I may be misunderstanding, but if it's significant effort it makes a lot of sense to me to go without it until we're ready to switch off Stripe's JS. On mobile and haven't looked at the guide yet.
On Mon, Jul 10, 2017, at 02:18 PM, Aaron Wolf wrote:
> On 07/10/2017 01:53 PM, fr33domlover wrote:
> > Hello everyone,
> >
> > I found a nice website with human-readable info about PCI compliance:
> >
> > <https://www.pcicomplianceguide.org/pci-faqs-2/#5>
> >
> > I'm bringing this up especially because right now Snowdrift is using
> > Stripe's proprietary JS, which will surely raise eyebrows sooner or
> > later, and regardless of that, I suppose we need this PCI thing. Does
> > anyone have thoughts about it?
> >
> > My thoughts are:
> >
> > - What does PCI compliance affect? If we don't have it, who will it
> >   bother, etc.?
>
> In short: there's no value in considering going without it; it's
> required. It's a severe legal liability to ignore such things.
>
> > - How does the FSF handle it? They take donations without a single bit
> >   of proprietary JS. And they are in the US too (except they are
> >   legally an official non-profit organization). Maybe we can check how
> >   they do it?
>
> I think they do it by actually getting credit card info and then using a
> card-processing service. This means they have overhead and liability in
> handling those things. Also, this only works because they process
> single, large charges.
>
> In our case, we would be an illegal money transmitter if we held funds.
> We can't otherwise charge tons of times for multiple small charges per
> patron for each and every project they support.
>
> Stripe allows us to do single charges per patron and single payouts per
> project, combining it all.
>
> There's a free-software replacement for Stripe's JS that pushes all the
> compliance issues onto us, but we really don't want that risk and
> overhead.
>
> The real long-term solution is what CrowdSupply does: they accept the
> financial details on their front-end using only free software and then
> have the server send the information to Stripe using Stripe's API,
> without *ever* storing the info. This still means touching the financial
> details, so it comes with security overhead that we haven't been able to
> handle at this time with our limited resources. But this is the solution.
>
> (Incidentally, I wrote an issue or something about eventually following
> Crowd Supply's example, but I'm not sure where that lives now… does
> anyone know how to find it? I searched Taiga and didn't find it. Maybe
> it's there somewhere though, or…?)
>
> > --fr33
>
> _______________________________________________
> Discuss mailing list
> Discuss@lists.snowdrift.coop
> https://lists.snowdrift.coop/mailman/listinfo/discuss
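The "CrowdSupply-style" path Aaron describes (browser posts card fields to the site's own server, the server hands them to Stripe's API and keeps only the resulting token) is sketched below as an added example. This is not Snowdrift's or Crowd Supply's code; the function names are mine, the HTTP transport is injectable so the block runs offline, and the only Stripe-specific parts are the real `/v1/tokens` endpoint and its `card[...]` form fields, which Stripe only accepts raw card data on for accounts explicitly enabled for it. The "security overhead" in the thread is concrete here: once the server sees a PAN and CVC, the site leaves the fully-outsourced PCI scope, so the code validates input, forwards it, never persists it, and masks anything that could leak into logs.

```python
import json
import re
import urllib.parse
import urllib.request

# Stripe's token-creation endpoint (real URL). Posting raw card numbers to it
# from a server is only allowed on accounts Stripe has enabled for that.
STRIPE_TOKENS_URL = "https://api.stripe.com/v1/tokens"

# Any 13-19 digit run looks enough like a PAN to mask in log output.
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: a cheap sanity check before spending an API call."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_card(card: dict) -> dict:
    """Return exactly the four fields Stripe needs, or raise ValueError.
    Nothing else from the request body is forwarded."""
    number = re.sub(r"[ -]", "", str(card.get("number", "")))
    if not (13 <= len(number) <= 19 and number.isdigit() and luhn_ok(number)):
        raise ValueError("card number failed basic checks")
    month, year = int(card.get("exp_month", 0)), int(card.get("exp_year", 0))
    if not (1 <= month <= 12 and 2000 <= year <= 2099):
        raise ValueError("bad expiry")
    cvc = str(card.get("cvc", ""))
    if not (3 <= len(cvc) <= 4 and cvc.isdigit()):
        raise ValueError("bad cvc")
    return {"number": number, "exp_month": month, "exp_year": year, "cvc": cvc}


def redact(card: dict) -> dict:
    """The only card-derived data allowed in a log line: last four and
    expiry. Never the full PAN, never the CVC."""
    return {"last4": card["number"][-4:],
            "exp_month": card["exp_month"], "exp_year": card["exp_year"]}


def scrub_pan(text: str) -> str:
    """Filter for log handlers: mask digit runs so a stray exception message
    or request dump cannot write a PAN into stored logs."""
    return _PAN_RE.sub("[PAN]", text)


def encode_token_request(card: dict) -> bytes:
    """Form-encode the card the way Stripe's v1 API expects (card[number]=...)."""
    return urllib.parse.urlencode({
        "card[number]": card["number"],
        "card[exp_month]": card["exp_month"],
        "card[exp_year]": card["exp_year"],
        "card[cvc]": card["cvc"],
    }).encode()


def _https_post(url: str, body: bytes, secret_key: str) -> str:
    """Real transport: HTTPS POST with the secret key as bearer token.
    Not exercised offline; tests inject a fake in its place."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", "Bearer " + secret_key)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def forward_to_stripe(raw_card: dict, secret_key: str, post=_https_post) -> str:
    """Validate, forward, and return only Stripe's opaque token id.
    The card dict is written nowhere; the caller must drop it too. (Python
    cannot reliably wipe memory, so 'never stored' here means never logged
    or persisted, not zeroed.)"""
    card = validate_card(raw_card)
    reply = post(STRIPE_TOKENS_URL, encode_token_request(card), secret_key)
    token = json.loads(reply).get("id", "")
    if not token.startswith("tok_"):
        raise RuntimeError("unexpected reply for card %s" % redact(card))
    return token
```

The token returned by `forward_to_stripe` is what the application stores and later charges against; everything upstream of it stays in request scope. Wiring `scrub_pan` into the logging formatter is the part most easily forgotten and the one that turns a single bad exception into a PCI incident.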