by dave_sullivan 4871 days ago
Can you give an example of what specific considerations need to be taken into account re: PCI compliance and Stripe? My understanding is that there are more stringent requirements if storing CC numbers, and using Stripe helps to shift that burden. Are there any other major non-obvious (e.g., using SSL) considerations re: PCI compliance if using Stripe to handle recurring billing?
2 comments

Securing your network / software is perhaps non-obvious, and doesn't always make the lists.

Example: you're not keeping the server up to date, and someone injects JavaScript into your payment page. You could be liable.

As I understand it (admittedly not well), PCI is kind of like HIPAA/OSHA, in that there are some explicit no-nos (e.g. not using SSL, leaving patient info lying around, or not wearing hardhats) but the more important point is about maintaining a "culture of compliance".

Taking a look at https://support.stripe.com/questions/what-exactly-do-i-need-... it looks like you only need to use Stripe.js and SSL and you're ok.

Regulations are set by the card brands, not the gateways. Here are Visa's requirements for merchants that want to accept their cards:

http://usa.visa.com/merchants/risk_management/cisp_merchants...

Requirements scale with processing volume, and are generally minimal for merchants processing under 20k Visa transactions annually.

Many gateways use tokenization to dramatically reduce PCI scope for their merchants. It's fairly standard, actually. Even with tokenization, merchants have compliance obligations. The required network scans, for example, protect consumers from merchant websites being compromised ahead of the tokenization step.

Interesting. I thought you only needed PCI compliance if your server touched the card, not the front end, but it makes sense. Nevertheless here in Spain we'll need to wait to have tokenization. There's only one gateway - unless you choose Ogone or Adyen - and hell will freeze before it innovates.
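The two points the thread keeps circling back to are (a) with tokenization the merchant server should only ever receive a gateway token, never the card number, and (b) the payment page itself still has to be protected against injected scripts, because a compromised front end defeats the tokenization step. The snippet below is an added illustration written for this thread, not code from Stripe or from any of the commenters. It shows a server-side guard that rejects a checkout POST if tokenization evidently did not happen (a card-number-like value reached the server) and a Content-Security-Policy for the payment page that only allows scripts from the merchant's own origin and the gateway's script host. The field name `stripeToken`, the `tok_` token shape, and the `js.stripe.com` / `api.stripe.com` origins are assumptions taken from Stripe's classic integration pattern; check them against the gateway's current documentation before relying on them.

```python
import re
from typing import Dict, List

# Assumed names/shapes from Stripe's classic integration pattern (verify
# against current gateway docs; other gateways use different conventions).
TOKEN_FIELD = "stripeToken"
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]+$")
# A run of 13-19 digits, optionally separated by spaces or dashes.
DIGIT_RUN_RE = re.compile(r"(?:\d[ -]?){13,19}")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains something shaped like a primary account number."""
    for match in DIGIT_RUN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def classify_payment_post(form: Dict[str, str]) -> Dict[str, object]:
    """Decide whether a checkout POST may be processed.

    ok is True only when a well-formed token is present and no other field
    carries a card-number-like value. A PAN arriving here means browser-side
    tokenization did not happen (script blocked, page altered, or a form
    field wired straight to the server); such a request should be rejected
    and logged, not processed, because storing or even logging it would pull
    the server into PCI scope.
    """
    problems: List[str] = []
    token = form.get(TOKEN_FIELD, "")
    if not TOKEN_RE.match(token):
        problems.append("missing or malformed token")
    for name, value in form.items():
        if name != TOKEN_FIELD and looks_like_pan(value):
            # Report only the field name: never echo the suspected PAN into logs.
            problems.append(f"card-number-like value in field '{name}'")
    return {"ok": not problems, "problems": problems}


def payment_page_headers(
    script_origin: str = "https://js.stripe.com",   # assumed gateway script host
    api_origin: str = "https://api.stripe.com",     # assumed gateway API host
) -> Dict[str, str]:
    """Response headers for the checkout page (assumed values; adapt to your stack).

    The CSP limits executable script to the merchant's own origin plus the
    gateway's script host, which is the control the thread's 'someone injects
    JavaScript into your payment page' scenario is missing. HSTS backs up the
    'must use SSL' requirement the commenters mention.
    """
    csp = (
        "default-src 'self'; "
        f"script-src 'self' {script_origin}; "
        f"connect-src 'self' {api_origin}; "
        f"frame-src {script_origin}; "
        "object-src 'none'; base-uri 'self'; form-action 'self'"
    )
    return {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


if __name__ == "__main__":
    # Constructed sample requests: a healthy tokenized post and a broken one
    # where the raw card number (Stripe's public test number) reached the server.
    good = {"stripeToken": "tok_abc123", "email": "buyer@example.com", "amount": "1999"}
    bad = {"card_number": "4242 4242 4242 4242", "cvc": "123"}
    print(classify_payment_post(good))
    print(classify_payment_post(bad))
    for k, v in payment_page_headers().items():
        print(f"{k}: {v}")
```

Note that `looks_like_pan` is a heuristic (long order or tracking numbers can occasionally pass Luhn), so it belongs at the point where a request is rejected and an alert is raised, not as a silent filter; the real control is that the server has no code path that accepts a card number at all.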