On 07/10/2017 01:53 PM, fr33domlover wrote:
> Hello everyone,
>
> I found a nice website with human-readable info about PCI compliance:
>
> <https://www.pcicomplianceguide.org/pci-faqs-2/#5>
>
> I'm bringing this up especially because right now Snowdrift is using Stripe's
> proprietary JS, which will surely raise eyebrows sooner or later, and
> regardless of that, I suppose we need this PCI thing. Does anyone have
> thoughts about it?
>
> My thoughts are:
>
> - What does PCI compliance affect? If we don't have it, who will it bother,
> etc.?
In short: there's no value in considering going without it; it's required. It's a severe legal liability to ignore such things.

> - How does the FSF handle it? They take donations without a single bit of
> proprietary JS. And they are in the US too (except they are legally an
> official non-profit organization). Maybe we can check how they do it?

I think they do it by actually getting credit card info and then using a card-processing service. This means they have overhead and liability in handling those things. Also, this only works because they process single, large charges.

In our case, we would be an illegal money transmitter if we held funds. We can't otherwise charge tons of times for multiple small charges per patron for each and every project they support. Stripe allows us to do single charges per patron and single payouts per project, combining it all.

There's a free-software replacement for Stripe's JS that pushes all the compliance issues onto us, but we really don't want that risk and overhead.

The real long-term solution is what CrowdSupply does: they accept the financial details on their front-end using only free software and then have the server send the information to Stripe using Stripe's API, without *ever* storing the info. This still means touching the financial details, so it comes with security overhead that we haven't been able to handle at this time with our limited resources. But this is the solution.

(Incidentally, I wrote an issue or something about eventually following Crowd Supply's example, but I'm not sure where that lives now. Does anyone know how to find it? I searched Taiga and didn't find it. Maybe it's there somewhere though, or…?)

> --fr33
_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss
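The "CrowdSupply-style" pass-through described in the reply above, as an added example; this is not Snowdrift's, CrowdSupply's or Stripe's code. It sketches the server side only: card fields arrive from the site's own (free-software) form, are forwarded once to Stripe's legacy Tokens endpoint (URL and `card[...]` field names as in Stripe's public API docs; Stripe additionally requires the account to be enabled for raw card data access, which is assumed here), and only the returned token is kept. The HTTP transport is injected, and `fake_stripe_post`, the secret-key placeholder and the sample form data are constructed so the handler runs offline. The security point the reply makes, that the details are touched but never stored, is enforced by two checks: the number is rejected locally if it fails Luhn, and every log line passes through a filter that masks anything PAN-shaped, so even an accidental `log.info(body)` cannot leak a full card number.

```python
import logging
import re
from urllib.parse import urlencode

# Stripe's legacy Tokens API endpoint (from Stripe's public docs; the account
# must be approved for raw card data access for this call to be accepted).
STRIPE_TOKENS_URL = "https://api.stripe.com/v1/tokens"

PAN_RE = re.compile(r"\b\d{13,19}\b")  # anything that looks like a card number

# In-memory log sink so the example can show what did (not) reach the logs.
LOG_LINES = []
RECEIVED = []  # bodies the fake transport saw (constructed for the example)


def luhn_ok(pan: str) -> bool:
    """Luhn check so mistyped numbers are rejected before any network call."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI allows to be displayed/logged."""
    d = "".join(c for c in pan if c.isdigit())
    if len(d) < 13:
        return "*" * len(d)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


class RedactPAN(logging.Filter):
    """Scrub anything PAN-shaped from every record before any handler sees it."""

    def filter(self, record):
        record.msg = PAN_RE.sub(lambda m: mask_pan(m.group(0)), record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    def emit(self, record):
        LOG_LINES.append(self.format(record))


_log = logging.getLogger("passthrough")
_log.setLevel(logging.INFO)
_log.propagate = False
_log.addFilter(RedactPAN())
_log.addHandler(_ListHandler())


class CardPassThrough:
    """Hands card fields from the site's own form straight to Stripe.

    `post(url, headers, body) -> dict` is injected; in production it is an
    HTTPS client with certificate verification, here a constructed fake.
    """

    def __init__(self, secret_key: str, post):
        self._headers = {
            "Authorization": "Bearer " + secret_key,
            "Content-Type": "application/x-www-form-urlencoded",
        }
        self._post = post

    def tokenize(self, form: dict) -> str:
        pan = "".join(c for c in form.get("number", "") if c.isdigit())
        if not luhn_ok(pan):
            _log.warning("rejected card %s: failed Luhn", mask_pan(pan))
            raise ValueError("invalid card number")
        body = urlencode({
            "card[number]": pan,
            "card[exp_month]": form["exp_month"],
            "card[exp_year]": form["exp_year"],
            "card[cvc]": form["cvc"],
        })
        _log.info("tokenizing card %s", mask_pan(pan))
        token = self._post(STRIPE_TOKENS_URL, self._headers, body)["id"]
        # Drop our references. Python cannot guarantee a memory wipe; the real
        # guarantee is that nothing above wrote the PAN to disk, DB or logs.
        del pan, body
        _log.info("got token %s", token)
        return token


def fake_stripe_post(url, headers, body):
    """Constructed offline stand-in for the HTTPS call to Stripe."""
    assert url == STRIPE_TOKENS_URL and headers["Authorization"].startswith("Bearer ")
    RECEIVED.append(body)
    return {"id": "tok_example", "object": "token"}


def demo() -> str:
    handler = CardPassThrough("sk_test_placeholder", fake_stripe_post)  # placeholder key
    return handler.tokenize({"number": "4242 4242 4242 4242",  # Stripe's public test card
                             "exp_month": "12", "exp_year": "2030", "cvc": "123"})
```

Even with this, the server is in scope for PCI DSS as a system that handles cardholder data (the SAQ D questionnaire rather than the SAQ A that hosted Stripe.js keeps you on), so the filter and the no-storage rule are necessary but not sufficient; the reply's point about overhead stands.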