
1134 points mtlynch | 2 comments

agwa No.22937839
This is a good reason to use a technique like cperciva's payment iframe: https://www.paymentiframe.com/

It lets you use stripe.js (thus getting the PCI compliance benefits) without Stripe being able to spy on your visitors.

replies(2): >>22938342 >>22938980

Znafon No.22938342
While I trust him, how can we be sure that paymentiframe.com won't start serving an iframe that steals credit cards in the future?
replies(1): >>22938592

Kaze404 No.22938592
From the page:

> Why should I trust you?

> [...] If you're worried about both, consider this a proof-of-concept which you should replicate on your own server (using a separate domain name from the rest of your site).

replies(1): >>22941169

tgtweak No.22941169
Yeah, nobody should be embedding this verbatim to process payments; that will fail any PCI audit.