drastik / com.drastikbydesign.stripe

CMS Independent Stripe payment processor for CiviCRM 4.x

PCI DSS Compliance #189

Open verbomania opened 7 years ago

verbomania commented 7 years ago

Hi

Under its PCI DSS Guidelines, Stripe says that

As long as you serve your payment pages over TLS, and use either Checkout or Elements as the only way of handling card information, Stripe automatically creates a combined SAQ A and Attestation of Compliance (AOC) for you.

Could you confirm that this is indeed the case for this extension and that therefore we can use the SAQ A?

Thanks

Steve

drastik commented 7 years ago

Sorry, I can't say with 100% certainty. This CiviCRM Stripe extension uses JavaScript to empty the card details fields before the form is submitted to the webserver running CiviCRM. In this way, the card details should not reach your server; however, this is delicate, and customized situations might prevent this behaviour. You should inspect values, set debugs, watch the logs to see what data is coming through in your particular case.

Wish I had an easier answer for you, but I don't want to be responsible for giving you a green (or red) light!

verbomania commented 7 years ago

Thanks for the prompt response.

twomice commented 6 years ago

Hi Josh. The possibility of using SAQ-A seems very attractive. Any thoughts on what it would take to use Elements or Checkout instead of Stripe.js v2?