Clarification on Stripe Method and PCI

drastik / com.drastikbydesign.stripe

CMS Independent Stripe payment processor for CiviCRM 4.x

Other

35 stars 48 forks source link

Clarification on Stripe Method and PCI #163

Closed shaigluskin closed 7 years ago

shaigluskin commented 7 years ago

Does the CiviCRM Stripe extension use a Stripe method that employs an iFrame for SAQ-A PCI Compliance eligibility?

I know for sure that "Stripe Checkout" uses an iFrame. "Stripe.js" may also, but I'm not sure.

Thanks.

drastik commented 7 years ago

No iFrame that I am aware of. Uses their JS that sends card details directly to Stripe, not to your server.

shaigluskin commented 7 years ago

When you say "their JS," the script itself is hosted on their server? Also, is it your understanding about which PCI SAQ this method qualifies for? Also, which version of their API does the CiviCRM Stripe extension use?

drastik commented 7 years ago

Yes, the script is remote, on Stripe's server.
Regarding SAQ-A (card not present, no card data touches merchant's machine):
- This is what should be occurring. You can see in our custom JS where it removes the card number details before the form is submitted to CiviCRM. As long as those selectors still target the proper fields, the CC details should not touch the CiviCRM-hosting server.
It uses v2 of their stripe.js API.