by jtdowney 4871 days ago
One thing the article mentions that is not correct is that "there's no need to be PCI Compliant as Stripe handles this whole process for you." While it is true that Stripe bundles the merchant account, you do still need to be PCI compliant. They even say as much in their Terms of Service (section 8): "You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI-DSS) and the Payment Application Data Security Standards (PA-DSS), as applicable."

It is very dangerous to think that just because you use a service you are not responsible for PCI compliance. Any business that accepts credit card payments needs to be sure to research what its exact relationship is with PCI.

(Disclosure, I work for Braintree)


Can you give an example of what specific considerations need to be taken into account re: PCI compliance and Stripe? My understanding is that there are more stringent requirements if storing CC numbers, and using Stripe helps to shift that burden. Are there any other major non-obvious (e.g., using SSL) considerations re: PCI compliance if using Stripe to handle recurring billing?

Securing your network / software is perhaps non-obvious, and doesn't always make the lists.

Example: you're not keeping the server up to date, and someone injects JavaScript into your payment page. You could be liable.

As I understand it (admittedly not well), PCI is kind of like HIPAA/OSHA, in that there are some explicit no-no's (e.g. not using SSL, leaving patient info lying around, or not wearing hardhats) but the more important point is about maintaining a "culture of compliance".

Taking a look at https://support.stripe.com/questions/what-exactly-do-i-need-... it looks like you only need to use Stripe.js and SSL and you're OK.

Regulations are set by the card brands, not the gateways. Here are Visa's requirements for merchants that want to accept their cards:

http://usa.visa.com/merchants/risk_management/cisp_merchants...

Requirements scale with processing volume, and are generally minimal for merchants processing under 20k Visa transactions annually.

Many gateways use tokenization to dramatically reduce PCI scope for their merchants. It's fairly standard, actually. Even with tokenization, merchants have compliance obligations. The required network scans, for example, protect consumers from merchant websites being compromised ahead of the tokenization step.

Interesting. I thought you only needed PCI compliance if your server touched the card, not the front end, but it makes sense. Nevertheless, here in Spain we'll need to wait to have tokenization. There's only one gateway (unless you choose Ogone or Adyen) and hell will freeze before it innovates.

If you work with credit cards you must be PCI compliant; it's not a "you can avoid it". However, the critical thing is that there are degrees of PCI compliance. By utilizing a newer gateway you're dramatically reducing your PCI compliance scope. Most likely you'll therefore only need to complete a SAQ-A (a one-page self-assessment questionnaire). So: i) Yes, you must be PCI compliant no matter whom you use. ii) If you use a modern gateway like Stripe you'll dramatically reduce your scope around CC data and thus only need to do a SAQ-A (which you keep handy in case you're ever asked for it) to be "PCI compliant". Now the caveats here are that you don't do silly things like integrating with Stripe but then, when a customer is having trouble, taking their credit card over the phone and inputting it for them manually, etc. (now you're handling data and have expanded your scope). Avoid doing things like that and the SAQ-A will work.

Could you expand on this? I was under the assumption that with Stripe you could circumvent PCI compliance almost completely. I thought that you only need to comply with PCI if your SERVER touched the credit card data in any way (i.e. capturing the info from your frontend and sending it to your payment gateway) and that, as with Stripe your server never sees it (their JS sends the info to Stripe's servers directly), you are OK.

In fact in their site https://support.stripe.com/questions/what-exactly-do-i-need-... they state

"As for the explicit requirements you need to meet PCI compliance requirements:

* When accepting payments using Stripe, you have to use Stripe.js
* Serve your payment page over SSL"

The commenter is technically correct in that every merchant does need to be "PCI compliant". But I can see how that, coming from a competitor, may look unseemly in this context. What the OP probably means is that Stripe takes out a great deal of the pain and money of becoming compliant.
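
The two cautions above, that the merchant server should only ever see a gateway token and that keying a card number taken over the phone into your own system pulls you back into scope, can be enforced rather than just hoped for. What follows is an added example, not code from the thread, from Stripe or from Braintree: a Node/Express-style guard (the `req.body`, `res.status().json()` and `next()` shapes are assumed) that scans incoming request bodies for Luhn-valid card numbers and rejects the request, logging only a masked form. The sample request bodies and the debug log line are constructed for the example.

```javascript
// Added example (not from the thread, Stripe or Braintree): a merchant-side guard
// that detects primary account numbers (PANs) reaching a server that is only
// supposed to receive gateway tokens. A hit means cardholder data is being
// handled and the reduced SAQ-A scope discussed above no longer applies.

// Luhn check over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
// dashes, and not part of a longer digit run (lookbehind/lookahead).
const CANDIDATE = /(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/g;

// Mask so the detector itself never emits a full PAN: the first six and last
// four digits are what PCI DSS permits to be displayed.
function mask(digits) {
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Return every Luhn-valid candidate in a string, masked, with its offset.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push({ index: m.index, masked: mask(digits) });
    }
  }
  return hits;
}

// Walk a parsed JSON/form body and report the path of every field carrying a PAN.
function scanBody(value, path = '') {
  if (typeof value === 'number') value = String(value);
  if (typeof value === 'string') {
    return findPans(value).map((h) => ({ path, masked: h.masked }));
  }
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => scanBody(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === 'object') {
    return Object.entries(value).flatMap(([k, v]) =>
      scanBody(v, path ? `${path}.${k}` : k));
  }
  return [];
}

// Express-style middleware (assumed shape: req.body already parsed,
// res.status().json(), next()). Rejects the request before any handler, and
// therefore any log line or database row, can see the card number.
function rejectCardData(req, res, next) {
  const hits = scanBody(req.body || {});
  if (hits.length === 0) return next();
  console.error('cardholder data reached merchant server:', hits);
  return res.status(400).json({ error: 'card data must be tokenized client-side' });
}

// Constructed sample inputs for a stand-alone run. The card numbers are the
// well-known public test numbers, not real cards.
const tokenOnlyBody = { stripeToken: 'tok_visa', amount: 1999, order: 'order 1234567890123' };
const phoneOrderBody = { customer: { name: 'J. Doe' }, cardNumber: '4242 4242 4242 4242', exp: '12/26' };
const debugLogLine = 'POST /charge body=card=4111111111111111&cvc=123';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scanBody(tokenOnlyBody));   // []
  console.log(scanBody(phoneOrderBody));  // [{ path: 'cardNumber', masked: '424242******4242' }]
  console.log(findPans(debugLogLine));    // [{ index: 23, masked: '411111******1111' }]
}
```

Running the same `findPans` scan over application logs catches the other common way card data creeps into scope: a debug logger that dumps raw form posts. A Luhn match is a heuristic, not proof; some 13 to 19 digit order or tracking numbers will pass it, so treat a hit as something to investigate rather than as a confirmed breach.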