I looked into the question of PCI compliance when using Stripe. It looks like all that’s required is to never use the “name” attribute on the <input> tags for sensitive credit card data. That prevents them from ever being sent to your site’s server.
But it looks like these <input> tags in the WP-Stripe plugin (1.4.0) do have a “name” attribute:
<input type="text" name="wp_stripe_cardn" autocomplete="off" class="card-number" placeholder="<?php _e('Card Number', 'wp-stripe'); ?> *" required />
So this is a bug, unless I’m mistaken.
Sorry to bear bad news,
Here are some references:
See the comments here:
Especially this part:
“In the demo code, take notice that none of the credit-card-based form fields have a “Name” attribute. This ensures that, should anything go wrong, no credit card information will ever be submitted to our server – unnamed form fields are never submitted with the HTTP POST. The only relevant values that get submitted to our server are the purchase amount and the one-time-use token returned by the Stripe API.”
And this response from Stripe when I emailed them to ask about it:
“That blog post is correct – because no name attribute is set on the
form elements with sensitive data, they aren’t posted to your server.
As long as you hold to this model and only deal with the tokens that
stripe.js creates, you don’t need to be worried about PCI compliance.”
- The topic ‘[Plugin: WP Stripe] PCI compliance, Stripe, and "name" attribute on input tags’ is closed to new replies.