Closed znarf closed 1 month ago
According to Stripe https://docs.stripe.com/security/guide
Out-of-scope card data that you can safely store
Stripe returns non-sensitive card information in the response to a charge request. This includes the card type, the last four digits of the card, and the expiration date. This information isn’t subject to PCI compliance, so you’re able to store any of these properties in your database. Additionally, you can store anything returned by our API
This project was initially based on the following table from the PCI "Self-Assessment Questionnaire A and Attestation of Compliance"
However, this table was not precise enough; one should look at "PCI DSS Section 2, PCI DSS Applicability Information" for further details, which states:
The primary account number (PAN) is the defining factor for cardholder data. The term account data includes: the full PAN, any other elements of cardholder data that are present with the PAN, and any elements of sensitive authentication data.
If cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the CDE, they must be protected in accordance with the PCI DSS requirements applicable to cardholder data
Translated to simple language, that means that without the full credit card number, the expiry date or cardholder name are not sensitive data subject to PCI DSS compliance.
We're generally all for storing as little data as possible, but in this case this would result in lost engineering time and a worse user experience.
Closing this project.
While we avoid full PCI compliance by never seeing or storing credit card data, we're currently reviewing Stripe and PCI policies and want to improve in a few areas.
Coda link (private): https://coda.io/d/Make-Open-Collective_dnHLKv7oLV0/Currently_suSgoFhs#CurrentProjects_tuTeF75U/r268&view=modal