On 07/10/2017 01:53 PM, fr33domlover wrote:
> Hello everyone,
> I found a nice website with human readable info about PCI compliance:
> <https://www.pcicomplianceguide.org/pci-faqs-2/#5>
> I'm bringing this up especially because right now Snowdrift is using Stripe's
> proprietary JS, which will surely raise eyebrows sooner or later, and
> regardless of that, I suppose we need this PCI thing. Does anyone have
> thoughts about it?
> My thoughts are:
> - What does PCI compliance affect? If we don't have it, who will it bother
>   etc.?

In short: there's no value in considering going without it; it's
required. It's a severe legal liability to ignore such things.

> - How does the FSF handle it? They take donations without a single bit of
>   proprietary JS. And they are in the US too (except they are legally an
>   official non-profit organization). Maybe we can check how they do it?

I think they do it by actually getting credit card info and then using a
card-processing service. This means they have overhead and liability in
handling those things. Also, this only works because they process
single, large charges.

In our case, we would be an illegal money transmitter if we held funds.
We can't otherwise charge tons of times for multiple small charges per
patron for each and every project they support.

Stripe allows us to do single charges per patron and single payouts per
project, combining it all.

There's a free-software replacement for Stripe's JS that pushes all the
compliance issues onto us, but we really don't want that risk and overhead.

The real long-term solution is what CrowdSupply does: They accept the
financial details on their front-end using only free software and then
have the server send the information to Stripe using Stripe's API and
without *ever* storing the info. This still means touching the financial
details, so it comes with security overhead that we haven't been able to
handle at this time with our limited resources. But this is the solution.

(Incidentally, I wrote an issue or something about eventually following
Crowd Supply's example, but I'm not sure where that lives now… does
anyone know how to find it? I searched Taiga and didn't find it. Maybe
it's there somewhere though, or…?)

> --fr33
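The pass-through design described in the reply (accept the card details on our own front-end, hand them to the processor once from the server, and never store them) is easy to get subtly wrong on the "never store" part. The sketch below is an added illustration, not code from Snowdrift, CrowdSupply or Stripe. It assumes a hypothetical `tokenize` callable standing in for the processor's API so it runs offline, and shows the three things our side would still have to do: validate the number before sending it, keep only the returned token, and make sure the only card form that ever reaches our logs or database is a masked one.

```python
"""Pass-through card handling: validate, forward once, keep only a token.

Added example; the processor call is a hypothetical injected callable,
not a real Stripe client.
"""
import re
from typing import Any, Callable, Dict

# Hypothetical stand-in for the processor's tokenization endpoint.
Tokenizer = Callable[[Dict[str, str]], str]


def normalize_pan(pan: str) -> str:
    """Strip the spaces and dashes users type; other characters are rejected later."""
    return re.sub(r"[ -]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn check, the standard sanity test before a PAN is sent anywhere."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that is safe to keep: at most first six and last four digits."""
    pan = normalize_pan(pan)
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def forward_card(card: Dict[str, str], tokenize: Tokenizer) -> Dict[str, Any]:
    """Validate, hand the details to the processor once, and return only the
    processor token plus a masked PAN. Full PAN and CVC do not leave this call."""
    pan = normalize_pan(card["number"])
    if not luhn_valid(pan):
        raise ValueError("card number failed validation")
    if not re.fullmatch(r"\d{3,4}", card.get("cvc", "")):
        raise ValueError("cvc must be 3 or 4 digits")
    token = tokenize({
        "number": pan,
        "exp_month": card["exp_month"],
        "exp_year": card["exp_year"],
        "cvc": card["cvc"],
    })
    return {"token": token, "card_masked": mask_pan(pan)}


def audit_record(result: Dict[str, Any], patron_id: str) -> Dict[str, Any]:
    """The only shape allowed into our own logs or database: no PAN, no CVC."""
    return {"patron": patron_id, "token": result["token"], "card": result["card_masked"]}


def fake_tokenize(details: Dict[str, str]) -> str:
    """Constructed stand-in for the processor API; returns an opaque token."""
    return "tok_constructed_" + details["number"][-4:]


if __name__ == "__main__":
    # Constructed input using a widely published test card number.
    result = forward_card(
        {"number": "4242 4242 4242 4242", "exp_month": "12",
         "exp_year": "2030", "cvc": "123"},
        fake_tokenize,
    )
    print(audit_record(result, "patron-1"))
```

The point of `audit_record` is that everything persisted on our side goes through one function whose output provably cannot contain the number or the CVC; that is the boundary a PCI assessor would look at in this design.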
