Stripe PCI Validation



From time to time, Stripe will ask you to validate your PCI compliance. This requirement sounds scary and rather hard to do, but the good news is that it is a lot easier than it sounds!

Since September 2019, any newly created Donorfy Stripe Web Widgets and standard Donorfy Campaign pages are SCA compliant and are designed so that credit card details are never transmitted, processed or stored on computers or other devices owned by either Donorfy or yourselves.

Specifically, someone making a donation via a Web Widget or the standard Donorfy Campaign page types their card details into their browser on their own computer, and those details are sent directly to Stripe - i.e. not back to Donorfy and not back to your own web server.


Stripe provides a Knowledge Base article about integration security, and within that article is a link to the Self-Assessment Questionnaire (SAQ) that the Web Widget or the standard Donorfy Campaign page falls within. Because the card details are entered only into Stripe-hosted fields, this is the shortest questionnaire (SAQ A), so it is just a case of completing and submitting it.


Older style Web Widgets (created before September 2019) require additional compliance validation, as described in the following paragraph from the Stripe documentation:

"If you continue to use Stripe.js v2, you’ll be required to upload your SAQ A-EP annually to prove your business is PCI compliant. As this is more complex, we recommend you work with SecurityMetrics if you require additional assistance in completing your SAQ A-EP."


This is a lot harder and requires a lot more work, so we would suggest upgrading your existing Web Widgets to the newer version so that the PCI requirements are easier to comply with. The added benefit is that the new Web Widgets are SCA compliant too! See the article Updating Your Web Widgets to Use Strong Customer Authentication (SCA) to update existing Widgets, or just create a new one.
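If you are not sure which of the two situations above a given donation page is in, a quick check against the page's saved HTML answers it. The script below is an added example, not Donorfy's or Stripe's code. It assumes Stripe.js is loaded from js.stripe.com with the major version in the URL path (v2 or v3), and it uses a simple heuristic for the other thing that must never happen: a card-related input with a name attribute, which the browser would submit to your own server rather than to Stripe. The sample HTML fragments are constructed for the example.

```javascript
// Added example (not Donorfy or Stripe code): classify a donation page's
// Stripe integration from its HTML so you know which SAQ you are likely in.
//
// Assumptions:
//  - Stripe.js is loaded from js.stripe.com with the major version in the
//    path (https://js.stripe.com/v2/ or https://js.stripe.com/v3/).
//  - A card-related <input> that carries a name= attribute will be submitted
//    with the form to your own server, which is exactly what must not happen.
//    This is a heuristic; review the hits by hand.

const STRIPE_JS_RE =
  /<script\b[^>]*\bsrc\s*=\s*["']?(?:https?:)?\/\/js\.stripe\.com\/(v\d+)\b/gi;
const NAMED_INPUT_RE = /<input\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi;
const CARD_FIELD_RE = /card|cvc|cvv|\bpan\b|expir/i;

// Returns the sorted, de-duplicated list of Stripe.js major versions loaded.
function findStripeJsVersions(html) {
  const versions = new Set();
  for (const m of html.matchAll(STRIPE_JS_RE)) versions.add(m[1].toLowerCase());
  return [...versions].sort();
}

// Returns the name= values of inputs that look like card fields; any hit
// means card data would be posted to your own server, not only to Stripe.
function findNamedCardInputs(html) {
  const hits = [];
  for (const m of html.matchAll(NAMED_INPUT_RE)) {
    if (CARD_FIELD_RE.test(m[1])) hits.push(m[1]);
  }
  return hits;
}

// Combines both checks into a verdict. "A-EP" for Stripe.js v2 is Stripe's
// stated requirement (quoted on this page); "A" for v3 Elements/Checkout is
// Stripe's published guidance for card data kept in Stripe-hosted fields.
function classifyStripeIntegration(html) {
  const versions = findStripeJsVersions(html);
  const namedCardInputs = findNamedCardInputs(html);
  let saq;
  let note;
  if (namedCardInputs.length > 0) {
    saq = 'not A or A-EP';
    note = `card fields ${namedCardInputs.join(', ')} are submitted to your own server`;
  } else if (versions.length === 0) {
    saq = 'unknown';
    note = 'no Stripe.js script tag found';
  } else if (versions.includes('v2')) {
    saq = 'A-EP';
    note = 'Stripe.js v2: card data passes through your page script; upload SAQ A-EP annually';
  } else {
    saq = 'A';
    note = 'Stripe.js v3: card data entered only into Stripe-hosted fields';
  }
  return { versions, namedCardInputs, saq, note };
}

// Constructed sample fragments, not real Donorfy widget markup.
const SAMPLE_OLD_WIDGET = `
<script type="text/javascript" src="https://js.stripe.com/v2/"></script>
<form id="donate"><input data-stripe="number"><input name="amount"></form>`;
const SAMPLE_NEW_WIDGET = `
<script src="https://js.stripe.com/v3/"></script>
<form id="donate"><div id="card-element"></div><input name="amount"></form>`;
const SAMPLE_SELF_HOSTED = `
<form action="/donate" method="post">
  <input name="card_number"><input name="cvc"><input name="amount"></form>`;

for (const [label, html] of [
  ['old widget', SAMPLE_OLD_WIDGET],
  ['new widget', SAMPLE_NEW_WIDGET],
  ['self-hosted form', SAMPLE_SELF_HOSTED],
]) {
  const r = classifyStripeIntegration(html);
  console.log(`${label}: SAQ ${r.saq} (${r.note})`);
}
```

Run it with Node against the saved HTML of the page that embeds your widget (for example, read the file and pass its contents to classifyStripeIntegration). A v2 hit, or any named card input, is the signal that the simpler questionnaire does not apply and the widget should be upgraded as described above.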


