Why do we trust Stripe to handle our billing?
We take security extremely seriously, so when searching for a payment processor with the same level of paranoia, we were happy to find Stripe.
1) End-to-end encryption from browser to payment processor
We use the recommended security best practices to integrate with Stripe. This includes using a client-side JavaScript library (Stripe.js) to ensure your browser encrypts and transmits billing info directly to Stripe for secure handling.
2) Industry-leading payment processor
Stripe processes billions of dollars' worth of transactions for thousands of companies, and is backed by industry-leading investors, including Sequoia Capital, Andreessen Horowitz, and PayPal co-founders Peter Thiel, Max Levchin, and Elon Musk.
3) Certified compliance with the highest security standards
Quoting from Stripe's security page:
- PCI: Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
- SSL/TLS and HSTS: Stripe forces HTTPS for all services, including our public website. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Chrome and Firefox.
- Disk encryption: All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines.
- Security in depth: Even Stripe's internal servers and daemons are not authorized to access plaintext card numbers; instead, they can just request that cards be sent to a whitelisted service provider. Stripe's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn't share any credentials with Stripe's primary services (API, website, etc.).