Stripe Elements why does the vendor have exposure to PCI compliance?

Stripe Elements why does the vendor have exposure to PCI compliance?(stripe.com)

2 points by textman 3 years ago | 5 comments

textman 3 years ago |

From the stripe website: "a payment field that originates directly from our PCI DSS–validated servers. With safer card acceptance methods like these, we’ll populate the PCI form (SAQ) in the Stripe Dashboard, making PCI validation as easy as clicking a button."

Since the credit card payment data never touches my server, why is PCI compliance a part of the conversation? With Fastpring I don't deal with PCI because credit card payment is done on their server and it sounds like that is equally true with Stripe Elements. So what am I missing here?

textman 3 years ago | |

OP here. think what happens is stripe embeds the payment element in a cross-domain Iframe which means it is impossible for me(my server code) to access that data. And that seems to be the whole issue with PCI compliance, namely, my website is not in fact collecting CC data. From there I infer that stripe got certified PCI Service Provider Level 1 which allows them to handle just about all of the PCI processing and the vendor(me) just has to click an approval button annually to be PCI compliant. Does all this seem correct?

dbalatero 3 years ago | | |

I used to work on Stripe Checkout and your interpretation sounds like what my understanding of the situation was at the time I was there, yes. Basically Stripe provides everything, isolates the code as you said, and for 99% of merchants you just hit a button and get on with your day. I think for the other 1%, from reading the docs you linked, it sounds like for particularly large businesses it might cause a couple days of work, but orders of magnitude less than rolling it yourself?

wdb 3 years ago | |

Do you also embed Fastpring into the your site? I think Stripe allows you to do that

textman 3 years ago | | |

No, user is redirected to fastspring.com. I guess it depends on whether my server code can access the CC data. I somehow got the impression that it cannot. So how is the payment element actually connected to stripe?