
Same!


The business use that immediately comes to mind is tracking, such as for vehicles. Often cars are stolen in Europe and moved between countries.


Thank you. Good read.


Thank you. The tutorials have been very valuable over the years.


I think it's fairly clear, judging by the comments, that the design and the use of the word "Stripe" make this seem like a Stripe product. You could well be infringing on their trademark.


"Connect your bank account to Wirize in just a few clicks (2-minute flow via Stripe)."

This reads to me like it's based on Stripe. And in that case, I don't think it's incorrect to call it "Stripe Checkout." However, I would like this called out at the top of the linked page.


Stripe Checkout is the name of a product that Stripe offers.


Hi tom169, thank you for reporting it. It wasn't our intention to create confusion among the products! Wirize isn't a Stripe product, so we're going to perform some copy changes to clarify it.


Typically credit card processing is handled entirely by a physical device plugged into the computer. The computer isn't in a PCI zone.


The POS is very much in the PCI zone, the PED and card readers will be certified separately.


If the POS doesn't touch card data how would it fall under PCI?


Card data isn’t the only data that is covered by PCI SSC standards.

Card holder PII is also covered and is even considered more important these days, since CC numbers are easy to rotate but your identity isn't.

Also, even if the PoS doesn't see the card details, it is part of the payment acceptance process, and if it's compromised the payment process can be affected even with P2PE devices.

If the PED is completely separated from the payment process, e.g. those in which the vendor has to type in the amount separately, and the PoS doesn't take any customer PII ever, you may be able to get away with using something like ReactOS on it.


If the POS system is regarded similarly to a CC-accepting website that proxies CC data to an endpoint, then the OS shouldn't be a variable of PCI compliance.


Most (European) terminals don't even proxy to the computer; they're completely independent devices connected to wifi that communicate directly with the bank. The connection to the computer is used only for "1 EUR" and "OK"/"FAIL" kind of messages and is completely optional.


Even on P2PE terminals the PoS is in scope of the PCI-DSS, if not the PA-DSS, certification (alright, I'm not sure how any PoS vendor will fly without PA), as they do (or can) pass some CHD through it, even if it's not the card numbers or the track data.

CHD under the PCI standards also covers PII card holder information, which does reach the PoS for handling refunds, managing promotions, club membership etc.

Even vPOS applications like those tiny card readers that hook to an iPad as the PoS do a lot of leg work despite them being P2PE. They check for root, they check for iOS version (security update), they check for proxy etc. That's all part of the PA-DSS certification for the application developer.

While it's possible that a retailer who's big enough that VISA can't say "we're not going to allow you to take payments with our cards", and for whom the fines are smaller than the cost of adopting compliance, could use these, I wouldn't imagine any PoS vendor even going with that, since it would essentially put them at huge risk from both the PCI standpoint and general reputation damage.

As for certifying these, there isn't a single PA or PCI-DSS QSA out there that would accept ReactOS as a usable operating system, because if something goes wrong the QSA is liable if they certified something they shouldn't have.


No, you don't understand me. The terminals I'm talking about are completely independent; a computer is a peripheral to them, not the other way around (that's how it is with the ones you're talking about).

These are specifically marketed by banks as not requiring any certifications of the PoS.


Those are P2PE terminals which can be used in this manner, but it's not up to the banks who offer them to define that.

If the acquirer bank and the QSA accept that your use of these terminals is sufficient then sure, go ahead, but that means you don't intake any PII via the PoS, you don't use the credit cards to identify members, you don't use those terminals to scan non-CC-based membership cards, and you have no PII at all, which means handling things like refunds and warranty is also not done via the PoS.


I believe an LPR could be paroled, pending a hearing with an immigration judge.

Saying that, the only people who cannot be denied entry to the US are indeed USC.


I'm not sure how this is easier than a wildcard certificate and a wildcard CNAME...


It's not, it's meant for cases where people need entirely different custom hostnames. Subdomains are quick and easy, but people have become quite a bit more demanding about how their stuff is branded, and tend to want it all on mydomain.com (instead of me.service.com).

Actually I lied, it's probably a little easier than a wildcard cert. :D But not enough to matter. People who just need wildcard subdomains might want to use us for other reasons. We handle all load balancing, global SSL termination, etc. These things are stuff you'd use even if you were just using a wildcard cert.


Actually, when Let's Encrypt provides free wildcard certificates in early 2018, the latter will be much easier!


Yes! We're looking forward to this at Fly :)

