#leedurrant-browser-save


visual summitBOT
zinc island
#

leedurrant-browser-save

#

Hey @cedar hamlet that's not something we (Stripe) have any control over unfortunately.

cedar hamlet
#

Ah, that's what I thought. Do you agree though that it opens up the user to issues around PCI compliance?

slate sorrel
#

Hi @cedar hamlet 👋 jumping in for @zinc island. This isn't really something we can speak to in this channel. We focus on API integration issues and developer questions about Stripe products.

cedar hamlet
#

okay

#

But in relation to stripe.js, can feature requests be made?

zinc island
#

I can help, I'm still around

#

This is not something Stripe.js can control in this case.

#

And for PCI, technically Elements is made for collecting card details from customers. Usually when you do MOTO, you have to be PCI compliant yourself in a different way. In that case I personally would not use Elements for this.

#

I would build my own form and handle PCI compliance on my own on my server

#

You can use Elements, but it's not really designed for "a call center when person A can enter dozens of card details by hand on the same device every day"

cedar hamlet
#

Okay. Thanks for the response.

#

I was hoping that a "no-save" property could be made available that perhaps obfuscated the field names so that they didn't save as "card number" and "expiry date", making it not obvious to Edge that it was a credit card. But I take on board your comments.

zinc island
#

I'll still flag internally to see if we can improve this, but I'm dubious, and browsers are smart in their own way to detect what looks like a card number or an address

cedar hamlet
#

That's great. Many thanks. As far as I was concerned our solution is PCI compliant as the data is entered via stripe.js and not stored. Obviously for the user of our solution if they write down the number on to a piece of paper on to a printed order form for processing later, then the company would need to ensure that they are PCI compliant, but I felt assured that we added no issues around compliance... until someone emailed me about Edge!

zinc island
#

> As far as I was concerned our solution is pci compliant as the data is entered via stripe.js and not stored.
I disagree with that statement. There are strict rules for MOTO and handling of card details over the phone. Just using Stripe.js is not enough. Stripe.js makes merchants PCI compliant because the card details are entered on the device of the customer but it's different at call centers.
I'm not a PCI expert though, so my colleague was right that we can't give real advice on this. But really, entering card details at a computer in a call center has different rules/regulations than normal online payments.

cedar hamlet
#

Okay, stating that it was PCI compliant was the wrong wording. What I meant was that we weren't adding any issues to what they would otherwise have as a company that processes MOTO transactions.

zinc island
#

gotcha. I don't really agree with this, but that's between you and them I would say in that case!

#

Going to archive this thread for now as there's unfortunately nothing we can advise in this situation 😦

cedar hamlet
#

that's fine. Your responses have been very useful. Many thanks.