Posted on 18.05.2016
Very secure. All financial transactions are processed by Stripe, one of the world’s leading online payment service providers. Security is one of the biggest considerations in everything Stripe does. If you have any questions after reading this, or encounter any issues, please contact them directly at firstname.lastname@example.org.
Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Stripe forces HTTPS for all services, including their public website. They regularly audit the details of their implementation: the certificates they serve, the certificate authorities they use, and the ciphers they support. They use HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS pre-loaded lists for both Chrome and Firefox.
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).