Question about billing

[GregK954]

Does your company have a way to pay with a PayPal account?  I feel a bit concerned  about having to submit my credit card number to a server that does not appear to be PCI compliant.  Not saying the back-end is not compliant, as I can not tell, however the certificate that secures your site is by 'Let's Encrypt'.

 Don't get me wrong 'Let's Encrypt' is great, it will make sure that end to end the data is secured, but any company can encrypt a site with it unverified. There is no vetting involved. If your company is not vetted by an accredited SSL provider, then what can I think your policy is with my credit card number?  I was already forced to give you that info to use your product and start the free trial, I felt uneasy about that.

I like your product and wish to upgrade to premium but I would like to know exactly how or if my number was stored. Is the server where my bank/credit information resting PCI compliant?

Thanks
-G

[emalafeew]

Hi Greg,

Our membership payments are handled entirely by Stripe, which is analogous to PayPal in many ways including security. Their customers include Target, Kickstarter, Under Armor and more (https://stripe.com/customers). Your credit card data never passes through our system, we integrate Checkout from Stripe which is PCI compliant:

"Stripe Checkout and Stripe Elements use a hosted payment field for handling all payment card data, so the cardholder enters all sensitive payment information in a payment field that originates directly from our PCI DSS validated servers. Stripe mobile and Terminal SDKs also enable the cardholder to send sensitive payment information directly to our PCI DSS validated servers." (https://stripe.com/guides/pci-compliance)

Hope that helps!

[GregK954]

Thank you, yes this answered my question. As a suggestion in your payment box you may want to indicate that your making that third party call, perhaps a powered by Stripe as well. With Paypal it is never an issue as you are directed to a new page with paypal, not an iframe. In cases where it would be done in an iframe you would still see the paypal logo, etc. Just some food for thought.

Since you mentioned it was through Stripe I checked the page's code and indeed it is going to Stripe's servers, however should your servers ever be compromised it would not take much for a hacker to redirect that form to another site, and since it is hidden in an iframe it would not look any different to the end user.

I am a system administrator at a hosting company so I look for these things, both on and off the job If I had a dime for every hacked website I see in a year.. I would at least have enough buy a cup of tea. LOL

Thanks again.

[emalafeew]

Thank you, yes this answered my question. As a suggestion in your payment box you may want to indicate that your making that third party call, perhaps a powered by Stripe as well.  With Paypal it is never an issue as you are directed to a new page with paypal, not an iframe. In cases where it would be done in an iframe you would still see the paypal logo, etc. Just some food for thought.  

Since you mentioned it was through Stripe I checked the page's code and indeed it is going to Stripe's servers, however should your servers ever be compromised it would not take much for a hacker to redirect that form to another site, and since it is hidden in an iframe it would not look any different to the end user.  

I am a system administrator at a hosting company so I look for these things, both on and off the job  If I had a dime for every hacked website I see in a year.. I would at least have enough buy a cup of tea.  LOL

Thanks again.

Sincerely thanks for the suggestion, we can add "powered by Stripe" to our membership popup that knowledgeable users can verify. Whatever we can do to make our site more actually and apparently secure we appreciate! Ideally Stripe would provide identification that users could verify in their browser, if there's a way to do that with Stripe we'd love to know.