The http://js.recurly.com/ site doesn't link to or mention recurly.com (or that it's a payment provider service) anywhere. As a result, I was pretty confused when the intro video started mentioning the "Recurly API" - I was also wondering how an open source JavaScript form library could possibly handle payments.

Suggestion: add the text "a JavaScript library for the Recurly payments API" (or equivalent) somewhere on the page!
PCI compliance is about maintaining a secure network, transmitting information securely, logging access in case of a breach, and access controls. Recurly.js minimizes your compliance scope because the sensitive data does not pass through your network.

You are still required to maintain a secure network so that malicious code does not end up on your site. This means protecting your site from cross-site scripting. If your site is running untrusted JavaScript code, your users could end up being redirected to a phishing site regardless of how you implement your order form (including linking offsite to a hosted page). As long as your server is secure, Recurly.js is secure.

The one scenario that is being pointed out here is from a malicious merchant. We work to make it easier for a merchant to be PCI compliant. If they are malicious and want to defraud their own customers, there are easier ways to post the credit card numbers straight to your server without our software.
How is this PCI compliance?

You're exposing the credit card number in the input field of the original publisher's HTML page. This means that the publisher can pick up the credit card number himself, or an included third-party JavaScript library (like Google Analytics) can.
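The point raised here (any script loaded on the publisher's checkout page can read the card fields) and the Recurly reply's mitigation (keep untrusted script off that page) can be checked mechanically. The following is an added example, not code from the thread or from Recurly: it audits the script origins a checkout page loads against an allowlist and derives a Content-Security-Policy that lets only the page's own origin and js.recurly.com run script. The sample page HTML, the shop origin `https://shop.example` and the script paths are constructed for illustration.

```javascript
// Added example (not Recurly's code). Audits which origins a checkout page
// loads scripts from and derives a CSP so only allowlisted script can run.

const SCRIPT_SRC_RE = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
// <script> tags with no src attribute (inline blocks).
const INLINE_SCRIPT_RE = /<script\b(?![^>]*\ssrc\s*=)[^>]*>/gi;

// Origin (scheme + host) of every external script on the page, relative
// paths resolved against the page's own origin. Insertion order is kept.
function scriptOrigins(html, pageOrigin) {
  const origins = new Set();
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    origins.add(new URL(m[1], pageOrigin).origin);
  }
  return [...origins];
}

// Report script origins not on the allowlist, plus the number of inline
// <script> blocks: both can read the card inputs just like Recurly.js can,
// and CSP can only permit inline script via nonces or 'unsafe-inline'.
function auditCheckoutPage(html, pageOrigin, allowedOrigins) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const unexpected = scriptOrigins(html, pageOrigin).filter(o => !allowed.has(o));
  const inlineCount = (html.match(INLINE_SCRIPT_RE) || []).length;
  return { unexpected, inlineCount };
}

// script-src limited to 'self' plus the allowlisted hosts: an injected or
// stray third-party script is refused by the browser before it can run.
function buildCsp(allowedOrigins) {
  return `default-src 'self'; script-src 'self' ${allowedOrigins.join(' ')}; object-src 'none'`;
}

// Constructed sample checkout page: Recurly.js, the shop's own bundle, a
// stray analytics tag and one inline block.
const SAMPLE_PAGE = `
<html><head>
<script src="https://js.recurly.com/recurly.js"></script>
<script src="/assets/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>window.dataLayer = [];</script>
</head><body><form id="billing"><input name="number"></form></body></html>`;

const PAGE_ORIGIN = 'https://shop.example';   // constructed
const ALLOWED = ['https://js.recurly.com'];    // the only third-party script host

console.log(auditCheckoutPage(SAMPLE_PAGE, PAGE_ORIGIN, ALLOWED));
console.log(buildCsp(ALLOWED));
```

Run against the sample page it flags www.google-analytics.com as an unexpected script origin and counts one inline block; the returned CSP is what the server would send on the billing page.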
This is nice, but I sort of wish it stated more bluntly that it requires jQuery.

I also wish it didn't depend on jQuery, but that's just personal preference.
This is very nicely done. I would like to see a long-form explanation from Recurly about the safety implications of this, however. Maybe it really is brilliantly bullet-proof, but please explain.
Is this accessible for audio browsers? Screen readers navigating by form elements will be pretty lost without <label>s (and WAI-ARIA attributes for rich components, but one thing at a time).

Would hate to be the site that tried to simplify their billing but got an accessibility lawsuit[1] for their troubles.

[1]: http://en.wikipedia.org/wiki/National_Federation_of_the_Blind_v._Target_Corporation