Questions relating to the security of the Silver Membership credit card process
THE WHOLE CREDIT CARD PROCESS IS HANDLED BY STRIPE
Stripe is a huge international company like PayPal. Squarespace (the company whose system I used to build the website) only allows us to use Stripe for connecting member areas to banks, but allows PayPal for other areas which require less sophistication. I connected the Stripe system to my website at one end and my bank account at the other. I see very little of the payment information.
For each new member that joins I get three emails with overlapping information. They and the various panels I can access on the Stripe site show the person’s name, how much they paid, their email address, the state and country where they live (but not their address) and the type of credit card and only the last four numbers on the card. That’s only four of sixteen numbers!
Stripe’s web address for me here in Australia is as follows (I can’t seem to set it for non-country specific):
I wrote the following request to Stripe:
“Sent: 10/22/2022, 3:30 AM
To: support@stripe.com
Subject: Stripe Security for customers' credit cards
Hi, I've been asked by a couple of members in my group how their credit card security is guaranteed by Stripe, i.e. can I see their CC numbers etc. Do you have a web document or similar that I can direct them to or something I can copy to the group that demonstrates that in easy to understand terms? Cheers, Mike Bysouth”
and got the following reply:
“Hi Mike,
Thanks for reaching out, and I hope you are doing well. I understand that you’re looking for a web document regarding the security in using Stripe. Let me assist you regarding this matter.
I’m glad to let you know that Stripe is a certified PCI Service Provider Level 1, which is the highest grade of payment processing security. You can also get the information from our public documentation below:
https://stripe.com/docs/security
For more information regarding Stripe’s data protection and privacy practices, you may refer to below:
https://stripe.com/privacy-center/legal
I hope this information has been useful. If there's anything else I can help you with, I'm more than happy to assist further. You can also get in touch with us anytime at your convenience through chat or phone.
Regards,”
So you can follow up on their links if you want to understand their security with respect to transfers of credit card payments. But this is part of what you’ll see from the first link.
“Security at Stripe
Learn how Stripe handles security.
SECURE YOUR INTEGRATION
To learn more about PCI compliance and establishing good security practices, check out our integration security guide.
A PCI-certified auditor has audited Stripe. We’re a certified PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we use the best-in-class security tools and practices to maintain a high level of security at Stripe.
HTTPS and HSTS for secure connections
Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard to ensure secure connections:
• Stripe.js is served only over TLS.
• Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection.
We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.
Sensitive data and communication encryption
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including our API and website.”
That’s not in my skill set, so I’m not going to try and explain it. The important bit, from my layperson’s view, seems to be the last paragraph, which states that your credit card data is encrypted, which means no one else can read it (including me, except as indicated above).
Information from Squarespace on connecting the website to Stripe
Use this link to see the Squarespace system for connecting Stripe to the website: