Stripe / PCI compliance

This topic contains 4 replies, has 2 voices, and was last updated by Chris Dunst 2 weeks, 5 days ago.

  • #43762 Reply

    Hi Stephen,

    We’ve previously purchased numerous pro licenses, and also a Stripe licence.

    We’re looking at setting up another client with both pro and Stripe, so really need an answer on this before purchasing when you get a minute please.

    Please see my earlier unanswered post here: https://wp-event-organiser.com/forums/topic/stripe-add-on-pci-compliance/

    In summary – the Stripe add-on doesn’t look like card details are entered through small iframes as we see on e.g. Woo implementations.

    Not sure if I’ve missed something with your implementation, or missed a simple checkbox in settings or something, but needing PCI compliance is a blocker. I’m just not 100% sure the Stripe add-on is operating in a fashion where PCI compliance isn’t needed? If you could kindly advise one way or the other, I’d appreciate it.

    Thanks in advance.

    Chris Dunst
    #43789 Reply

    Hi Stephen, hope you’re well.

    Sorry to press you, but do you have any guidance on the Stripe / PCI compliance question please? We’re looking at going live next week, so will be purchasing a pro and Stripe licence if all is well.

    If the Stripe implementation requires PCI compliance as I suspect (although I note your extension sales page says it doesn’t), we might have to look at another solution to our needs.

    If you’re able to explain why PCI compliance isn’t needed, even though the form fields don’t use Stripe iframes, that’d put my mind at ease? Have I missed a setting for this? Or is there an option to link off to Stripe’s own site?

    Thanks in advance, and happy Easter.

    Chris.

    Chris Dunst
    #43798 Reply

    Hi Chris,

    Apologies again for the delay in getting back to you. I’ve posted a reply to your question on PCI compliance.

    To clarify, the Stripe extension uses the Stripe Elements library and no card data is handled by your servers. Stripe have provided details on PCI compliance here: https://docs.stripe.com/security/guide#validating-pci-compliance

    My understanding is that you will need to complete a short questionnaire (SAQ A).

    Stephen Harris
    #43803 Reply

    Thanks Stephen, I’m eternally grateful for your response, however my understanding is that with Stripe Elements, it uses small iframes, so when you key in card data, you’re keying it in on a Stripe page within the iframe.

    With your plugin, I can’t see the iframes – when the booking form is submitted, it’s being submitted to the same client server, along with the card data. Similarly a compromised site might have a js file that can read the card data keyed on the same site (as opposed to being unable to read data keyed into a small iframe).

    I’m sure you’d want to ensure this is handled the right way too – can I email you the site address so you can take a look? Could it be that our site has failed to load iframes, and fallen back to regular input fields?

    Thanks in advance,
    Chris

    Chris Dunst
    #43822 Reply

    Hi Stephen, please ignore this thread now, it was my mistake.

    We were looking at an older version of the Stripe plugin on a different client’s site, and it didn’t have the iframes.

    We purchased another licence for the recent client, and this one does have the iframes as one would expect, so all good.

    Thanks for your help.

    Chris Dunst
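
The check discussed in this thread (are the card fields Stripe iframes, or regular inputs posted to the site?), written as an added example that is not part of the thread or of the plugin's code. It assumes Elements frames are served from `js.stripe.com`; the function names, field names and sample HTML are constructed for illustration.

```javascript
// Added example: audit rendered checkout HTML for card fields that sit outside Stripe iframes.
// Assumption: Stripe Elements frames are served from the host js.stripe.com.
const STRIPE_FRAME_HOST = 'js.stripe.com';
const CARD_HINT = /card.?num|(^|[^a-z])cc.?(num|exp|csc)|cv[cv]/i; // heuristic name/id match

// Parse the attributes of one tag into a lower-cased name -> value map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<\s*\w+/, '').replace(/\/?>$/, '');
  for (const m of body.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  return attrs;
}

// Classify a page: card data typed into same-origin inputs, or only into Stripe-hosted frames.
function auditCardFields(html) {
  const stripeFrames = [];
  const rawCardInputs = [];
  for (const [tag, name] of html.matchAll(/<(iframe|input)\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    if (name.toLowerCase() === 'iframe') {
      let host = '';
      try { host = new URL(a.src || '').hostname; } catch { /* relative or empty src */ }
      if (host === STRIPE_FRAME_HOST) stripeFrames.push(a.src); // exact host, not a substring
      continue;
    }
    if ((a.type || 'text').toLowerCase() === 'hidden') continue; // token fields carry no card data
    const ac = (a.autocomplete || '').toLowerCase();
    const label = `${a.name || ''} ${a.id || ''}`;
    if (ac.startsWith('cc-') || CARD_HINT.test(label)) rawCardInputs.push(a.name || a.id || '(unnamed)');
  }
  const verdict = rawCardInputs.length ? 'raw-card-inputs'
    : stripeFrames.length ? 'stripe-iframes' : 'no-card-fields';
  return { stripeFrames, rawCardInputs, verdict };
}

// Constructed samples: an Elements-style mount versus plain inputs posted to the site itself.
const SAMPLE_IFRAME = `<form method="post" action="/booking">
  <div id="card-element"><iframe name="frame1" src="https://js.stripe.com/v3/elements-inner.html"></iframe></div>
  <input type="hidden" name="stripeToken" value=""></form>`;
const SAMPLE_RAW = `<form method="post" action="/booking">
  <input type="text" name="card_number" autocomplete="cc-number">
  <input type="text" name="card_cvc"><input type="text" name="email"></form>`;

console.log(auditCardFields(SAMPLE_IFRAME).verdict, auditCardFields(SAMPLE_RAW).verdict);
```

Elements mounts its frames with JavaScript, so run this against the rendered DOM (for example the page's `outerHTML` copied from the browser), not the raw server response.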