I'm a happy org-mode user who usually just lurks on the list, but I have some
expertise of note to share on the issue of taking donations and proprietary
Javascript.
I've spent much time over the last 25 years working for and/or helping to run
various non-profit organizations related to FOSS. I've worked on the problem
of “how do you take donations while limiting the amount of proprietary
software both the donors and NPO staff have to use?” extensively.
To my knowledge, the current answers to these questions are:
(0) You cannot take online donations by credit/debit card or ACH without
either:
(a) handling PCI-compliance rules yourself, which is a high burden and
out of reach for most small organizations. (I have researched this
extensively, and am pretty sure that the level of self-PCI
compliance that would be required for this would mean the
organization would need to employ at least one person who will
spend almost full-time working on PCI compliance.)
(b) having the donor run some proprietary Javascript [0].
(1) It is impossible for an organization to take credit card donations
without its staff sometimes using non-FOSS (usually in the form of
proprietary Javascript). It's very difficult to take ACH donations of
any kind without the staff occasionally using proprietary software.
I'd be glad to discuss how I've come to these assessments in more detail if
that's useful to the discussion. (However, I won't have time to check back
into this thread until Tuesday due to a deadline.)
I generally recommend PayPal to projects that want to minimize proprietary
Javascript because you cn often make it all the way through a PayPal
transaction (if you already have a PayPal account with a credit card attached
and you're in the USA) with Javascript fully turned off. That's not saying
much, but it's better than other processors. I retest that every 3-6 months;
the last time I tested it was November.
Comparatively, Stripe is particularly bad because they mandate that you load
their proprietary Javascript on your own page (see below in footnote for
more) if you want them to handle the PCI compliance.
[0] Someone mentioned liberapay — but it simply uses Stripe and/or PayPal
underneath for the donations. I just double checked this and noticed
that the payment page has:
<script src="https://js.stripe.com/v3/";></script>
which is what Stripe requires if you want them to handle the PCI
compliance.
-- bkuhn
