We use Stripe to process credit card payments on our website. Stripe is certified as PCI Service Provider Level 1 — the most stringent level of certification possible.
Are you storing my credit card number on your site?
No we don’t! We never touch or handle your credit card information in any way! When you enter your credit card information during the checkout it is entered and sent straight into Stripe’s secure environment through a hosted form. At no point can we see or store your credit card in our systems.
How secure is Stripe?
Stripe is certified as PCI Service Provider Level 1 — the most stringent certification available. Here’s some key points in their own words:
SSL and HSTS
Stripe forces HTTPS for all services, including our public website. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Chrome and Firefox.
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).