Regarding PCI compliance, the following Stripe docs require the extension to serve the payment form within an IFRAME served off a stripe.com server, which is not the case with your Stripe extension, which is served within the Magento checkout page. So how is it PCI compliant although it doesn’t use an IFRAME?
Stripe PCI DSS guidelines (https://stripe.com/docs/security#pci-dss-guidelines):
All Stripe users must be compliant with the PCI Data Security Standards (PCI DSS). Checkout and Stripe.js meets the requirements and security constraints of the Self-Assessment Questionnaire (SAQ), SAQ A, by performing all transmission of sensitive cardholder data within an IFRAME served off of a stripe.com domain that is controlled by Stripe.
It means that the IFRAME is on the Stripe domain (server).
But your Stripe extension doesn’t use IFRAME, all the card input fields are part of the Magento checkout page which is on Magento installation domain (server). Is that right?
As long as you serve your payment pages over TLS, and use either Checkout or Stripe.js as the only way of handling card information, Stripe automatically creates a prefilled SAQ A questionnaire for you, and you won’t need to undergo a PCI audit.
Maybe Stripe.js creates an IFRAME dynamically; ask Stripe support about it.
Now Stripe provides native support for IFRAMEs with the Elements technology.
My extension has used this technology since version 2.2.0.
Checkout and Elements host all form inputs containing card data within an IFRAME served from Stripe’s domain—not yours—so your customers’ card information never touches your servers.
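A small offline check of the kind the question above asks for, added here as an example and not part of this thread or of the extension: it scans saved checkout HTML and reports any card-data inputs rendered in the merchant's own DOM (which would break the SAQ A scope) versus iframes served from a stripe.com domain. The two sample forms, the iframe src paths and the attribute heuristics are constructed assumptions, not Stripe's actual markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for inputs that collect cardholder data (assumptions): HTML autocomplete
# tokens, the legacy data-stripe="..." convention, and common field-name fragments.
CARD_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}
CARD_DATA_STRIPE = {"number", "cvc", "exp-month", "exp-year"}
CARD_NAME_HINTS = ("cc_number", "card_number", "cardnumber", "cvc", "cvv")


class CheckoutScanner(HTMLParser):
    """Collect card-data <input>s in the merchant page and the hosts of all iframes."""

    def __init__(self):
        super().__init__()
        self.card_inputs = []
        self.iframe_hosts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframe_hosts.append(urlparse(a["src"]).hostname or "")
        elif tag == "input":
            name = (a.get("name") or a.get("id") or "").lower()
            if (a.get("autocomplete") in CARD_AUTOCOMPLETE
                    or a.get("data-stripe") in CARD_DATA_STRIPE
                    or any(h in name for h in CARD_NAME_HINTS)):
                self.card_inputs.append(name or a.get("data-stripe"))


def is_stripe_host(host):
    """True only for stripe.com itself or a subdomain of it (no suffix tricks)."""
    return host == "stripe.com" or host.endswith(".stripe.com")


def saq_a_shape(html):
    """Return (eligible, findings): eligible means no card inputs live in the
    merchant DOM and at least one iframe is served from a stripe.com domain."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    findings = [f"card input in merchant DOM: {n}" for n in scanner.card_inputs]
    if not any(is_stripe_host(h) for h in scanner.iframe_hosts):
        findings.append("no iframe served from a stripe.com domain")
    return (not findings, findings)


# Constructed samples: a legacy page with raw card fields, and an Elements-style page.
LEGACY_FORM = """<form id="payment"><input data-stripe="number" name="cc_number">
<input data-stripe="cvc" name="cvc"><iframe src="https://www.example.com/widget"></iframe></form>"""
ELEMENTS_FORM = """<form id="payment"><div id="card-element">
<iframe src="https://js.stripe.com/v3/card-element-example.html" title="Secure card input"></iframe>
</div><input type="hidden" name="stripeToken"></form>"""
```

Run `saq_a_shape` over the rendered checkout page (e.g. saved from the browser after the payment step loads) rather than the server template, since Elements injects its iframe at runtime.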