On Tue, Jul 11, 2017 at 01:42:34AM +0300, fr33domlover wrote:
> On Mon, 10 Jul 2017 14:18:53 -0700 Aaron Wolf wrote:
> > The real long-term solution is what CrowdSupply does: They accept
> > the financial details on their front-end using only free software
> > and then have the server send the information to Stripe using
> > Stripe's API and without *ever* storing the info. This still means
> > touching the financial details, so it comes with security overhead
> > that we haven't been able to handle at this time with our limited
> > resources. But this is the solution.
> Sure, I never intended to imply otherwise, I agree it's better than
> needing to store the sensitive data ourselves. But yes, it would
> turn Snowdrift into a *transmitter* of card data, which right now it
> isn't (afaik).

In other words, we would still need to achieve PCI compliance, but by
following CrowdSupply's lead we'd have a fair chance at doing it right
the first time.

That still sounds like something we only want to do with a lawyer on
retainer, and ideally with at least one full-time project member on
hand to deal with time-sensitive issues.
