[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Links to javascript-based websites from orgmode.org: Paypal and Gith

From: Bradley M. Kuhn
Subject: Re: Links to javascript-based websites from orgmode.org: Paypal and Github
Date: Sat, 26 Feb 2022 20:43:57 -0800

I'm a happy org-mode user who usually just lurks on the list, but I have some
expertise of note to share on the issue of taking donations and proprietary

I've spent much time over the last 25 years working for and/or helping to run
various non-profit organizations related to FOSS.  I've worked on the problem
of “how do you take donations while limiting the amount of proprietary
software both the donors and NPO staff have to use?” extensively.

To my knowledge, the current answers to these questions are:

 (0) You cannot take online donations by credit/debit card or ACH without

      (a) handling PCI-compliance rules yourself, which is a high burden and
          out of reach for most small organizations. (I have researched this
          extensively, and am pretty sure that the level of self-PCI
          compliance that would be required for this would mean the
          organization would need to employ at least one person who will
          spend almost full-time working on PCI compliance.)

      (b) having the donor run some proprietary Javascript [0].

 (1) It is impossible for an organization to take credit card donations
     without its staff sometimes using non-FOSS (usually in the form of
     proprietary Javascript).  It's very difficult to take ACH donations of
     any kind without the staff occasionally using proprietary software.

I'd be glad to discuss how I've come to these assessments in more detail if
that's useful to the discussion.  (However, I won't have time to check back
into this thread until Tuesday due to a deadline.)

I generally recommend PayPal to projects that want to minimize proprietary
Javascript because you cn often make it all the way through a PayPal
transaction (if you already have a PayPal account with a credit card attached
and you're in the USA) with Javascript fully turned off.  That's not saying
much, but it's better than other processors.  I retest that every 3-6 months;
the last time I tested it was November.

Comparatively, Stripe is particularly bad because they mandate that you load
their proprietary Javascript on your own page (see below in footnote for
more) if you want them to handle the PCI compliance.

[0] Someone mentioned liberapay — but it simply uses Stripe and/or PayPal
    underneath for the donations.  I just double checked this and noticed
    that the payment page has:
         <script src="https://js.stripe.com/v3/";></script>
    which is what Stripe requires if you want them to handle the PCI

  -- bkuhn

reply via email to

[Prev in Thread] Current Thread [Next in Thread]