Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
chrismorgan 5 days ago

Credit card payments on the web are older than JavaScript, and I don’t think that anything even today actually requires JavaScript—all the fancy security things I know of could be done easily enough with additional form submissions and/or meta redirects (alas for multipart/x-mixed-replace, it was never reliable and its removal is almost complete). Unfortunately, PCI DSS makes it expensive now to direct things via your own server, so a typical business will be at the mercy of what their payment gateway provides: and I don’t know if any popular ones will support JavaScript-free operation any more, even though it’s theoretically pretty easy.

geokon 5 days ago | parent [-]

"makes it expensive now to direct things via your own server"

can you expand on this? why expensive..?

i figured Visa and company would mandate some JS monstrosity. However ive had some really ancient weird credit card online forms in Asia that i suspect have no JS

chrismorgan 5 days ago | parent [-]

The Payment Card Industry has a set of Data Security Standards: if you want to accept cards, you must comply with their rules, or they may ban you. There are different degrees of compliance requirements. If someone else handles everything (e.g. external link or iframe), you get the easiest time: Self-Assessment Questionnaire A. If the data is actually in your DOM but you’re submitting to someone else (by form post or by JS), your burden is a little more, but still fairly small: SAQ A-EP. But if the card number is ever going to touch your server, you can’t use these things, and must go up to SAQ D which is several hundred questions long, and some of the requirements of which may be bothersome, involving things like quarterly penetration testing from approved vendors; and if you have a larger number of transactions, you end up needing mandatory full on-site audits.

(In practice, at the lower levels compliance is not typically validated, and I wouldn’t be surprised if less than 1% of e-commerce merchants were actually fully compliant even at SAQ A.)

geokon 5 days ago | parent [-]

Thanks for that! Really interesting :))