Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we make use of best-in-class security tools and practices to maintain a high level of security at Stripe.
HTTPS and HSTS for secure connections
Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard.
We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.
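As an added example, not Stripe's code and not part of the original page, the Go program below does the header-side half of such an audit: it parses a Strict-Transport-Security value the way RFC 6797 describes (directives separated by `;`, case-insensitive names, a mandatory max-age that may not repeat, unknown directives ignored) and then checks the parsed policy against the conditions hstspreload.org applies before a domain is added to the Chrome and Firefox preload lists: a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload token. The header values in `main` are constructed samples, not captured from any real site, and the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64 // seconds the browser must treat the host as HTTPS-only
	IncludeSubDomains bool
	Preload           bool
}

// preloadMinMaxAge is the smallest max-age hstspreload.org accepts (one year).
const preloadMinMaxAge = 31536000

// ParseHSTS parses a header value per RFC 6797: directives are separated by
// ';', names are case-insensitive, values may be quoted, max-age is mandatory
// and must not repeat, and directives this code does not know are ignored.
func ParseHSTS(value string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(value, ";") {
		directive := strings.TrimSpace(raw)
		if directive == "" {
			continue
		}
		name, val, hasVal := strings.Cut(directive, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		val = strings.Trim(strings.TrimSpace(val), `"`)
		switch name {
		case "max-age":
			if !hasVal {
				return p, errors.New("max-age directive has no value")
			}
			if seenMaxAge {
				return p, errors.New("max-age directive repeated")
			}
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age %q", val)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, errors.New("missing mandatory max-age directive")
	}
	return p, nil
}

// PreloadProblems returns the reasons a policy would be rejected by the
// preload list; an empty result means the header itself is preload-ready.
func PreloadProblems(p HSTSPolicy) []string {
	var problems []string
	if p.MaxAge < preloadMinMaxAge {
		problems = append(problems, fmt.Sprintf("max-age %d is below the one-year minimum %d", p.MaxAge, preloadMinMaxAge))
	}
	if !p.IncludeSubDomains {
		problems = append(problems, "includeSubDomains directive missing")
	}
	if !p.Preload {
		problems = append(problems, "preload directive missing")
	}
	return problems
}

// AuditHSTS parses a header value and reports whether it is preload-ready.
// Browsers only honour HSTS received over an error-free HTTPS connection, so
// a header seen on a plain-HTTP response is reported as ineffective.
func AuditHSTS(value string, overTLS bool) (HSTSPolicy, []string, error) {
	if !overTLS {
		return HSTSPolicy{}, nil, errors.New("HSTS header received over plain HTTP is ignored by browsers")
	}
	p, err := ParseHSTS(value)
	if err != nil {
		return p, nil, err
	}
	return p, PreloadProblems(p), nil
}

func main() {
	// Constructed sample header values, not captured from any real site.
	samples := []string{
		"max-age=300",                                  // too short, no subdomains, no preload
		"max-age=63072000; includeSubDomains; preload", // two years, preload-ready
		"includeSubDomains; preload",                   // invalid: no max-age
	}
	for _, s := range samples {
		p, problems, err := AuditHSTS(s, true)
		fmt.Printf("%-48q -> policy=%+v problems=%v err=%v\n", s, p, problems, err)
	}
}
```

The check is deliberately about the header alone; the preload list also requires a valid certificate chain and a redirect from HTTP to HTTPS on the same host, which need a live connection and are outside this offline example.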
Encryption of sensitive data and communication
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
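As an added example, not Stripe's code and not part of the original page, the Go program below models the split described above: a `Vault` type holds the AES-256 key and the encrypted records, the API layer holds only opaque tokens, and the single operation that decrypts is a forward to a provider on a static whitelist, which returns nothing but the last four digits to the caller. The provider names, the `tok_` token format and the `send` callback are assumptions made for this illustration; the key and card number are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault models the separate infrastructure that holds the AES-256 key. The
// primary services never hold a reference to the key or to a plaintext PAN;
// they only hold tokens and can only ask the vault to forward a card onward.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || AES-256-GCM ciphertext
	allowed map[string]bool   // static whitelist of providers a PAN may go to
}

// NewVault takes a 32-byte key (AES-256) and the fixed list of providers.
func NewVault(key []byte, providers []string) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &Vault{aead: aead, records: map[string][]byte{}, allowed: map[string]bool{}}
	for _, p := range providers {
		v.allowed[p] = true
	}
	return v, nil
}

// Store encrypts a card number and returns an opaque token. The token is all
// the API service keeps; the ciphertext is bound to the token through GCM
// additional data, so a record cannot be re-labelled with another token.
func (v *Vault) Store(pan string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw) // hypothetical token format
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	v.records[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, nil
}

// Forward is the only code path that decrypts. It releases the PAN solely to
// a whitelisted provider through send and returns just the last four digits,
// so the API service still never sees the full number.
func (v *Vault) Forward(token, provider string, send func(provider, pan string) error) (string, error) {
	if !v.allowed[provider] {
		return "", fmt.Errorf("provider %q is not on the whitelist", provider)
	}
	ct, ok := v.records[token]
	ns := v.aead.NonceSize()
	if !ok || len(ct) < ns {
		return "", errors.New("unknown token")
	}
	pan, err := v.aead.Open(nil, ct[:ns], ct[ns:], []byte(token))
	if err != nil || len(pan) < 4 {
		return "", errors.New("record failed authentication")
	}
	if err := send(provider, string(pan)); err != nil {
		return "", err
	}
	return "****" + string(pan[len(pan)-4:]), nil
}

func main() {
	key := make([]byte, 32) // demo only: a real key lives on the vault hosts, never in code
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, err := NewVault(key, []string{"acquirer.example"}) // hypothetical provider
	if err != nil {
		panic(err)
	}
	token, _ := vault.Store("4242424242424242") // constructed sample card number
	deliver := func(provider, pan string) error {
		fmt.Printf("vault -> %s: sending card ending %s\n", provider, pan[len(pan)-4:])
		return nil
	}
	masked, err := vault.Forward(token, "acquirer.example", deliver)
	fmt.Println("API service received:", masked, err)
	_, err = vault.Forward(token, "attacker.example", deliver)
	fmt.Println("non-whitelisted provider:", err)
}
```

The point of the shape is that there is no `Decrypt` method for the API layer to call: the decrypted bytes exist only inside `Forward`, between the whitelist check and the delivery to the provider.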
A TLS (SSL) certificate lets your browser verify that it is talking to our servers, and the TLS session it authenticates encrypts the information exchanged between our servers and your device. We use a particular kind of certificate, an Extended Validation (EV) certificate, for which the certificate authority vets the legal identity of the organization before issuing it. The following information was taken from our provider's site in July 2017. Note that the green address bar it describes was how browsers displayed EV certificates at that time; major browsers have since stopped showing the organization name in the address bar, and the encryption itself is the same with or without EV:
What is an Extended Validation (EV) SSL Certificate?
Extended Validation (EV) is the highest class of SSL Certificate available. It uses the same powerful encryption as other SSLs, but getting one requires a thorough vetting of the applicant's business. Only those businesses that pass this process will receive an EV SSL Certificate. Anyone who sees the green address bar while on your site knows instantly they’re on a legitimate website.
Before we grant an EV Certificate, one of our staff members verifies that the business listed on the application is:
You'll need to pass this vetting process every two years to keep your Extended Validation (EV) SSL. Any business that sells products or accepts payment information online should use an Extended Validation (EV) SSL Certificate.
Unlike other SSL Certificates, Extended Validation (EV) SSL Certificates display a prominent visual sign that visitors quickly recognize. The address bar on their browser turns green when they're on an EV-secured website, showing them your business is legitimate.
Nearly everyone has had the experience of almost buying something online, only to leave the site before submitting their order because they didn't feel safe.
Any website protected by an EV SSL will display a green address bar in addition to the padlock and HTTPS prefix. It shows shoppers they're on an encrypted website and that their credit card information and any other sensitive data they've submitted are secure.