Stripe security

This article lists only a few of the many security measures that both Stripe and we have adopted to make your experience as secure as possible.

Credit card numbers

Credit card numbers are never shared with your site. Stripe creates a token that is exchanged with your server, and the Stripe plugin verifies its authenticity. This way we know that the payment confirmation is official and good, without ever needing to know the card number.

Security at Stripe

Stripe's documentation on their security measures is available here.

Transaction security

After the user finishes the transaction on the Stripe site, Stripe first sends a confirmation to the webhooks on your site, which is authenticated by the Stripe Plugin, and then returns the call. This makes it very hard to hack the transaction, as the intruder would need to have completely compromised your local network and DNS server.

Server security

Stripe tests your server before sending webhooks. In particular, the SSL certificate must be installed properly and have a proper validation chain; otherwise Stripe will refuse the connection. You will find a notice in the Stripe Dashboard when you inspect the webhooks. Beware: having Firefox or Chrome accept a certificate is not enough, as Stripe is far more thorough.

Fraudulent payments

The major risk that you as a website owner, and your Vendors if any, run is receiving a fraudulent payment. Typically, criminals purchase something small from a small website to test a credit card number they just stole or bought on the black market.

Eventually, possibly weeks from today, the credit card owner will realise he's been compromised, and disavow the "test" charge you received. In this case, Stripe may keep a hefty fee.

The only way around this is to check whether the purchase was collected, i.e. whether the ticket or downloadable product was downloaded, and to routinely check the names and emails of the customers, as very often the criminals stand out.

Since the adoption of SCA this has never happened to us: thanks to SCA, the user is most often prompted by Stripe themselves for more information to prevent fraud. This is typically information a thief wouldn't have, such as their address, or even a second authentication with a smartphone.