@stripe I'm not sure how your Stripe.js + Elements is SAQ A as labeled in your documentation. "If any element of a payment page originates from the merchant’s website, the implementation is not eligible for SAQ A." http://goo.gl/EU3qF5
Replying to @lisa_m_woodruff
We serve Elements directly in iframes, which ensures that no card data touches the Stripe user's server. There's some extra explanatory information here, if that's helpful! https://stripe.com/docs/security#validating-pci-compliance
Replying to @stripe
Right, but the information is still collected from a page on the merchant's site which is subject to other potentially malicious code, particularly if they've been told they don't need to worry about security because they're SAQ A.
Replying to @lisa_m_woodruff @stripe
Your security page says "Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1." So I assume somehow it works, I'm just unclear as to how, since it seems to conflict with the definition of SAQ A.
Replying to @lisa_m_woodruff @stripe
I guess PCI compliance best practices says: "If an attacker has compromised the merchant's website...they can create alt content for the frame...Merchants should consider...additional security controls to reduce...risk, even if such controls are not stated as required by SAQ A."
Replying to @lisa_m_woodruff @stripe
So even if iframes via JavaScript are *technically* SAQ A, they should still be considered higher risk than completely outsourcing/redirecting for payment processing. https://www.pcisecuritystandards.org/pdfs/best_practices_securing_ecommerce.pdf
Replying to @lisa_m_woodruff @stripe
Sorry for the long thread, I just don't generally take on non-SAQ A projects, so I want to be able to reason exactly. :)
Replying to @lisa_m_woodruff
Absolutely! And I definitely commend the rigour here, good to see that keeping customers' information safe is a priority :) To save long Twitter threads, would you mind dropping us a line directly? We can certainly provide more depth this way: https://support.stripe.com/email