stripe / stripe-node

Node.js library for the Stripe API.
https://stripe.com
MIT License

Should probably be updated with new Stripe procedures #161

Closed ghost closed 9 years ago

ghost commented 9 years ago

See README for this:

https://github.com/tyler-johnson/stripe-meteor

Now with Stripe.js (not just Checkout), you can create a token on the client and pass it to the server so that no credit card details are transferred to the server. This is due to the new PCI DSS 3.0 rules.

https://support.stripe.com/questions/what-about-pci-dss-3-0

matthewarkin commented 9 years ago

Even under PCI DSS 2.0, card details should never have been sent to your server. As soon as card numbers touch your server, the PCI compliance issues are the same for DSS 2.0 and DSS 3.0.

ghost commented 9 years ago

Ah, interesting. I thought the 2.0 rule was that you could transmit card details but you couldn't store them.

matthewarkin commented 9 years ago

Nope, the main difference between 2.0 and 3.0 is the addition of SAQ A-EP, which is for people who use a direct post or JavaScript to send card details from their HTML to the server of their credit card processor. Stripe.js was upgraded to use an iframe to do the transport, and Stripe's QSA (basically their PCI auditor) said this method would still allow merchants to qualify for SAQ A (which is the SAQ you'd use if you used an iframe or linked to the processor's site for credit card handling). Either way, no credit card details should touch your network.

ghost commented 9 years ago

Cool, thanks for clarifying!
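The point made throughout this thread is that only a Stripe.js token, never a card number, should reach your server. As an added example (not from this issue or from stripe-node), here is a server-side request guard in JavaScript that accepts a token id plus an amount and rejects any payload that carries card fields or a Luhn-valid card number anywhere in it; the request shape, field names and the `tok_EXAMPLE123` id are assumptions.

```javascript
// Added example, not stripe-node code: guard a charge endpoint so raw card
// data (PANs) is rejected before it can reach business logic or logs.

// Luhn mod-10 check for a string of 13-19 digits (assumed PAN length range).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Walk strings, arrays and nested objects; return the paths whose string
// content is a Luhn-valid card number once spaces and dashes are removed.
function findPanPaths(value, path = '') {
  const hits = [];
  if (typeof value === 'string') {
    if (luhnValid(value.replace(/[\s-]/g, ''))) hits.push(path || '$');
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findPanPaths(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      hits.push(...findPanPaths(v, path ? `${path}.${k}` : k));
    }
  }
  return hits;
}

// Validate a parsed JSON body. Only a Stripe.js token id (tok_...) and a
// positive integer amount are accepted. The result never echoes card data,
// only the paths where it was found, so it is safe to log for detection.
function validateChargeRequest(body) {
  const forbiddenKeys = ['number', 'card_number', 'cvc', 'exp_month', 'exp_year'];
  const panPaths = findPanPaths(body);
  if (panPaths.length) return { ok: false, reason: 'raw card data present', panPaths };
  const bad = Object.keys(body).filter((k) => forbiddenKeys.includes(k));
  if (bad.length) return { ok: false, reason: `card field(s) not allowed: ${bad.join(',')}`, panPaths };
  if (typeof body.token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(body.token)) {
    return { ok: false, reason: 'missing Stripe token', panPaths };
  }
  if (!Number.isInteger(body.amount) || body.amount <= 0) {
    return { ok: false, reason: 'invalid amount', panPaths };
  }
  return { ok: true, reason: null, panPaths };
}
```

A rejected request's `panPaths` is worth alerting on: a client posting a PAN to your server usually means an integration regressed from tokenization to direct card handling, which is exactly what moves you out of SAQ A scope.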