evanbikes

Reputation: 4171

Submitting credit card info through Stripe and validating

I am following Ryan Bates' Railscast on submitting payments to Stripe. He removes the name attribute of the credit card info so that no credit card info gets submitted to the server, only to Stripe through an ajax call.

This doesn't play well with jQuery Validation since it requires a name attribute.

I finally decided to go back to using the name attribute but set it to null in the Stripe callback.

My question is whether this is still a good, secure practice.

Upvotes: 4

Views: 2809

Answers (2)

Alex MacCaw

Reputation: 984

The reason we recommend not putting the name attributes in the form fields is so that you can be sure that the inputs will never be submitted to your server. This could happen, for example, if there was a JavaScript error in your client-side code capturing the form submit event.

Having said that, it's just a precaution, not a requirement.

Upvotes: 6
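
An added example, not part of the answer above and not Stripe's or the Railscast's code: a server-side safety net for the failure mode described there, where a JavaScript error lets named card fields reach the server. It walks the submitted params and reports any value that looks like a card number; the parameter names and sample requests are constructed, and a nested-Hash params shape (as in Rails) is assumed.

```ruby
# Added example. Assumption: params arrive as a nested Hash of strings.

# Luhn checksum: true when the digit string passes the card-number check.
def luhn_valid?(digits)
  sum = digits.reverse.each_char.each_with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?            # double every second digit from the right
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# True when a value looks like a card number (PAN): 13-19 digits,
# optionally separated by spaces or dashes, that pass Luhn.
def pan_like?(value)
  return false unless value.is_a?(String)
  return false unless value.match?(/\A[\d \-]+\z/)
  digits = value.delete(' -')
  digits.length.between?(13, 19) && luhn_valid?(digits)
end

# Walk nested params and return the key paths whose values look like a PAN.
# Only paths are returned, never values, so the result is safe to log.
def card_data_paths(params, prefix = nil)
  params.flat_map do |key, value|
    path = prefix ? "#{prefix}[#{key}]" : key.to_s
    case value
    when Hash
      card_data_paths(value, path)
    when Array
      indexed = value.each_with_index.map { |v, i| [i, v] }.to_h
      card_data_paths(indexed, path)
    else
      pan_like?(value) ? [path] : []
    end
  end
end

# Constructed sample: the request a server would see if the submit handler
# failed and the browser posted the form with named card fields.
# The number is a Luhn-valid test value, not a real card.
LEAKED = { 'order' => { 'email' => 'a@example.com',
                        'card_number' => '4242 4242 4242 4242',
                        'phone' => '555-123-4567' } }.freeze

# Constructed sample: the intended request, carrying only a token.
CLEAN = { 'order' => { 'email' => 'a@example.com',
                       'stripe_token' => 'tok_constructed' } }.freeze

puts card_data_paths(LEAKED).inspect
puts card_data_paths(CLEAN).inspect
```

In a Rails app a check like this could run in a `before_action` that rejects the request and logs only the offending paths, so a broken submit handler is noticed instead of silently delivering card numbers to the application and its logs.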

Alex

Reputation: 1668

For PCI compliance, submitting card details via AJAX is not recommended. I deal with card processing quite a lot and the best course of action is:

  1. make sure that the page is on an SSL connection (HTTPS)
  2. use the normal form POST method
  3. make sure your server configurations follow the PCI compliance requirements
  4. never store card details

You can read more about PCI compliance here: http://www.cisco.com/en/US/netsol/ns625/index.html

Do note that if you follow the proper PCI compliance requirements, the company that processes card details will have no problem becoming PCI compliant. A lot of banks have already started enforcing their clients to follow PCI compliance as a necessary requirement.

Upvotes: 1
