Online payments are processed by Stripe, a certified PCI Service Provider Level 1. Stripe has been
audited by a PCI-certified auditor and holds PCI Service Provider Level 1 certification, the most
stringent level available in the payments industry, so card details are handled under that level of
control rather than by this site's own systems.
HTTPS and HSTS for secure connections
Stripe forces HTTPS for all services using TLS (SSL), including the public website and the
Stripe regularly audits the details of its implementation: the certificates it serves, the
certificate authorities it uses, and the ciphers it supports. Stripe uses HSTS to ensure browsers
interact with it only over HTTPS, and Stripe is on the HSTS preload lists for both Google Chrome and
Mozilla Firefox.
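The HSTS claim above can be checked from a merchant's side by fetching the Strict-Transport-Security header of the site in question and testing it against the preload-list requirements (max-age of at least one year, includeSubDomains, and the preload token). The following Go program is an added example written for this page, not code from Stripe or from this site; it parses a header value the way RFC 6797 describes and reports why a value would not be accepted for preloading. The header strings in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// HSTSPolicy is the parsed form of a Strict-Transport-Security header value.
type HSTSPolicy struct {
	MaxAge            int64
	IncludeSubDomains bool
	Preload           bool
}

// ParseHSTS parses a header value following RFC 6797 section 6.1: directives
// are ';'-separated, names are case-insensitive, unknown directives are
// ignored, and max-age is required and must not repeat.
func ParseHSTS(header string) (HSTSPolicy, error) {
	var p HSTSPolicy
	seenMaxAge := false
	for _, raw := range strings.Split(header, ";") {
		directive := strings.TrimSpace(raw)
		if directive == "" {
			continue
		}
		name, value, hasValue := strings.Cut(directive, "=")
		name = strings.ToLower(strings.TrimSpace(name))
		value = strings.Trim(strings.TrimSpace(value), `"`)
		switch name {
		case "max-age":
			if !hasValue {
				return p, fmt.Errorf("max-age directive has no value")
			}
			if seenMaxAge {
				return p, fmt.Errorf("max-age directive repeated")
			}
			n, err := strconv.ParseInt(value, 10, 64)
			if err != nil || n < 0 {
				return p, fmt.Errorf("invalid max-age value %q", value)
			}
			p.MaxAge, seenMaxAge = n, true
		case "includesubdomains":
			p.IncludeSubDomains = true
		case "preload":
			p.Preload = true
		}
	}
	if !seenMaxAge {
		return p, fmt.Errorf("required max-age directive missing")
	}
	return p, nil
}

// preloadMinAge is the one-year minimum max-age required by hstspreload.org.
const preloadMinAge = 31536000

// PreloadProblems lists why a header would fail the preload-list submission
// requirements (max-age >= one year, includeSubDomains, preload); an empty
// result means the header is eligible.
func PreloadProblems(header string) []string {
	p, err := ParseHSTS(header)
	if err != nil {
		return []string{err.Error()}
	}
	var problems []string
	if p.MaxAge < preloadMinAge {
		problems = append(problems, fmt.Sprintf("max-age %d is below %d (one year)", p.MaxAge, preloadMinAge))
	}
	if !p.IncludeSubDomains {
		problems = append(problems, "includeSubDomains directive missing")
	}
	if !p.Preload {
		problems = append(problems, "preload directive missing")
	}
	return problems
}

func main() {
	// Constructed header values for illustration, not captured from any site.
	for _, h := range []string{
		"max-age=63072000; includeSubDomains; preload",
		"max-age=300",
		"includeSubDomains; preload",
	} {
		fmt.Printf("%q -> %v\n", h, PreloadProblems(h))
	}
}
```

To check a live host, feed the value of its Strict-Transport-Security response header (for example from `curl -sI https://example.com`) into PreloadProblems; a site that is already on the Chrome preload list should return no problems, and a site that serves no such header at all is not protected by HSTS regardless of what its payment provider does.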
Encryption of sensitive data and communication
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate
machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card
numbers; instead, they can just request that cards be sent to a service provider on a static
whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in
separate hosting infrastructure, and doesn’t share any credentials with Stripe’s primary services
(API, website, etc.).
More info at https://stripe.com/docs/security/stripe
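The storage model described above (card numbers encrypted at rest with AES-256, no internal service able to read plaintext, and decryption only in order to forward a card to a destination on a static allowlist) is easier to reason about with a concrete model. The Go program below is an added example for this page, not Stripe's code and not a description of Stripe's actual implementation; the CardVault, Destination and token names are assumptions, and the separation that Stripe achieves with separate machines and separate credentials is modelled here within one process by giving only the vault access to the key and by never returning plaintext from any vault method.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Destination stands in for an allowlisted processor that may receive a
// plaintext card number. It only records deliveries; a real one would be a
// TLS client to the processor.
type Destination struct {
	Name     string
	Received []string
}

// CardVault models the separated card-storage service: it generates and holds
// the AES-256 key, keeps only AES-GCM ciphertext, and can forward a decrypted
// number to an allowlisted destination but never returns plaintext to callers.
type CardVault struct {
	aead      cipher.AEAD
	records   map[string][]byte // token -> nonce || ciphertext
	allowlist map[string]*Destination
}

// ErrNotAllowed is returned when a forward targets a destination outside the allowlist.
var ErrNotAllowed = errors.New("destination not on allowlist")

func NewCardVault(allowed []*Destination) (*CardVault, error) {
	key := make([]byte, 32) // 256-bit key, created inside the vault and never exported
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &CardVault{aead: aead, records: map[string][]byte{}, allowlist: map[string]*Destination{}}
	for _, d := range allowed {
		v.allowlist[d.Name] = d
	}
	return v, nil
}

// Store encrypts a card number and returns an opaque token, which is the only
// card-related value the primary application ever holds.
func (v *CardVault) Store(pan string) (string, error) {
	raw := make([]byte, 16+v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw[:16])
	nonce := raw[16:]
	// The token is bound as associated data, so a ciphertext cannot be re-filed under another token.
	v.records[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, nil
}

// Forward decrypts the card number behind a token and delivers it to an
// allowlisted destination. The allowlist is checked before any decryption,
// and the plaintext is never returned to the caller.
func (v *CardVault) Forward(token, destName string) error {
	dest, ok := v.allowlist[destName]
	if !ok {
		return ErrNotAllowed
	}
	rec, ok := v.records[token]
	if !ok {
		return fmt.Errorf("unknown token %q", token)
	}
	ns := v.aead.NonceSize()
	if len(rec) < ns {
		return errors.New("corrupt record")
	}
	pan, err := v.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return err // tampered ciphertext or ciphertext filed under the wrong token
	}
	dest.Received = append(dest.Received, string(pan))
	return nil
}

func main() {
	network := &Destination{Name: "card-network"}
	vault, err := NewCardVault([]*Destination{network})
	if err != nil {
		panic(err)
	}
	token, err := vault.Store("4242424242424242") // constructed test number, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Println("application holds only:", token)
	fmt.Println("forward to card-network:", vault.Forward(token, "card-network"))
	fmt.Println("forward to unlisted host:", vault.Forward(token, "evil-host"))
}
```

The point of the shape is that the application code path has no function it could call to get a card number back: Store returns a token, Forward returns only an error value, and the allowlist decision is made before the key is touched, so a compromised API or website process can at most cause a card to be sent to a processor that was already permitted.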
Data Usage, Privacy and Security
Stripe's terms on data usage, privacy and security form part of the Stripe Services Agreement: https://stripe.com/en-ca/ssa#section_d