I did some reading on PCI compliance and it's a quagmire! There are multiple levels of PCI requirements depending on what you do with the data. As best I can tell (without being an expert), a JavaScript-only solution that posts directly to Stripe and one where you post data to your server and then to Stripe would fall under the exact same category of PCI requirements (the lowest level).
Some things to note:

- I believe that web2py itself can be PCI compliant. The problem is more about how the server is secured than the web2py code itself.
- Ensure that, no matter what, no data related to the credit card gets logged. This is easy to do on success, but be careful when there is an error with an auto-generated ticket.
- Don't write any of the credit card info to the DB or memcache.
- Use 2-factor authentication to get to your server.
- There are a bunch of other requirements for OS and software upgrades and testing.

Note that to be 100% compliant, your particular install and management processes will have to be audited by a 3rd-party auditor.

Good luck!

cfh

On Sunday, January 13, 2013 11:16:28 AM UTC-8, Massimo Di Pierro wrote:
>
> I do not know if it is PCI compliant. The provided code requires that your
> application handles (although not stores) credit card info.
>
> Massimo
>
> On Sunday, 13 January 2013 12:16:44 UTC-6, Ragtime AllTime wrote:
>>
>> Hello all, I'm looking into using stripe.com as a payment processor for
>> web2py. It looks like web2py provides a nice and easy way for this, but I
>> am a bit worried about PCI compliance.
>>
>> This site shows an example:
>> http://web2py.com/books/default/chapter/29/14#Stripe.com
>>
>> But nowhere on the site does it say whether it is PCI compliant or not.
>> I would rather not have my server handle any of the customer credit card
>> data. Stripe does provide a nifty stripe.js which enables us to not touch
>> any of that data, but then the form creation and submission will be handled
>> entirely by JavaScript and not by web2py's nice library.
>>
>> I guess in particular, if I do it just using stripe.js, I don't have to
>> give the form input tags any name. That way, web2py can never grab the data
>> from the dictionary (since I don't know the name of the input tag) that is
>> returned, and so the server will never actually touch the data. However, the
>> example link on web2py seems to indicate that this naming is necessary in
>> order to pass the data to stripe.charge() (since we have to grab the
>> data somehow from the form and feed it to stripe.charge()). This
>> suggests that the server has the ability to access that data.
>>
>> Could someone clarify this issue? Many thanks!
>>
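A server-side counterpart to the two points above (let only a token reach the server, and make sure an error ticket can never carry card data) is sketched here as an added example; it is not code from this thread, from web2py or from Stripe. The field names `stripeToken`, `amount`, `number`, `cvc`, `exp_month` and `exp_year` are assumptions for the example, as is the idea of running every request through `assert_no_card_data` before `handle_charge` and through `scrub_vars`/`scrub_pan` before anything is written to a log or ticket. The sample inputs are constructed; `4242424242424242` is a Luhn-valid test number, not a real card.

```python
import re

# Field names a card-entry form might use.  If any of these arrive at the
# server, the client-side tokenisation (no "name" on the card inputs) has
# been bypassed or misconfigured.  Names are assumptions for this example.
CARD_FIELD_NAMES = {
    "number", "card_number", "cardnumber", "cvc", "cvv", "cvv2",
    "exp_month", "exp_year", "expiry",
}

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.  Candidates are confirmed with Luhn so
# that order ids and timestamps are left alone.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_pan(text):
    """Mask every Luhn-valid card-number-like run in text, keeping the last 4."""
    def _mask(match):
        raw = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(raw):
            return match.group(0)          # numeric, but not a card number
        return "*" * (len(raw) - 4) + raw[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


def scrub_vars(form_vars):
    """Copy of request vars that is safe to put in a log line or error ticket.

    Known card fields are dropped outright (a CVC is too short to pattern
    match, so it is handled by name); every other value is PAN-scrubbed.
    """
    safe = {}
    for key, value in form_vars.items():
        if key.lower() in CARD_FIELD_NAMES:
            safe[key] = "[REDACTED]"
        else:
            safe[key] = scrub_pan(str(value))
    return safe


class RawCardDataError(ValueError):
    """Raised when raw card data reaches the server instead of a token."""


def assert_no_card_data(form_vars):
    """Fail closed: refuse to process a request carrying raw card data."""
    for key, value in form_vars.items():
        if key.lower() in CARD_FIELD_NAMES:
            raise RawCardDataError("field %r must not reach the server" % key)
        if scrub_pan(str(value)) != str(value):
            raise RawCardDataError("value of %r looks like a card number" % key)


def rejects(form_vars):
    """True if assert_no_card_data would refuse these vars (used by the test)."""
    try:
        assert_no_card_data(form_vars)
    except RawCardDataError:
        return True
    return False


def handle_charge(form_vars):
    """What a web2py action would pass on to the charge call: token + amount only.

    The token name 'stripeToken' is an assumption for this example.
    """
    assert_no_card_data(form_vars)
    token = form_vars.get("stripeToken")
    if not token:
        raise ValueError("missing stripeToken")
    return {"source": token, "amount": int(form_vars["amount"])}


if __name__ == "__main__":
    # Constructed request: the browser sent only the token, as intended.
    print(handle_charge({"stripeToken": "tok_example", "amount": "1999"}))
    # Constructed error-ticket line that would otherwise leak a PAN.
    print(scrub_pan("charge failed for card 4242 4242 4242 4242, order 1234567890123456"))
```

`scrub_pan` is the piece to wire into whatever produces the auto-generated ticket on an exception; `assert_no_card_data` belongs at the top of the charge action so a form that accidentally gained `name` attributes fails loudly instead of silently pushing card data through the server.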

