Also note for Stripe: https://stripe.com/us/help/faq#pci-compliance

> Anyone accepting credit card payments must be PCI compliant—but with
> Stripe, it's easy:
>
> - Serve your payment page over SSL <https://stripe.com/help/ssl>,
>   i.e., the page's web address should begin with "https", not "http".
>
> - Use Stripe.js <https://stripe.com/docs/stripe.js> as the only means
>   by which you accept payment information and transmit it directly to
>   Stripe's servers.
>
> By taking these steps, you completely avoid handling sensitive card data,
> and keep your systems out of PCI scope.

On Monday, January 14, 2013 11:05:04 AM UTC-7, Derek wrote:
>
> If your application handles credit card information, it must be audited
> for compliance. So it may or may not be compliant; an audit will determine
> that.
> What most companies do is avoid the audit by not handling credit card
> information. If you use authorize.net (as an example) you can use the
> "Server Integration Method" where all credit card information is collected
> by authorize.net and your application gets a postback from
> authorize.net confirming that a payment was made.
>
> http://developer.authorize.net/api/howitworks/sim/
>
> You'd want to read the PCI SAQ (Self Assessment Questionnaire) to
> determine if an audit is needed.
>
> https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs
>
> On Sunday, January 13, 2013 12:16:28 PM UTC-7, Massimo Di Pierro wrote:
>>
>> I do not know if it is PCI compliant. The provided code requires that
>> your application handles (although not stores) credit card info.
>>
>> Massimo
>>
>> On Sunday, 13 January 2013 12:16:44 UTC-6, Ragtime AllTime wrote:
>>>
>>> Hello all, I'm looking into using stripe.com as a payment processor for
>>> web2py. It looks like web2py provides a nice and easy way for this, but I
>>> am a bit worried about PCI compliance.
>>>
>>> This site shows an example:
>>> http://web2py.com/books/default/chapter/29/14#Stripe.com
>>>
>>> But nowhere on the site does it say whether it is PCI compliant or not.
>>> I would rather not have my server handle any of the customer credit card
>>> data. Stripe does provide a nifty stripe.js which enables us to not touch
>>> any of that data, but then the form creation and submission will be handled
>>> entirely by JavaScript and not by web2py's nice library.
>>>
>>> I guess in particular, if I do it just using stripe.js, I don't have to
>>> give the form input tags any name. That way, web2py can never grab the data
>>> from the dictionary (since I don't know the name of the input tag) that is
>>> returned and so the server will never actually touch the data. However, the
>>> example link on web2py seems to indicate that this naming is necessary in
>>> order to pass the data to the stripe.charge() (since we have to grab the
>>> data somehow from the form and feed it to the stripe.charge()). This
>>> suggests that the server has the ability to access that data.
>>>
>>> Could someone clarify this issue? Many thanks!
>>>
>> --
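As an added example (not code from the thread, from web2py or from Stripe), here is a server-side guard in Python that a web2py controller could run over its posted form variables to confirm the tokenized flow the thread describes: with Stripe.js and unnamed card inputs, the server should receive only a token plus its own fields, never a card number. The allowed field names, the Luhn-based detector and the sample inputs are assumptions constructed for this example.

```python
import re

# Field names a tokenized (Stripe.js) checkout is expected to post back.
# Assumed for this example; adjust to the form's real field names.
ALLOWED_FIELDS = {"stripeToken", "amount", "description", "_formname", "_formkey"}

# 13 to 19 digits, optionally separated by spaces or dashes.
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a Luhn-valid 13-19 digit run (a likely card number)."""
    for match in _DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            return True
    return False


def audit_post_vars(post_vars: dict) -> list:
    """Report fields that should never reach a server kept out of PCI scope.

    Returns an empty list when the post contains only expected fields and no
    card-number-like values; otherwise a list of human-readable findings.
    """
    findings = []
    for name, value in post_vars.items():
        if name not in ALLOWED_FIELDS:
            findings.append(f"unexpected field: {name}")
        if isinstance(value, str) and looks_like_pan(value):
            findings.append(f"card-number-like value in field: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample: what a correct Stripe.js post looks like to the server.
    print(audit_post_vars({"stripeToken": "tok_constructed123", "amount": "1999"}))
    # Constructed sample: a form whose card inputs were given names by mistake.
    print(audit_post_vars({"stripeToken": "tok_x", "number": "4242 4242 4242 4242"}))
```

In a web2py controller this would be called on `request.post_vars` before any charge is attempted, and a non-empty result should abort the request and be logged, since it means raw card data entered the server's scope.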

