Stripe.js - Handling sensitive customer data

Hello hello,

I’m using the stripe.js plugin to handle customer payments, and I’m trying to figure out if our app is in fact handling the sensitive payment details or not (we’re putting together a terms of use doc).

Looking at Stripe’s documentation, they say that using Stripe.js ensures that all sensitive data is handled by Stripe, so it is PCI compliant. But in the tokenization part of their API docs, they mention that it is only PCI compliant if the tokens are being generated at the client side. That confuses me because the tokens are generated within a bubble workflow.

Is someone able to clarify whether using the stripe.js plugin to handle customer payments using tokenization is PCI compliant or not? And additionally if there is anything specific we should include in our terms and conditions to this end?


Hey @MattN,

The Stripe.js plugin uses Stripe’s native JavaScript library to securely tokenize your user’s cards on their own computer, also known as client-side. Not every action or step in a Workflow is run server-side, and that is certainly the case with the Stripe.js plugin. It’s always best to contact the plugin developer first if you’re seeking more information regarding their plugins and how they’ve been structured. :slight_smile:

Okay great. If the customers card details are being tokenized client-side and never touch our (bubble’s) servers then I’m happy!

Thanks for clarifying :slight_smile: