0
votes

Setup:

  1. Mobile uses Stripe to get credit card token.
  2. Mobile sends token to Server 1.
  3. Server 1 gets credit card details using the token.
  4. Immediately, Server 1 encrypts the details and sends them to a PCI DSS compliant Server 2 over an SSL connection.

Does Server 1 have to be PCI DSS compliant?


1 Answer

3
votes

Your setup won't work. You cannot get raw credit card details from a Stripe token. Even if you could, you'd still be handling sensitive information and would have to be PCI compliant.

For your flow to work you'd have to send the raw details to Server 1, which puts you in the SAQ D category of PCI compliance (the harshest one): https://stripe.com/docs/security#validating-pci-compliance
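Added example (not from either post above): an input guard for Server 1's payment endpoint that accepts only a Stripe token and rejects any field that looks like a raw card number, so the server never handles PAN data and the flow stays token-only. The `tok_` prefix is an assumed token format; the card numbers in the comments are constructed test values.

```python
import re
from typing import Any, Mapping

# Assumed format: Stripe card tokens are opaque ids starting with "tok_".
TOKEN_RE = re.compile(r"^tok_[A-Za-z0-9]+$")
# A run of 13-19 digits (optionally separated by spaces or dashes) is a
# candidate PAN; it is confirmed with a Luhn check below.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit run that passes Luhn."""
    for m in PAN_CANDIDATE_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return True
    return False


def validate_payment_request(body: Mapping[str, Any]) -> dict:
    """Accept only a Stripe token; refuse anything resembling raw card data.

    Rejecting PAN-like input up front keeps Server 1 from ever storing,
    logging or forwarding a card number, which is what would pull it into
    PCI scope (SAQ D in the answer above).
    """
    for key, value in body.items():
        if isinstance(value, str) and looks_like_pan(value):
            return {"ok": False, "error": f"raw card number in field '{key}'"}
    token = body.get("token")
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        return {"ok": False, "error": "missing or malformed Stripe token"}
    # The token is the only card reference the server keeps or forwards.
    return {"ok": True, "token": token}
```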