z-dev / react-native-checkout

Checkout component for React Native

PCI Compliance - Does this lib implement tokenization on the client? #35

Open 0xpatrickdev opened 6 years ago

0xpatrickdev commented 6 years ago

Hey folks,

Thanks for your great work on this library.

I have a question you could hopefully help with. In Stripe's Integration Security Guide, they outline 3 steps that are required for a business using Stripe to be PCI Compliant:

  • Use Checkout, Stripe.js and Elements, or our mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through your servers
  • Serve your payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS
  • Review and validate your account’s PCI compliance annually

The 2nd and 3rd items are not in the scope of this library, but I am curious as to how you view the 1st item.

I do not believe this library uses Elements or the Mobile SDK, so it seems one of these two sections would be relevant to users of this library:

  • Stripe.js v2
  • Directly to the API

In /src/common/stripe.js#L3, I see a reference to https://api.stripe.com/v1/tokens.

As such, I would assume this means that users of this library are posting payment details directly to the Stripe API?

If that's correct, it seems that people using this library outside of a testing environment would need to fill out this lengthy document SAQ A-EP, on an annual basis, which is described by Stripe as, "the most onerous of all the SAQs, with over 40 pages of requirements you must implement to remain PCI compliant."

Have you explored using Stripe.js v2? If so, are there issues using it in a RN app?

Thanks in advance!
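To make the first Stripe requirement concrete, here is an added example (not code from react-native-checkout or from Stripe) of the two halves of client-side tokenization: the app posts card details straight to the `https://api.stripe.com/v1/tokens` endpoint named in the issue using the publishable key, and the business's own backend accepts only the returned `tok_...` id and rejects any request that still carries a raw card number. The request is built but not sent so the example runs offline; the card number is Stripe's documented `4242...` test card, the key and token id are constructed placeholders, and the `findRawCardData` / `acceptPaymentRequest` names are this example's own.

```javascript
// Added example (not from the react-native-checkout project): what "tokenization
// on the client" means in practice, and the backend-side check that goes with it.
//
// 1. The app posts card details directly to Stripe's tokens endpoint (the URL
//    the issue found in src/common/stripe.js), authenticated with the
//    *publishable* key, so the card data never touches the business's servers.
// 2. The app's own backend accepts only the resulting token id and refuses any
//    request that still contains something that looks like a card number.
// All key, token and card values below are constructed test data.

const STRIPE_TOKENS_URL = 'https://api.stripe.com/v1/tokens';

// Build (but do not send) the direct-to-Stripe tokenization request.
// Stripe's legacy tokens API takes form-encoded card[...] fields.
function buildTokenRequest(card, publishableKey) {
  const params = new URLSearchParams();
  params.set('card[number]', card.number.replace(/[\s-]/g, ''));
  params.set('card[exp_month]', String(card.expMonth));
  params.set('card[exp_year]', String(card.expYear));
  params.set('card[cvc]', card.cvc);
  return {
    method: 'POST',
    url: STRIPE_TOKENS_URL,
    headers: {
      Authorization: `Bearer ${publishableKey}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: params.toString(),
  };
}

// Luhn mod-10 check, used to tell a card number from an arbitrary digit run.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Walk a request body and return the paths of any values that look like a PAN:
// a 13 to 19 digit run (spaces and dashes ignored) that passes Luhn. The match
// is greedy, so a PAN buried inside a longer digit run is not sliced out.
function findRawCardData(value, path = 'body', hits = []) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) findRawCardData(v, `${path}.${k}`, hits);
  } else if (typeof value === 'string' || typeof value === 'number') {
    const digitRuns = String(value).replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
    if (digitRuns.some(luhnValid)) hits.push(path);
  }
  return hits;
}

// Backend entry point: accept a Stripe token id only, never card data.
function acceptPaymentRequest(body) {
  const leaks = findRawCardData(body);
  if (leaks.length > 0) {
    return { ok: false, reason: `raw card data in ${leaks.join(', ')}` };
  }
  if (typeof body.token !== 'string' || !/^tok_[A-Za-z0-9]+$/.test(body.token)) {
    return { ok: false, reason: 'missing or malformed Stripe token id' };
  }
  return { ok: true, token: body.token };
}

// Constructed sample: Stripe's documented test card number and a placeholder key.
const sampleCard = { number: '4242 4242 4242 4242', expMonth: 12, expYear: 2030, cvc: '123' };
const sampleRequest = buildTokenRequest(sampleCard, 'pk_test_EXAMPLE');
console.log('client -> Stripe:', sampleRequest.url, sampleRequest.body);
console.log('backend, token only:', acceptPaymentRequest({ token: 'tok_example123', amount: 1999 }));
console.log('backend, leaked PAN:', acceptPaymentRequest({ amount: 1999, card: sampleCard }));
```

The backend guard is the check that matters for the SAQ question raised above: whichever client path a library takes, a server that logs or rejects any inbound PAN gives you evidence that cardholder data is not passing through your own systems.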

richardgill commented 6 years ago

I think you're correct. An upgrade to v2 sounds like it would make sense.

tirsoh commented 6 years ago

Any plans to update this to v2?