Not a webdev, so I'm curious: Have we reached the point where you can make credit card payments without JS?
(if not, what are the blockers?)
Credit card payments on the web are older than JavaScript, and I don’t think that anything even today actually requires JavaScript—all the fancy security things I know of could be done easily enough with additional form submissions and/or meta redirects (alas for multipart/x-mixed-replace, it was never reliable and its removal is almost complete). Unfortunately, PCI DSS makes it expensive now to direct things via your own server, so a typical business will be at the mercy of what their payment gateway provides: and I don’t know if any popular ones will support JavaScript-free operation any more, even though it’s theoretically pretty easy.
"makes it expensive now to direct things via your own server"
Can you expand on this? Why expensive..?
I figured Visa and company would mandate some JS monstrosity. However, I've had some really ancient weird credit card online forms in Asia that I suspect have no JS.
The Payment Card Industry has a set of Data Security Standards: if you want to accept cards, you must comply with their rules, or they may ban you. There are different degrees of compliance requirements. If someone else handles everything (e.g. external link or iframe), you get the easiest time: Self-Assessment Questionnaire A. If the data is actually in your DOM but you’re submitting to someone else (by form post or by JS), your burden is a little more, but still fairly small: SAQ A-EP. But if the card number is ever going to touch your server, you can’t use these things, and must go up to SAQ D which is several hundred questions long, and some of the requirements of which may be bothersome, involving things like quarterly penetration testing from approved vendors; and if you have a larger number of transactions, you end up needing mandatory full on-site audits.
(In practice, at the lower levels compliance is not typically validated, and I wouldn’t be surprised if less than 1% of e-commerce merchants were actually fully compliant even at SAQ A.)
Thanks for that! Really interesting :))
I think for such a trivial task as submitting a form with some data (such as CC info), JS was never required to begin with.
I believe you can do that without JS by using an HTML form containing the requisite user input fields.