On Tue, Jul 11, 2017 at 01:42:34AM +0300, fr33domlover wrote: > On Mon, 10 Jul 2017 14:18:53 -0700 Aaron Wolf wrote: > > > The real long-term solution is what CrowdSupply does: They accept > > the financial details on their front-end using only free software > > and then have the server send the information to Stripe using > > Stripe's API and without *ever* storing the info. This still means > > touching the financial details, so it comes with security overhead > > that we haven't been able to handle at this time with our limited > > resources. But this is the solution. > > Sure, I never intended to imply otherwise, I agree it's better than > needing to store the sensitive data ourselves. But yes, it would > turn Snowdrift into a *transmitter* of card data, which right now it > isn't (afaik).
In other words, we would still need to achieve PCI compliance, but by following CrowdSupply's lead we'd have a fair chance at doing it right the first time. That still sounds like something we only want to do with a lawyer on retainer, and ideally with at least one full-time project member on hand to deal with time-sensitive issues.
signature.asc
Description: Digital signature
_______________________________________________ Discuss mailing list Discuss@lists.snowdrift.coop https://lists.snowdrift.coop/mailman/listinfo/discuss