Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You really need to read the PCI-DSS standard before you make comments like that.

Rather than me point out exactly why what you just said was completely wrong, I suggest you download it from here:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1....

At the very least, read requirement 4. The simple fact is that they were allowing customers to enter their credit card details and submit that data over HTTP.



If they were using stripe how did they pass details through onto HTTP? as far as I remember their webhook won't even communicate with an unsecure page. They must be using some other payment gateway.


I sure hope they don't gather the data via calls to Stripe's API then push it out via HTTP (and vice versa!)


Oh brother - surely they weren't storing that data themselves?!?


Got it, thanks for the link.


It was in my original post!


I didn't follow every link you included, and didn't expect to argue about this – also, I didn't realize this was your post, my bad!

You can ignore my comment about the /payments page, I'll assume you checked that, so yeah, that's insane if you can update payment information on an insecure page.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: