
Is that true though? If you have XSS vulnerabilities on your website, someone can lift the CC info right from the form before posting of any data happens. I am not sure whether PCI talks about this but I sure would be worried about this.
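The comment above describes the gap a redirect-based flow leaves open: script injected into the merchant page runs before any form submission, so the browser-side policy on that page is what limits what injected script can load and where it can send data. The following is an added example, not code from any commenter or from Spreedly. It is a small Content-Security-Policy auditor for a checkout page: it parses a CSP header into directives and reports the weaknesses that matter for the pre-submit scenario (permissive script sources, unrestricted outbound connections, and a missing or loose `form-action`, which does not inherit from `default-src`). The payment origin `https://checkout.example-processor.test` and both sample policies are constructed placeholders.

```javascript
// Added example (not from the thread): audit a checkout page's CSP for the directives
// that limit what injected (XSS) script can do before the card form is submitted.

// Parse a CSP header value into { directiveName: [sourceExpression, ...] }.
function parseCsp(header) {
  const directives = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// A source list is permissive if it allows any origin, any scheme, or inline script.
function isPermissive(sources) {
  return sources.some(
    s => s === '*' || s === "'unsafe-inline'" || /^https?:$/.test(s) || /^https?:\/\/\*$/.test(s)
  );
}

// Audit a policy for a checkout page. paymentOrigin is the only origin the card
// form may be posted to (a hypothetical placeholder here). Returns a list of findings;
// an empty list means the checked directives are tight.
function auditCheckoutCsp(header, paymentOrigin) {
  const d = parseCsp(header);
  const findings = [];

  // script-src and connect-src fall back to default-src when absent.
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) findings.push('no script-src or default-src: any script origin allowed');
  else if (isPermissive(scriptSrc)) findings.push('script-src permits inline or wildcard script');

  const connectSrc = d['connect-src'] || d['default-src'];
  if (!connectSrc) findings.push('no connect-src: script may fetch()/XHR to any origin');
  else if (isPermissive(connectSrc)) findings.push('connect-src permits wildcard origins');

  // form-action does NOT fall back to default-src; it must be set explicitly.
  const formAction = d['form-action'];
  if (!formAction) findings.push('no form-action: the form target can be rewritten to any origin');
  else if (!(formAction.length === 1 && formAction[0] === paymentOrigin))
    findings.push(`form-action should be exactly ${paymentOrigin}`);

  return findings;
}

// Constructed sample policies for a merchant checkout page.
const PAYMENT_ORIGIN = 'https://checkout.example-processor.test'; // placeholder
const WEAK_POLICY = "default-src *; script-src 'self' 'unsafe-inline'";
const STRONG_POLICY =
  "default-src 'none'; script-src 'nonce-abc123'; connect-src 'self'; " +
  `img-src 'self'; style-src 'self'; form-action ${PAYMENT_ORIGIN}`;

// Convenience wrapper so both results can be inspected or asserted on.
function auditSamples() {
  return {
    weak: auditCheckoutCsp(WEAK_POLICY, PAYMENT_ORIGIN),
    strong: auditCheckoutCsp(STRONG_POLICY, PAYMENT_ORIGIN),
  };
}

for (const [name, findings] of Object.entries(auditSamples())) {
  console.log(`${name}: ${findings.length === 0 ? 'no findings' : findings.join('; ')}`);
}
```

The auditor only covers the three directives most relevant to reading and exfiltrating form data before submit; image beacons (`img-src`) and other fetch directives also inherit from `default-src`, so a real review would extend the same check to them. CSP reduces the blast radius of an injected script on the merchant page; it does not change the PCI scoping point made in the thread.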


We (at Spreedly) have talked to several QSAs about this question, and their take is that using a redirect removes the application from PCI scope. It's a really good illustration of how PCI != security.


I don't know if it's true. That's a great point that you raise. It'd be nice for a PCI expert to weigh in. :)

