tested.

If the credit card data doesn't pass through your servers, then it doesn't pass through your servers.

Stripe complies the same way as PayPal; it just looks different to the user.

It's also worth noting that there's a big difference between data at rest and data in motion. If your site is hacked tomorrow and starts redirecting CC info, then all of the CC info between tomorrow and the day someone stops the hack is compromised.

If CC data is stored on your server in any way -- and if it passes through your server, this may be the case even if you aren't putting it in a database -- then when someone hacks your server tomorrow, it's quite possible that all CC info entered since 2003 (or whenever you started) is compromised. That's a much greater risk.