I am in the process of looking for a SaaS solution for my clients where I just build React Commerce sites and let another service provider (Shopify for example) handle the hosting and updating of the ecommerce platform!
One of my biggest concerns is payments and PCI! I found the following guide on how to accept Credit Card payments here (more specifically the card vaulting part): https://help.shopify.com/api/guides/sell-through-the-checkout-api#card-vaulting
My issue is that this method involves my code controlling the flow of credit card information, much like the Stripe.js v2 endpoint. Previously this was all fine and dandy, however PCI updated its rules and made it so that if your code at any time (even on the client only) touches any credit card info it MUST be SAQ A-EP.
What I was hoping to be possible is to utilise Stripe Elements to get a code from Stripe which I could use in place of the credit_card on the /sessions POST endpoint. This way all of the CC info is only touched by Stripe and I only have to be SAQ A compliant (yay for not having to worry about firewalls, software updates, access logging and all that joyful crap!)
Also my site is going to be built via GraphQL. Now I'm 100% OK with just wrapping the Checkout API with a custom GraphQL server (also adding some extra awesomeness via subscriptions to get rid of that polling!) but is there any chance that the Storefront API (GraphQL API) will be getting CC/payment token any time soon?
Speaking of payment tokens, why not, whilst you add the StripePayment token to the /sessions POST endpoint, ALSO add Apple Pay and Google Pay so I can integrate awesome thumb powered payments to my custom checkout experience!