Our Payment Provider:
We use Stripe to process credit card payments on our website. Stripe is certified as PCI Service Provider Level 1 -- the most stringent level of certification possible. Here’s a list of other companies that use Stripe: https://stripe.com/gallery
Are we storing your credit card number on our site?
Short answer: No
When you opt into saving your credit card with us, all storage of sensitive information (i.e., your credit card number) is kept in Stripe’s secure environment. At no point can we see or store your credit card number on our systems.
How secure is Stripe?
Stripe is certified as PCI Service Provider Level 1 -- the most stringent certification available. Full details on their security infrastructure is available here. Here’s some key points in their own words:
SSL and HSTS
Stripe forces HTTPS for all services, including our public website. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Chrome and Firefox.
Encryption
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe's internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn't share any credentials with Stripe's primary services (API, website, etc.).
