
1134 points mtlynch | 6 comments
pc No.22937303
Stripe cofounder here. The question raised ("Is Stripe collecting this data for advertising?") can be readily answered in the negative. This data has never been, would never be, and will never be sold/rented/etc. to advertisers.

Stripe.js collects this data only for fraud prevention -- it helps us detect bots who try to defraud businesses that use Stripe. (CAPTCHAs use similar techniques but result in more UI friction.) Stripe.js is part of the ML stack that helps us stop literally millions of fraudulent payments per day and techniques like this help us block fraud more effectively than almost anything else on the market. Businesses that use Stripe would lose a lot more money if it didn't exist. We see this directly: some businesses don't use Stripe.js and they are often suddenly and unpleasantly surprised when attacked by sophisticated fraud rings.

If you don't want to use Stripe.js, you definitely don't have to (or you can include it only on a minimal checkout page) -- it just depends how much PCI burden and fraud risk you'd like to take on.

We will immediately clarify the ToS language that makes this ambiguous. We'll also put up a clearer page about Stripe.js's fraud prevention.

(Updated to add: further down in this thread, fillskills writes[1]: "As someone who saw this first hand, Stripe’s fraud detection really works. Fraudulent transactions went down from ~2% to under 0.5% on hundreds of thousands of transactions per month. And it very likely saved our business at a very critical phase." This is what we're aiming for (and up against) with Stripe Radar and Stripe.js, and why we work on these technologies.)

[1] https://news.ycombinator.com/item?id=22938141

1. ddevault No.22938208
Hey pc, good to see you here on HN. Things like this bother me as a Stripe customer who advocates strongly for privacy. I've asked repeatedly for options which let me have more control over what exactly is happening on my page - or to have a JavaScript-free flow on Stripe.com that I can redirect users to in order to complete their card details. Another easy option would be to use subresource integrity so that I can audit each release of Stripe.js, but your team has turned this down, too. Of course, I could go full PCI, but PCI compliance is a big burden for small businesses. Do you have any plans for making Stripe more accommodating of users with privacy concerns?
2. pc No.22938268
Hi ddevault -- we would like to do this, and I'm very supportive in principle (and, per GP, we are perfectly fine with anyone not using Stripe.js), but our current product/engineering focus is on trying to build better tools for the businesses who are losing tens or hundreds of thousands of dollars to fraud. We think we have to first help the businesses who need help immediately. We'll probably then circle back to build products that explore more points on the [efficacy of fraud prevention] - [PCI burden] continuum.
3. ddevault No.22938371
Thanks for the info, pc! I'm worried that this is a dismissive answer, though. Stripe has been in business for 10 years, and fraud has been and will continue to be a constant battle for you. When can I expect to start seeing other problems like this prioritized?
4. pc No.22938527
Definitely no dismissiveness intended -- apologies. While Stripe has been in business for 10 years, Radar (our fraud prevention tool) has only existed for 3.5. We've made a good deal of progress in that time and I would guess that it's 1-2 years away from being sufficiently complete that we can start to seriously focus on things other than fraud. (As it happens, I just had a conversation about this with the guy who leads it.)
5. ddevault No.22938542
I'm not looking forward to another 1-2 years of waiting - or 3-4, schedules slip ;) - but so be it. Thanks for clarifying!
6. codysc No.22940107
I'm in the same boat with my communication-based startup. I'm being very cautious about any third-party interaction and the heavy activity from the Stripe JS wasn't compatible with that. I had to take some goofy steps to ensure that the Stripe components were limited to just the payments page and didn't bleed over into anything else.