A reader pointed out this merchant services provider to me, so I checked it out. I ran into some concerns as I reviewed their documentation that I want to share with you all so that you have a better understanding of what Stripe does and provides.
The first thing that I want to point out is why you need to carefully read a service provider’s Web site and understand what is what. If you look at the Stripe General Questions page there is a discussion of PCI compliance. Stripe states that they are a PCI certified Level 1 service provider. What that means is that Stripe’s backend processing of card payments is PCI compliant. This statement has nothing to do with their Javascript program or any other services that Stripe offers.
But, you say, Stripe provides a Javascript program for processing payments. What about its PCI compliance? Good question. Here is a gray area with PA-DSS compliance of applications. Because Stripe is not technically selling its Javascript file (it is provided free), I am sure they believe that the Javascript does not have to be certified. However, the General Questions page is very clear that “Use Stripe.js as the only means by which you accept payment information and transmit it directly to Stripe’s servers.” To me I would think the required use of the program would imply that the Javascript is required to be PA-DSS certified since developers have no choice but to use it.
That brings up how is Stripe’s Javascript maintained? What ensures that someone does not change the script and now it starts securely communicating with another server as well as Stripe’s? This is why PA-DSS certification is necessary for applications because there is too much risk if those applications are not properly maintained and controlled. All it takes is a single successful attack and every one of Stripe’s customers will pick up a new Javascript that will do whatever the attacker desires.
The next concern I have regarding Stripe is their statement that by using their process, “you completely avoid handling sensitive card data, and keep your systems out of PCI scope.” Wait a minute. Stripe states just above that that you need to, “Serve your payment page over SSL.” That implies that their Javascript runs on your server. This gets confirmed on their SSL page where they state that their Javascript only communicates with their backend servers over an SSL connection. It may be their code, but it is executing on your server and that means that your server is in-scope for PCI compliance.
The PCI SSC really needs to get on top of service providers and their claims. It troubles me that this service provider is making claims that are totally incorrect. It is these sorts of claims that get good people into trouble. Most developers and their organizations do not have the necessary detailed understanding of the PCI standards and therefore trust service providers to be the experts which, in the case of Stripe, they are obviously not experts and are just as clueless.
