Question
I've noticed current credit card gateways like Stripe and WePay encourage sending the credit card number via their JS framework (which would use some iframe JSONP magic to pass the data).
To my knowledge this way you don't need to worry about much of PCI compliance other than using SSL.
I understand that storing it can lead to many issues, from how it's stored (strength of encryption), to protecting against employees' access to the database, to protecting the database from SQL injection, etc. But if it's not being stored, how could the data be compromised? If I'm worried about someone getting into my server and modifying the files to direct the data to themselves, then it won't make a difference what my code is.
My question is, what indeed are the security risks of having my server send the cc info (even without storing it) over having it sent by the browser/client?
Explanation / Answer
The risks are more on the client end of things than your server side. What I mean by that is, as a consumer, I do not want my data going to your server for "processing" which then gets sent over to Stripe/WePay. I don't know how you're transmitting the data or whether or not you're not storing it the way you say you are. Also, from the consumer side of things, if you're not PCI compliant I wouldn't go near your systems.
If you did, however, want to do the processing, you'd have to find a server-side library (which I've not looked into) and make sure the data being passed is sent securely from the client to you and from you to the transaction handler.
The risks are the same on both sides, MITM. If I know my connection to the service is safe why would I risk using your system as a MITM?
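Added example, not part of the original question or answer: when the browser sends the card number straight to the gateway, the merchant server should only ever receive a token, and this guard rejects any parsed request body that still carries a Luhn-valid card number. The field name `gatewayToken` and the sample values are hypothetical and constructed for illustration.

```javascript
// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits, optionally separated by single spaces or dashes.
const PAN_RUN = /\d(?:[ -]?\d){12,18}/g;

// True if the text contains a digit run that passes the Luhn check.
function containsPan(text) {
  for (const m of text.matchAll(PAN_RUN)) {
    if (luhnValid(m[0].replace(/[ -]/g, ""))) return true;
  }
  return false;
}

// Walk a parsed JSON body and return the paths of fields holding PAN-like values.
function panFields(value, path = "") {
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) =>
      panFields(v, path ? `${path}.${k}` : k));
  }
  return containsPan(String(value)) ? [path] : [];
}

// Accept a checkout request only if it carries a token and no card number.
// "gatewayToken" is a hypothetical field name, not any gateway's real API.
function checkCheckout(body) {
  const leaked = panFields(body);
  if (leaked.length > 0) return { ok: false, status: 400, leaked };
  if (typeof body.gatewayToken !== "string" || body.gatewayToken === "") {
    return { ok: false, status: 400, leaked: [] };
  }
  return { ok: true, status: 200, leaked: [] };
}
```

The guard reports only field paths, never the matched digits, so a rejected request does not copy the card number into logs.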