Will you be releasing the iframe-generator by any chance?
Not that I don't trust you, but I'd feel more comfortable running it on my own HW... For instance, if you went evil, you could replace the iframes generated, rather than really delivering the Stripe code. Alternatively, you might decide that the payment iframe isn't worthwhile, and shut it down, leaving me and my users out of luck.
But while I'm replying, I might as well answer the question... I didn't think anyone would want the frame-generator code, since (a) you'd need to host it yourself and set up your own new domain to do it in, and (b) you wouldn't need the flexibility of specifying a target URL and API key at run-time.
But if people want the code I'm happy to provide it -- send me an email to remind me to put it up somewhere.
I'll send you an email -- It'd be useful for peace of mind for me, anyway. Throwing an additional Linode up isn't that bad, and it lets me know that the stack isn't going to change.
Thanks again for writing this, I'm consistently amazed at the quality of work you do! ;)
Fortunately it seems like both Stripe and Paypal are supported now. Phew!
There's a lot of people outside of North America who don't have credit cards, and I certainly don't want to exclude them from using Tarsnap.
Some reasons why this is annoying, that I can think of: (1) It makes the process more complex. Some people just close their window when forced to log into something. (2) It makes writing tutorials/documentation harder. 'Just fill in your credit card details' becomes a long sentence listing the different things that can happen. (3) I have had some customers who complained that they had forgotten about their PayPal account and had to go through the "forgot password" sequence in order to pay. I imagine that the percentage of people who didn't complain but simply closed the tab is higher.
This is not true. I have a long unused PayPal account that hasn't been canceled, and on the occasion that I do end up buying something from someplace that only accepts PayPal, upon entering my information they ask if I would like to sign in and pay with a large "YES" button, or a very small "No, continue without signing in" link which acts the same as not having an account with them at all.
Edit: see Colin's child remark to the parent comment of yours. This may only happen in non-high-risk countries that allow payment without accounts.
If you know of a site where I can trivially test this (i.e., small amount, no signup or shipping required), I would be happy to test. I am not in a position to test my own stuff as it is currently all based on recurring payments (which requires a PayPal account).
With the iframe implementation, is the burden of PCI compliance back on you (or someone who implements a similar function on their own hardware)?
Even for merchants that use third-party hosted payment forms, it's still common to need to complete SAQ A (a short self-assessment questionnaire) and have quarterly network scans. For example, with PayPal: "Our hosted solution takes a lot of the work out of meeting these standards. The only remaining requirements are a Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans."
According to MasterCard: "All merchants that store, process, or transmit cardholder data must be PCI compliant." It's subjective whether using Stripe.js could be considered transmitting cardholder data.
Visa holds Acquirers responsible for ensuring their merchants are PCI compliant. Requirements vary depending on processing volume: "In addition to adhering to the PCI DSS, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants." Notice that for Level 4 merchants, validation only may be required, although those merchants should still be adhering to the PCI DSS.
Stripe has several PCI requirements in their terms of service, and their FAQ does seem to indicate that merchants have some responsibility for PCI compliance. According to the TOS "It is your responsibility to comply with these standards." and according to the FAQ: "Most Qualified Security Assessors (QSAs) will want to talk through many of the implementation details before giving an opinion".
Disclosure: I work for Braintree.
Disclaimer: This response is my opinion; I'm not speaking for Braintree.
Part of what PCI attempts to address is limiting legitimate access to servers, as well as preventative measures against compromise.
I personally think that Stripe may be within the letter of the law, but not necessarily the spirit.
More people should write about obvious security holes so clearly and logically correct like you do.