Which PCI Compliance needs carried out for flutter?

[lbk9]

Because of the ongoing issues with your CardField on Android I have to use the CustomCardPaymentScreen implementation from your example app. Your documentation does not say what PCI Compliance questionnaire is required to be completed for the flutter package, mobile SDK does not cover it.

Am I right in thinking that as long as I do not store any card details I do not need complete a questionnaire? If so then this is a non-issue as I make use of your API to generate payment methods and confirm payment intents.

[remonh87]

@lbk9 unfortunately it is quite impactful what you need to do: https://stripe.com/en-se/guides/pci-compliance . The fact that you use non certified screen components for handling card data is already sufficient enough request PCI compliance. Thats why we heavily (and also Stripe) advise against using it. I think Stripe can advice more precise about what you need to do.

I was able to convince my company to use the payment sheet which offers less customisation but we do not need to do the paperwork. https://stripe.com/docs/security/guide

[lbk9]

Is the CardField PCI compliant? Is the PaymentSheet able to generate paymentMethodIDs and confirm payment intents? If so I may look to switch over to it.

[lbk9]

Much appreciated @remonh87. If both widgets are PCI compliant does that mean there's no need to fill in a SAQ A form?

[remonh87]

you still need to fill it in but stripe does this for you:

"For users that have developed their own integration and are using either Checkout or Stripe.js and Elements to collect card details from customers, you are eligible for the simplest method of PCI validation: SAQ A. Stripe automatically creates a combined SAQ A and Attestation of Compliance (AoC) for you, available for you to download in your account’s compliance settings, and no action is required on your part to submit further proof of your PCI compliance." (Stripe docs)

see: https://stripe.com/docs/security/guide

[lbk9]

Sorry but that section of the docs is for Stripe Elements/Stripe.js are your stripe components not from the mobile SDK? I've just checked the documents in my Stripe dashboard settings and see no completed documentation.

[jamesblasco]

Please consider taking a deeper look at the security guide of the Stripe link that @remonh87 shared with you. In the Mobile SDK section:

Stripe’s mobile SDK development and change control is done in accordance with PCI DSS (requirements 6.3 - 6.5) and is delivered via our PCI validated systems. As such, we advise our users to rely on UI components from our official SDKs for iOS or Android, or to build a payment form with Elements in a WebView, to be eligible for the simplest form of PCI validation: SAQ A. If you only use our mobile SDKs or an Elements-based WebView, you can inform your PCI auditor that card numbers pass directly from your customers to Stripe.

Should you do otherwise, such as writing your own code to handle card information, you may be responsible for additional PCI DSS requirements (6.3 - 6.5) and not be eligible for an SAQ A. In this case, we’d suggest you reach out to a PCI Qualified Security Assessor (QSA) to determine how best to validate your compliance according to the current guidance from the PCI Council.

If your application is intended for your customers to enter their information on their own devices, then you qualify for SAQ A. If your application is used to accept card information for multiple customers on your device (e.g., a point of sale app), consult a PCI Qualified Security Assessor (QSA) to learn how best to validate your PCI compliance.

You can read here more about the sections that you would be responsible for: https://www.pcisecuritystandards.org/document_library

[remonh87]

I just went through the process and what you need to do is following:

• after around 20 transactions Stripe will give an advice about which PCI compliance you need.
• if you do not use custom UI for capturing but you use the standard Stripe components, you only need to do the SAQ A self-assessment