Comment 1 for bug 1774892

Jeanette Lundgren (jlundgren) wrote :

If we don't upgrade to v3 then Stripe Evergreen sites will need to file for annual compliance using the PCI Data Security Standard Self-Assessment Questionnaire A-EP (https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-SAQ-A_EP.pdf) for partially outsourced e-commerce merchants using a third-party website for payment processing. This places the compliance burden on us, not Stripe.

If we do upgrade to v3, the vendor will continue to file for compliance:

Stripe: For some context, the PCI Council has published a series of changes to eligibility requirements for Self-Assessment Questionnaire A (SAQ A). These require that businesses use input fields hosted by a payments provider in order to be eligible for the simplest PCI validation method (SAQ A). We've designed Stripe Elements with these changes in mind so that you can continue to validate using SAQ A without losing much of the flexibility and customization of a form hosted on your website if you migrate to v3.