Security Policy

Security is a key concern whenever payments are being sent and received.

Applaus.io has carefully selected Stripe for its high level of security, proven track record, and well-known brand and capabilities. Stripe is certified as PCI Service Provider Level 1, which is the most stringent level of certification in the payments industry. Stripe is a U.S. company that enables businesses to accept electronic payments and transfer funds to their customers. It operates in 25 countries and powers 100,000+ businesses.

To learn more about Stripe’s security and privacy policy and their verification processes, see their website.

Payment Processing

Why use Stripe? Simply put, we use Stripe because it manages the complexity of payment processing, enabling Applaus.io to focus solely on our product and customers.

How are tips processed? When we accept payments, we do so in a PCI-compliant manner. The simplest way to be PCI compliant is to never see (or have access to) card data at all. The information entered by the user is encrypted and not seen or stored by Applaus.io. Stripe uses encryption and handles, on Applaus.io’s behalf, issues dealing with compliance and with disputed, at-risk, or fraudulent charges. When anyone provides payment information on our website, they’re providing it directly to Stripe, and we never have access to it.

Compliance

How does Stripe maintain compliance?

Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, Stripe makes use of best-in-class security tools and practices to maintain a high level of security. Stripe regularly audits the details of their implementation: the certificates they serve, the certificate authorities they use, and the ciphers they support. Stripe uses HSTS to ensure browsers interact with Stripe only over HTTPS.

Because all sensitive information is handled by Stripe, it features simple PCI compliance with SAQ reporting. Stripe also provides a single interface for Apple Pay, Google Pay, and the Payment Request API.

How is information stored and encrypted?

All card numbers are encrypted by Stripe on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting infrastructure and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).

Stripe has two PGP keys to encrypt Applaus.io’s communications with Stripe or verify signed messages Applaus.io receives from Stripe.