undefined | Better HN

0 pointsgauravk9214y ago0 comments

Stripe does this really well using a js lib. The sensitive data thus never hits your servers and it's a much better experience for devs who don't want/have to deal with PCI compliance.

0 comments

ceejayoz14y ago

I'm not convinced using Stripe or similar services gets you out of PCI compliance.

The vast majority of PCI compliance requirements - those relating to server security - would seem to still apply. If someone hacks your server, they could easily add an additional bit of JavaScript that sends the CC field to a second, malicious server.

gauravk92OP14y ago

That's a worst case scenario and things could be worse if they hacked your production code base.

All data should be 256bit ssl encrypted for point to point security and asset tampering protection. After that, i doubt stripes js lib is much of a problem, it communicates in a secure tunnel from the client to stripe.

They as well say you don't have to worry about PCI compliance then because you are never handling financially sensitive data directly, only indirectly.

j / k navigate · click thread line to collapse