
How does Stripe mitigate PCI DSS requirements?



The card number never hits the merchant's web server, so currently they do not have to be compliant.

There is talk in the industry that this will actually be changing, as the card number is still vulnerable to JavaScript that runs in the merchant's web page. So if the merchant is hacked and their website is compromised, then CC numbers are vulnerable. So it is likely that at least some of the applicable PCI DSS requirements (and auditing of them) will eventually be required.


Anyone who takes credit card payments must be PCI DSS compliant. How the payment's taken is irrelevant.

Presumably Stripe reduces this to the level of completing the SAQ A?


That's the right way to explain it. Yes.



