by patcheudor 4537 days ago
Alex, thank you for your response. I don't think my original observations about the wording of a support doc fall into a vulnerability disclosure. That doc has since been updated with enhanced guidance which addresses my original concern. As I think we all understand, the merchant must be responsible for ensuring the integrity and security of the HTTP response containing the reference to Stripe.js. After that they are absolved of the requirements surrounding the transmission, processing, and storage of the card data. As the PCI DSS states, they are ultimately responsible for their PCI compliance as the merchant.