

How to setup Stripe payments with node.js - pkrumins
http://www.catonmat.net/blog/stripe-payments-with-node/

======
tomx
In examples like this, is the web page containing the payment form within PCI
scope?

I would hope you are at least required to perform PCI level security testing
on the page, to ensure it doesn't contain any dodgy Javascript and the like
(<script src="some-js-I-didn't-audit-which-steals-stripejs-card-data"...).

Likewise, as there's a webserver serving the page, presumably it must have
some level of testing, to ensure it is unlikely to be serving compromised web
pages?

As I understand the form in the example, if the user's browser has Javascript
disabled, then the form submits the credit card number to the server - putting
it in PCI scope(?)

<form action="/plans/browserling_developer" method="POST" id="payment-form">
  ...<input type="text" size="30" autocomplete="off" class="card-number"/>...
</form>

It would be interesting to know the PCI process for such a setup.

~~~
zrail
In Stripe's official examples the credit card form elements don't have names,
so they don't get submitted. According to them, the only thing you need to do
for PCI compliance is use stripe.js in the browser over HTTPS.

~~~
pilif
which is actually crazy, because if I were to design a malicious ad that gets
included on the page where you have your stripe form, it would be as easy for
me to extract the values the user has entered as it is for stripe.js.

So - even if PCI compliance doesn't require it, I would make sure that the
page that the form is on doesn't have any JS dependency that is hosted on a
server I don't control.

Longer term, it would probably be wise for stripe to host the form in an iframe.

~~~
zrail
Oh definitely, for my purposes stripe is on a separate page that only has
stuff that I host within my app.

------
horgx8
My 2 cents...

Among other things, one of the main benefits of using Stripe is actually
freeing users (developers) from the burden of having to get PCI compliant.

Once you have a "payment token", there is no need whatsoever to POST ALL the
form data back to "your" server (along with the appended token attribute). At
this point all you need is the payment token (and the last 4 digits of the cc
for having a weak reference (though enough) to the cc currently being used).
This would potentially mislead a few users out there who have no idea about
the security implications of such action.

To recap, a good Stripe example shall not include any assumptions about the
server being PCI compliant. Also, in regards to this example (and the form
example in the Stripe docs), there is no mention about the implications of
POSTing the form data safely (and not in plain text as one would assume from
the code) e.g. using SSL. Though this might be trivial to some of you,
examples should make this point clear and leave no assumptions behind.

~~~
zrail
FYI once you have the token you can ask for the last 4 digits using the API.
There's no need to move that around either.

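The two points raised above (nameless card fields so the browser never posts them, and the server needing only the token) can be enforced on the Node.js side as well. This is an added example, not code from the article or from Stripe: a screening function for the parsed POST body that keeps only whitelisted fields and refuses the request if anything that looks like a card number or security code arrived anyway (for instance from a JS-disabled browser). The field names, including "stripeToken", are assumptions for the illustration.

```javascript
// Added example (not the article's or Stripe's code). Assumed field names:
// the server only ever needs the token plus non-card data such as email/plan.
const ALLOWED_FIELDS = new Set(["stripeToken", "email", "plan"]);

// Luhn checksum, the standard check digit scheme on card numbers. Used here
// only to recognise a value that looks like a PAN so it can be refused.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True when a value has the shape of a card number (13-19 digits, Luhn-valid),
// allowing the spaces and dashes users type into card fields.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Screen a parsed form body. Returns { ok: true, fields } holding only the
// whitelisted fields, or { ok: false, reason } if card data reached the server.
// The reason names the offending field but never echoes its value, so neither
// the response nor a log line ever carries the card number itself.
function screenCheckoutBody(body) {
  for (const [key, value] of Object.entries(body)) {
    if (looksLikePan(value)) {
      return { ok: false, reason: `raw card number in field "${key}"` };
    }
    if (/cvc|cvv|csc/i.test(key) && /^\d{3,4}$/.test(String(value))) {
      return { ok: false, reason: `card security code in field "${key}"` };
    }
  }
  const fields = {};
  for (const key of ALLOWED_FIELDS) if (key in body) fields[key] = body[key];
  if (!fields.stripeToken) return { ok: false, reason: "missing stripeToken" };
  return { ok: true, fields };
}

// Constructed sample: a JS-disabled browser posted the card fields too.
const constructedBody = { stripeToken: "tok_constructed", email: "a@example.com",
  plan: "browserling_developer", "card-number": "4242 4242 4242 4242" };
console.log(screenCheckoutBody(constructedBody)); // { ok: false, reason: ... }
```

A handler using this should answer with a 400 and drop the body without storing it; the rejection itself is worth logging as a signal that the page is being reached with stripe.js not running.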
------
mark_l_watson
A little off topic, but: I just started to use Stripe this week - a very well
implemented and well documented system. Recommended!

I put a link to Stripe.com just below the entry form with an explanation that
the credit card information never touches my servers, just Stripe.

