Greater minds than I will hopefully come along, but your app using Stripe does not store or process credit card numbers; it simply passes them on to Stripe & Braintree.
If you look at the data stored in your database it really is **** **** **** 1234 for the last four digits :)
Thanks Gorby. So no card data that's been submitted by the user will ever touch my server, only what's been processed by the payment provider and returned.
That's correct. When a payment form is submitted, the initial request with the credit card number, CVC and expiration date is sent to Stripe's servers; that data never touches yours.
Stripe returns a token that is then submitted to your server. If you dump the content of the $_POST request that actually makes it to your server, you'll see that there's no sensitive credit card info.
(That's how it generally works when working with Stripe. I don't use Spark, but I don't see why it would be any different.)
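The "dump $_POST and check" step above can be turned into a standing guard. The following is an added example, not code from this thread or from Spark or Stripe: it scans submitted form fields for Luhn-valid card numbers so a misconfigured form that posts raw card data (instead of a token) is caught and logged masked, never stored. The field names and sample values are constructed.

```python
import re

# Constructed samples: what a server should receive after client-side
# tokenisation (token only), versus a broken form that posted raw card data.
TOKENISED_POST = {"stripeToken": "tok_example_placeholder", "plan": "pro"}
RAW_CARD_POST = {"number": "4242 4242 4242 4242", "cvc": "123", "exp": "12/30"}

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to
# other digits (keeps ids and timestamps from matching).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(value: str) -> list[str]:
    """Return the digit strings in `value` that look like real card numbers."""
    found = []
    for m in PAN_CANDIDATE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the form the thread says the DB holds."""
    return "**** **** **** " + digits[-4:]


def audit_post(fields: dict) -> list[tuple[str, str]]:
    """List (field name, masked PAN) for every field carrying a card number.

    An empty list means the request is token-only, as intended; anything
    else should be rejected and alerted on, with only the masked value logged.
    """
    hits = []
    for name, value in fields.items():
        for pan in find_pans(str(value)):
            hits.append((name, mask_pan(pan)))
    return hits
```

Running `audit_post` on every incoming request to the billing endpoint gives you a concrete signal that tokenisation is still working, rather than a one-off manual dump.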
My apologies for resurrecting an older conversation but I have been having the same questions.
Surely a stored XSS within Spark would be sufficiently able to steal card information as it is being entered in the input on the site, before being submitted to Stripe? That is the attack path that I would follow.
Given that this page is on the Spark side, I have to wonder how much, if at all, PCI considered the site as a whole in scope as a result.
The only way around this to pull the site away from compliance would be better abstraction/segmentation. Something akin to PayPal's separate window or an embedded iframe.