Integration Security Guide

Ensure PCI compliance and secure communications between your customer and your server by using these best practices. If you need help after reading this, check out our answers to common questions or chat live with other developers in #stripe on freenode.

Anyone involved with the processing, transmission, or storage of credit card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). Stripe makes this easy for you to do, and you can set up a fully PCI-compliant integration by taking the following steps:

  • Serve your payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS
  • Use Checkout or Stripe.js to accept payment information, which is securely transmitted directly to Stripe’s servers without it passing through your servers

Using TLS

TLS refers to the process of securely transmitting data between the client—the app or browser that your customer is using—and your server. This was originally performed using the SSL (Secure Sockets Layer) protocol. However, this is outdated and no longer secure, and has been replaced by TLS. The term “SSL” continues to be used colloquially when referring to TLS and its function to protect transmitted data.

Payment pages must make use of SSL as it significantly reduces the risk of you or your customers being exposed to a man-in-the-middle attack. TLS attempts to accomplish the following:

  • Encrypt and verify the integrity of traffic between the client and your server
  • Verify that the client is communicating with the correct server. In practice, this usually means verifying that the owner of the domain and the owner of the server are the same entity. This helps prevent man-in-the-middle attacks. Without it, there’s no guarantee that you’re encrypting traffic to the right recipient.

Additionally, your customers are more comfortable sharing sensitive information on pages visibly served over HTTPS, which can help increase your customer conversion rate.

TLS is only required for live transactions, and you can test your integration without using TLS. Once you’re ready to accept live charges, you will then need to set up TLS.

Setting up TLS

A digital certificate—a file issued by a certification authority (CA)—is needed in order to use TLS. When installed, this certificate assures the client that it’s really communicating with the server it expects to be talking to, not an impostor. You should get a digital certificate from a reputable certificate provider, such as:

Certificates can vary in cost, depending on the type of certificate and provider. Let’s Encrypt is a certificate authority that provides certificates for free.

Conceptually, setting up TLS is very straightforward: a certificate is purchased from a suitable provider, and then your server is configured to use it. The actual process does tend to be somewhat complex, and we recommend you follow the installation guide of the provider you use.

As TLS is a complex suite of cryptographic tools, it’s easy to miss a few details. We recommend using the SSL Server Test by Qualys SSL Labs to make sure you have everything set up in a secure way.

PCI DSS guidelines

All Stripe users must be compliant with the PCI Data Security Standards (PCI DSS). Checkout and Stripe.js meets the requirements and security constraints of the Self-Assessment Questionnaire (SAQ), SAQ A, by performing all transmission of sensitive cardholder data within an IFRAME served off of a stripe.com domain that is controlled by Stripe.

As long as you serve your payment pages over TLS, and use either Checkout or Stripe.js as the only way of handling card information, Stripe automatically creates a prefilled SAQ A questionnaire for you, and you won’t need to undergo a PCI audit. If card data is stored or transferred through your servers, you are responsible for following PCI DSS guidelines for handling card data, and periodic audits by a PCI-certified auditor.

Depending on your use of Stripe, we may ask you some questions on how you handle credit card data once you’ve been accepting payments. These are from the Payment Card Industry’s Security Questionnaires and we’ll prompt you through the Dashboard if we need this from you.

If you need an Attestation of Compliance (AOC), and/or you are asked to complete a Self-Assessment Questionnaire, pre-filled documents are available in your account’s security settings.

Out-of-scope card data

Stripe returns non-sensitive card information in the response to a charge request. This includes the card type, the last four digits of the card, and the expiration date. This information is not subject to PCI compliance, so you are able to store any of these properties in your database.

Content Security Policy

If you have deployed a CSP, the full set of directives that Stripe.js requires are:

  • connect-src: https://api.stripe.com
  • frame-src https://js.stripe.com
  • script-src https://js.stripe.com

Additional security considerations

It can be a security risk to include JavaScript from other sites as your security becomes dependent on theirs. If they’re ever compromised, an attacker may be able to execute arbitrary code on your page. In practice, many sites make use of JavaScript for services like Google Analytics, even on secure/sensitive pages. Nonetheless, it’s something to be aware of, and ideally minimize.

If you’re making use of webhooks, we recommend using TLS for the endpoint to avoid traffic being intercepted and the notifications altered (sensitive information is never included in a webhook event).

While complying with the Data Security Standards is important, it shouldn’t be where you stop thinking about security. Some good resources to learn about web security are: