[slexaxton]

(Stripe Developer) - tl;dr -- This claims that Stripe.js runs on the merchant's server environment, causing the server to be subject to PCI DSS. In reality, Stripe.js is served from Stripe's servers, and runs only in the browser, and this has always been the case.

[patcheudor]

In order to get Stripe.js to execute within the same origin of the merchant environment the merchant must include code like this: <script src='//stripe.com/Stripe.js> within their HTTP response. This can be modified by a criminal on the merchant server to go to <script src='//badguy.com/mystripe.js> if the merchant has not implemented proper controls as outlined in the PCI DSS. The same can happen if they implement weak crypto. At the end of the day the merchant is responsible for this PCI related component because it's executing within the context of their merchant domain.

Adding a bit more to be crystal clear here. The merchants customer will only see the address in the address bar for the merchant and will be able to validate the merchants public cert. No customer I know of would view the source to make sure that the reference to Stripe.js is in the source.

Additional edit to address Silhouette's point. Yes, an attacker can modify the <a href to go to their site as well, but unlike an embedded script the customer does have a chance to call BS and back out of the transaction after growing concerned by the domain transfer & doing a Google search to see if it's legit. They don't have any chance in the case of an embedded script. Now if we go back to my original concern, it's that merchants are being told that they simply need to implement Stripe.js & enable HTTPS. Modifying that statement to something like this would be far better:

"Stripe minimizes the scope of PCI DSS by removing the need to implement and audit security controls surrounding the transmission, processing, and storage of card-holder data. This does not; however, absolve Merchants from compliance with the PCI DSS & in order to assist with that we offer the following..."

[Silhouette]

This can be modified by a criminal on the merchant server to go to <script src='//badguy.com/mystripe.js>

And then the merchant won't be following one of Stripe's two basic rules for staying PCI DSS compliant any more, will they?

That aside, of course you want to keep your server secure. But if you can't, as a matter of practical security and protecting cardholders in the real world, how would it be any better to have your site intended to transfer entirely to a payment service on their own domain rather than just loading JS from that domain? An attacker who has compromised the security of the files on a merchant's server can change an <a href='...'> that should transfer to the payment service so it goes to a hostile site just as easily as they can change a <script src='...'> that should load JS from a payment service so it loads JS from a hostile site.