Patrick “P. J.” McDermott

Software and hardware hacker and advocate for software and cultural freedom.

Epirts.js, a free software replacement for Stripe.js

This is Epirts.js, a free software replacement for Stripe.js implementing a subset of the Stripe.js API.

With Epirts.js, a merchant can use Stripe to process payments and ensure that no non-free JavaScript programs are distributed to customers.

Downloading

Epirts.js is maintained in a Git repository, which can be cloned from git://git.pehjota.net/payments/epirts.js.git.

API

Epirts.js is compatible with Stripe.js version 2. Currently Epirts.js only supports validating and tokenizing payment cards.
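As an added illustration of the client-side card checks a Stripe.js v2-compatible library exposes (example code written for this page, not code from Epirts.js or Stripe; the method names Stripe.card.validateCardNumber, validateExpiry and validateCVC are assumed to match the Stripe.js v2 surface, and the sample card number is a constructed Luhn-valid value):

```javascript
// Minimal, dependency-free reconstruction of Stripe.js v2-style card checks.
// These only catch typos before the card is sent for tokenization; they are a
// usability aid, not a security control, and the card data never leaves the page.
const Stripe = { card: {} };

// Luhn mod-10 check on a 12..19 digit string (spaces and dashes tolerated).
Stripe.card.validateCardNumber = function (number) {
  const digits = String(number).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
};

// Expiry is valid if month is 1..12 and the card has not expired as of `now`.
// Two-digit years are treated as 20xx (a convention chosen for this example).
Stripe.card.validateExpiry = function (month, year, now = new Date()) {
  const m = parseInt(String(month).trim(), 10);
  let y = parseInt(String(year).trim(), 10);
  if (!Number.isInteger(m) || !Number.isInteger(y) || m < 1 || m > 12) return false;
  if (y < 100) y += 2000;
  // A card expires at the end of its expiry month, i.e. the first instant
  // of the following month is the first moment it is no longer valid.
  const expiresAt = new Date(y, m, 1);
  return expiresAt > now;
};

// CVC: exactly three or four digits; anything else is rejected.
Stripe.card.validateCVC = function (cvc) {
  return /^\d{3,4}$/.test(String(cvc).trim());
};
```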

Methods

PCI DSS Compliance

All merchants who accept payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS). Merchants classified in Levels 2 through 4 may complete an annual Self-Assessment Questionnaire (SAQ) instead of undergoing an on-site assessment.

E-commerce merchants who "fully outsource" all cardholder data processing to a PCI DSS compliant third-party payment processor (by redirecting to, or loading in an iframe, a payment page served by the payment processor) can file SAQ A. This applies to merchants who use the non-free Stripe.js program, because it loads a payment page from Stripe in an iframe.

E-commerce merchants who "partially outsource" their payment processing (e.g. by serving their own payment page and sending cardholder data to a payment processor by JSONP) must file the longer SAQ A-EP and have quarterly vulnerability scans performed by an Approved Scanning Vendor. This applies to merchants who use Epirts.js, because it uses JSONP instead of an iframe, to avoid causing the customer to run non-free JavaScript programs loaded by Stripe's payment page.

Therefore, under PCI DSS 3.0, Epirts.js may not be used to process live payment cards without first completing PCI SAQ A-EP and having an ASV perform quarterly vulnerability scans. Currently, the only way to control your store's checkout process and ensure that no non-free JavaScript programs are distributed to your customers is to use a program like Epirts.js (or process cardholder data directly on your server) and pay for a scanning service. Such is the state of payment processing.