zlacker

[parent] [thread] 5 comments
1. agwa+(OP)[view] [source] 2020-04-21 18:28:37
This is a good reason to use a technique like cperciva's payment iframe: https://www.paymentiframe.com/

It lets you use stripe.js (thus getting the PCI compliance benefits) without Stripe being able to spy on your visitors.

replies(2): >>Znafon+78 >>ricard+pi
2. Znafon+78[view] [source] 2020-04-21 19:15:11
>>agwa+(OP)
While I trust him, how can we be sure that paymentiframe.com starts serving an iframe that steals the credit cards in the future?
replies(1): >>Kaze40+9c
◧◩
3. Kaze40+9c[view] [source] [discussion] 2020-04-21 19:41:29
>>Znafon+78
From the page:

> Why should I trust you?

> [...] If you're worried about both, consider this a proof-of-concept which you should replicate on your own server (using a separate domain name from the rest of your site).

replies(1): >>tgtwea+IR
4. ricard+pi[view] [source] 2020-04-21 20:25:33
>>agwa+(OP)
That is so ridiculously insecure I'm surprised the author has published it without a massive disclaimer.

Do NOT use an unknown third-party, without PCI qualification, to whom you have no contractual relationship, in between you and your payment provider.

replies(1): >>jedber+Er
◧◩
5. jedber+Er[view] [source] [discussion] 2020-04-21 21:33:07
>>ricard+pi
It says at both the top and bottom of the page not to trust him, and at the bottom it says to implement it yourself if you care about security.

Seems fairly "disclaimed" to me.

◧◩◪
6. tgtwea+IR[view] [source] [discussion] 2020-04-22 01:39:10
>>Kaze40+9c
Yeah nobody should be embedding this verbatim to process payments that will fail any pci audit.
[go to top]