←back to thread

Stripe records user movements on its customers' websites

(mtlynch.io)
1134 points mtlynch | 10 comments | 21 Apr 20 17:01 UTC | HN request time: 1.288s | source | bottom
Show context
pc ◴[21 Apr 20 17:42 UTC] No.22937303[source]
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

replies(52): >>22937327 #>>22937331 #>>22937352 #>>22937362 #>>22937385 #>>22937475 #>>22937518 #>>22937526 #>>22937559 #>>22937599 #>>22937775 #>>22937815 #>>22937962 #>>22938015 #>>22938068 #>>22938208 #>>22938310 #>>22938383 #>>22938533 #>>22938646 #>>22938728 #>>22938777 #>>22938855 #>>22938884 #>>22939026 #>>22939035 #>>22939376 #>>22939803 #>>22939814 #>>22939916 #>>22939952 #>>22940051 #>>22940090 #>>22940177 #>>22940282 #>>22940315 #>>22940317 #>>22940352 #>>22940686 #>>22940751 #>>22941252 #>>22942502 #>>22942538 #>>22942710 #>>22942907 #>>22943100 #>>22943453 #>>22944163 #>>22944509 #>>22944652 #>>22945170 #>>22946136 #
1. brogrammernot ◴[21 Apr 20 18:00 UTC] No.22937526[source]
We’re big-time Stripe users (ACH mostly to the tune of $300M+ annually) but soon will be branching into debit/credit & in the research so far have found the Radar product impressive.

Having this information up-front and center makes it easier to pass to our Infosec folks + another check in the transparency box.

As far as not using the JS, I was under the impression as long as you’re not storing the account or card numbers & utilizing the tokens properly you’re still at the base level of PCI compliance - meaning you’re securing your website, endpoints, data store etc in the same manner you should be already.

The JS package is really nifty and helpful though, we will be able to standup a one-off late payment page utilizing their checkout flow & one-time payments (server/client - couldn’t expose all the SKUs to folks so had to go that route instead of just client) but the fact we could use Stripe to send the emails with our branding & all we have to really do is pull the payment they owe & create a checkout session to hand-off to Stripe is pretty awesome.

replies(1): >>22937542 #
2. pc ◴[21 Apr 20 18:01 UTC] No.22937542[source]
Glad you're liking Radar!

You're right that, if you don't use Stripe.js, PCI compliance will be more work.

And, yes, you can definitely include Stripe.js only on a single page.

replies(3): >>22937611 #>>22937642 #>>22943090 #
3. brogrammernot ◴[21 Apr 20 18:08 UTC] No.22937611[source]
We are, indeed.

As far as PCI compliance, I was just saying your comment about more work is true depending on your setup w/o using Stripe.js.

In our business we already have our own proprietary fraud models and other PII we secure, so the level of effort to keep PCI compliance for the additional Stripe components is a wash whether or not we use Stripe.js

I totally agree if you're going to use Stripe and you don't have to deal with PCI already in your normal course of business it's a complex area to navigate & using stripe.js is a much smoother path to take.

Basically goes back to basic principles, don't add more stress or work for something outside your core competencies unless necessary & in many cases, I can see where companies should just leverage stripe.js plus the UI utilities as they're well done & save a lot of time.

Big fans of Stripe, even if your ACH rates are significantly more than Wells Fargo or others :P

4. wolco ◴[21 Apr 20 18:10 UTC] No.22937642[source]
Wouldn't it be just a server side to stripe call on a form submit? Even easier than using js (probably not as good user experience wise)
replies(3): >>22937852 #>>22937931 #>>22938959 #
5. brogrammernot ◴[21 Apr 20 18:29 UTC] No.22937852{3}[source]
Sure, you could.

We more or less do this today, but if you need to setup a new workflow to take payments (one-time or recurring) there's a lot of work already done for you in the Stripe.js ecosystem.

So in our case, to take one-time payments it would've been more work to stand-up the checkout page itself and all of that work behind the scenes. It is much easier to just create a checkout session (basically just hitting the DB to pull the outstanding payment record and creating a stripe customer if one doesn't already exist) and redirect to Stripe's checkout.

The PCI part isn't overstated either, that checkout session lives on Stripe's domain not ours and that's where payment method is collected & stored within Stripe so you're not having to worry about it.

It's pretty nifty, give it a look - https://stripe.com/docs/payments/checkout/one-time

6. Nextgrid ◴[21 Apr 20 18:36 UTC] No.22937931{3}[source]
I think that you will be on the hook for PCI compliance if card data touches your server, while with Stripe.js your server never sees the card data. Of course, it's extremely stupid, because your server is still the one serving the original page and can change it to silently exfiltrate the card details if it gets compromised.
replies(1): >>22938384 #
7. skoskie ◴[21 Apr 20 19:19 UTC] No.22938384{4}[source]
I mean, if your server is compromised, you are completely screwed, no matter what services you do or don’t use.
replies(1): >>22938801 #
8. Wowfunhappy ◴[21 Apr 20 20:08 UTC] No.22938801{5}[source]
I believe the point was, if your server is compromised but you're using stripe.js, you're not legally on the hook for exposing CC details, even though they definitely could have been exposed.

(I have no idea if this is even true, this was just my reading.)

9. Kalium ◴[21 Apr 20 20:23 UTC] No.22938959{3}[source]
> Wouldn't it be just a server side to stripe call on a form submit? Even easier than using js (probably not as good user experience wise)

Sure! You just have to also handle PCI-DSS.

One of the nasty things I've had to accept about PCI-DSS is that if you think you have a clever hack for getting around it, you probably don't. It's really a remarkable work of standards authoring.

10. AdieuToLogic ◴[22 Apr 20 07:25 UTC] No.22943090[source]
> You're right that, if you don't use Stripe.js, PCI compliance will be more work.

That is not what @brogrammernot wrote. What @brogrammernot wrote was:

> As far as not using the JS, I was under the impression as long as you’re not storing the account or card numbers & utilizing the tokens properly you’re still at the base level of PCI compliance - meaning you’re securing your website, endpoints, data store etc in the same manner you should be already.

Note the the conclusion of "... in the same manner you should be already."