WP Stripe
[resolved] PCI compliance, Stripe, and "name" attribute on input tags (3 posts)

  1. PaulMorris
    Posted 4 years ago

    I looked into the question of PCI compliance when using Stripe. It looks like all that's required is to never use the "name" attribute on the <input> tags for sensitive credit card data. That prevents them from ever being sent to your site's server.

    But it looks like these <input> tags in the WP-Stripe plugin (1.4.0) do have a "name" attribute:

    <input type="text" name="wp_stripe_cardn" autocomplete="off" class="card-number" placeholder="<?php _e('Card Number', 'wp-stripe'); ?> *" required />

    So this is a bug, unless I'm mistaken.

    Sorry to bear bad news,

    Here are some references:

    See the comments here:

    And this blog post:

    Especially this part:
    "In the demo code, take notice that none of the credit-card-based form fields have a "Name" attribute. This ensures that, should anything go wrong, no credit card information will ever be submitted to our server - unnamed form fields are never submitted with the HTTP POST. The only relevant values that get submitted to our server are the purchase amount and the one-time-use token returned by the Stripe API."

    And this response from Stripe when I emailed them to ask about it:

    "That blog post is correct - because no name attribute is set on the
    form elements with sensitive data, they aren't posted to your server.
    As long as you hold to this model and only deal with the tokens that
    stripe.js creates, you don't need to be worried about PCI compliance."

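    As an added example (not code from the plugin, from Stripe, or from either poster), the script below mirrors the browser rule the post relies on: only inputs with a non-empty "name" attribute are included in a form submission. It parses a rendered form fragment, lists the field names that would be POSTed, and flags card-data inputs that carry a name. The sample markup is constructed from the line quoted above (with the PHP placeholder already rendered); the class names, the "wp_stripe_cvc" field and the "stripeToken" hidden field are assumed conventions, not taken from the plugin.

```javascript
// Parse every <input ...> tag in a fragment of rendered HTML into an attribute map.
// Regex-based: adequate for simple templates, not a general HTML parser, and it
// expects rendered output (no "<?php ... ?>" inside attribute values).
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    inputs.push(attrs);
  }
  return inputs;
}

// What the browser actually puts in the HTTP POST body: named fields only.
function submittedFieldNames(html) {
  return parseInputs(html).map(i => i.name).filter(n => n !== undefined && n !== '');
}

// Classes assumed to mark card-data inputs (convention, not a Stripe requirement).
const CARD_CLASSES = ['card-number', 'card-cvc', 'card-expiry-month', 'card-expiry-year'];

// Names of card-data inputs that would reach the server, i.e. the PCI problem.
function leakingCardFields(html) {
  return parseInputs(html)
    .filter(i => (i.class || '').split(/\s+/).some(c => CARD_CLASSES.includes(c)))
    .filter(i => i.name !== undefined && i.name !== '')
    .map(i => i.name);
}

// Constructed sample: the 1.4.0 markup from the post plus an assumed CVC field.
const BEFORE = `
<form id="wp-stripe-payment-form">
  <input type="text" name="wp_stripe_cardn" autocomplete="off" class="card-number" placeholder="Card Number *" required />
  <input type="text" name="wp_stripe_cvc" autocomplete="off" class="card-cvc" placeholder="CVC *" required />
  <input type="text" name="wp_stripe_amount" placeholder="Amount" />
</form>`;

// Constructed fixed form: card fields unnamed, only amount and the token are posted.
const AFTER = `
<form id="wp-stripe-payment-form">
  <input type="text" autocomplete="off" class="card-number" placeholder="Card Number *" required />
  <input type="text" autocomplete="off" class="card-cvc" placeholder="CVC *" required />
  <input type="text" name="wp_stripe_amount" placeholder="Amount" />
  <input type="hidden" name="stripeToken" value="tok_constructed" />
</form>`;
```

Running leakingCardFields over the "before" markup reports both card fields; over the "after" markup it reports none, and submittedFieldNames shows only the amount and token reaching the server.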

  2. Noel Tock
    Human Made
    Plugin Author

    Posted 4 years ago

    Thanks, good catch Paul, I'll push a fix for that today.

  3. PaulMorris
    Posted 4 years ago

    Wow, that was fast! Thanks! -Paul
