#bruno-elements

echo warren
just tbc, "custom form with credit card fields" means stripe js v2? where you'd create your own <input> fields, pull the raw credit card number from the input, then pass it to the stripe js library?

lilac trellis
No, "custom form with credit card fields" means a "no javascript" html form that is submitted to the backend. The backend then forwards that data to stripe via stripe's ruby client

echo warren
got it

this is primarily about the PCI compliance scope

PCI is a set of rules laid out by the card networks governing businesses that accept credit card payments

broadly speaking, the more access you have to the raw card data, the more rigorous the audit requirements become

elements falls under SAQ A, which is the least onerous, because you have no direct access to in-scope card data

stripe can auto-generate a form demonstrating compliance, and you more or less click a button confirming that it's accurate

a no-js form that sends credit card details to your backend falls under the most restrictive SAQ, SAQ D

lilac trellis
Huh, oh really?

echo warren
which is like a 40 page annual self-audit, with a bunch of fairly onerous reqs

oh wow it's up to 80 pages now

the PCI SSC must have really eaten their wheaties or something

lilac trellis
I always thought the PCI rules apply only if you store the credit card data...

But thanks for the heads up

echo warren
no, it's done by carveout

SAQ A has a bunch of requirements at the top

SAQ A merchants confirm that, for this payment channel:
▪ Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions;
▪ All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service providers;
▪ Your company does not electronically store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions;
▪ Your company has confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant; and
▪ Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically.

the various other SAQs have similar carveouts

SAQ D is the everything-else SAQ

lilac trellis
This answers my question, thank you for your help!