Credit card security

We never store your credit card data. Instead, we send it securely to Stripe.

Why we don’t store your card data

Storing credit card data is a huge responsibility. While we have taken many steps to make our website secure, we NEVER store your credit card data.

Who are Stripe?

Stripe is a payment gateway. That means their business is to make payments work securely over the Internet. In return, they take a small cut of every transaction (we pay this cut, not you).

Stripe is certified as a PCI Service Provider Level 1, which is the most stringent level of certification available. They handle billions of dollars of transactions every year.

But I entered my card details on this website, not Stripe!

This is where it gets clever.

When you are filling out the payment form, that data only exists on your computer. You haven’t sent the data anywhere yet.

When you submit the form, we deliberately do not send the data to our server. We never actually see your card data, not even temporarily!

Instead, we use Stripe’s JavaScript encryption library to encrypt the data and send it securely to Stripe. This JavaScript runs in the browser, on your computer.

When we send the encrypted data to Stripe, it is sent securely over HTTPS. Stripe actually enforces this; it’s not possible to send them data over an insecure channel.

Stripe then sends us back a single-use token that we can use to make the charge. The token does not include any part of your credit card data. A Stripe token looks like this: tok_5jKPEG5osqmUxu

Stripe’s ingenious system makes the payment process easy, while keeping the card data extremely safe.

What we store

Let’s look at an example, so you can see what we actually store. Suppose you pay us using the following card:

  • Card number: 4242 4242 4242 4242
  • Expiry: 03 / 18
  • Security code: 123

We store only the expiry date and the last four digits of the card number:

  • Last four: 4242
  • Expiry: 03 / 18

To be absolutely sure we are doing things right, we don’t even take this data from the form. Instead, we store it when Stripe sends us a message containing it. We know Stripe will only send us data we’re allowed to have.

Stripe also sends us some unique identifiers, which represent a customer and a card. For example, they might look like the ones below. Notice that these do not contain any card data.

  • Customer ID: cus_3XRDGNLCVPHgIZ
  • Card ID: card_3XRDoHo5LSLHkA
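
For readers who build a similar integration, here is an added example (not this site's own code) of two server-side checks that follow from the design above: refuse any form post that carries card data instead of only a token, and build the stored record from Stripe's card object by allowlist. The form field names (stripeToken, card_number and so on) and the sample object are assumptions constructed for illustration.

```javascript
// Added example. Form field names below are assumed, not taken from the page.
const TOKEN_RE = /^tok_[A-Za-z0-9]+$/;
const FORBIDDEN_FIELDS = ['card_number', 'number', 'cvc', 'security_code'];

// True if the value is a 13-19 digit run (spaces/dashes allowed) that passes Luhn.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[ -]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Accept a payment post only if it holds a token and nothing resembling card data.
// The reason string names the field but never echoes the offending value.
function checkPaymentPost(body) {
  for (const [key, value] of Object.entries(body)) {
    if (FORBIDDEN_FIELDS.includes(key)) {
      return { ok: false, reason: `card field "${key}" reached the server` };
    }
    if (looksLikeCardNumber(value)) {
      return { ok: false, reason: `field "${key}" holds a card-number-like value` };
    }
  }
  if (!TOKEN_RE.test(body.stripeToken || '')) {
    return { ok: false, reason: 'missing or malformed token' };
  }
  return { ok: true, token: body.stripeToken };
}

// Persist only allowlisted fields from the card object Stripe returns,
// so anything else in the message is dropped rather than stored by accident.
function storableCard(stripeCard) {
  return {
    customerId: stripeCard.customer,
    cardId: stripeCard.id,
    last4: stripeCard.last4,
    expMonth: stripeCard.exp_month,
    expYear: stripeCard.exp_year,
  };
}

// Constructed sample of a card object, using the identifiers shown above.
const SAMPLE_CARD = { id: 'card_3XRDoHo5LSLHkA', customer: 'cus_3XRDGNLCVPHgIZ',
  last4: '4242', exp_month: 3, exp_year: 2018, brand: 'Visa', name: 'A. Customer' };
```

A rejected post is worth alerting on, since it means the page's form has started submitting card fields to the server.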

The end result is a system that is both convenient for customers and extremely secure.