Tags: stripe-payments, aws-lambda, pci-compliance, amazon-cognito

AWS Lambda stripe payment backend, PCI concerns?


I hope to build a mobile app that sends credit card information to an AWS Lambda microservice, which then submits that information to Stripe. I'm concerned about PCI compliance/security, and I'm wondering if there is something I'm missing. The following is my plan:

1) Users sign in using PCI-compliant passwords, are assigned unique IDs, and get Cognito access keys.

2) Users enter payment information in the mobile app. The app then sends that credit card data via POST request using HTTPS to a Cognito-authenticated AWS Lambda instance (API Gateway is used to create endpoints).

3) Upon a successful POST request the app deletes the local credit card data.

4) The Lambda instance decrypts encrypted Stripe secret access keys using KMS.

5) The Lambda instance uses the Stripe Node.js SDK to send the data to Stripe and stores Stripe tokens in databases.

6) At no point does the Lambda instance save ANY credit card data - it ONLY writes Stripe tokens to the database.

Is there anything I'm missing here? Is there something I should be concerned about?

EDIT:

Additional Info: Credit card details are collected within the app and stored in the app state until they are deleted. The HTTPS POST does not use Stripe tools because I'm using React Native.


Solution

  • Further to our discussion in the comments, you could write a service wrapper to POST the data directly to Stripe using their JavaScript API. You'd just need to embed the public API key in your app.

    See the solution in this blog post: http://blog.bigbinary.com/2015/11/03/using-stripe-api-in-react-native-with-fetch.html
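
A sketch of the direct-to-Stripe tokenization the answer describes, added here as an example and not taken from the original post or the linked blog. The function names and the key placeholder are hypothetical; the `/v1/tokens` endpoint and `card[...]` field names are Stripe's token API. The card data goes from the app to Stripe only, and the Lambda endpoint would receive just the returned token id.

```javascript
// Added example (not from the original answer). Helper names are hypothetical.
const STRIPE_TOKENS_URL = 'https://api.stripe.com/v1/tokens';

// Build the form-encoded tokenization request.
// Refuses anything that is not a publishable key, so a secret (sk_) key
// can never be shipped inside the mobile app by mistake.
function buildTokenRequest(publishableKey, card) {
  if (!/^pk_(test|live)_/.test(publishableKey)) {
    throw new Error('Only a publishable (pk_) key may be embedded in the app');
  }
  const fields = {
    'card[number]': card.number,
    'card[exp_month]': card.expMonth,
    'card[exp_year]': card.expYear,
    'card[cvc]': card.cvc,
  };
  const body = Object.keys(fields)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(String(fields[k])))
    .join('&');
  return {
    url: STRIPE_TOKENS_URL,
    options: {
      method: 'POST',
      headers: {
        Authorization: 'Bearer ' + publishableKey,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body,
    },
  };
}

// Send the card to Stripe and return only the token id.
// fetchImpl is injectable so the function can be exercised offline.
async function createCardToken(publishableKey, card, fetchImpl = fetch) {
  const { url, options } = buildTokenRequest(publishableKey, card);
  const res = await fetchImpl(url, options);
  const json = await res.json();
  if (!res.ok || json.error) {
    // Surface Stripe's message only; never echo the card fields.
    throw new Error(json.error ? json.error.message : 'Stripe tokenization failed');
  }
  return json.id; // send only this id to the Lambda endpoint
}
```

With this split, the Stripe secret key stays in KMS on the backend and the Lambda function never handles the card number, expiry or CVC.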