Security is a key concern whenever payments are being sent and received.
Applaus.io has carefully selected Stripe for its high level of security, proven track record, and well-known brand and capabilities. Stripe is certified as PCI Service Provider Level 1, which is the
most stringent level of certification in the payments industry. Stripe is a U.S. company that enables businesses to accept electronic payments and transfer funds to their customers. It operates
in 25 countries and powers 100,000+ businesses.
Why use Stripe?
Simply put, we use Stripe because it manages the complexity of payment processing, enabling Applaus.io to focus solely on our product and customers.
How are tips processed?
When we accept payments, we do so in a PCI-compliant manner. The simplest way to be PCI compliant is to never see (or have access to) card data at all. The information entered
by the user is encrypted and is not seen or stored by Applaus.io. Stripe uses encryption and handles, on Applaus.io’s behalf, issues dealing with compliance and with disputed, at-risk or fraudulent
charges. When anyone provides payment information on our website, they’re providing it directly to Stripe, and we never have access to it.
How does Stripe maintain compliance?
Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available
in the payments industry. To accomplish this, Stripe makes use of best-in-class security tools and practices to maintain a high level of security. Stripe regularly audits the details of its
implementation: the certificates it serves, the certificate authorities it uses, and the ciphers it supports. Stripe uses HSTS to ensure browsers interact with Stripe only over HTTPS.
All card numbers are encrypted by Stripe on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons are able to obtain plaintext card
numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a
separate hosting infrastructure and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
Stripe has two PGP keys to encrypt Applaus.io’s communications with Stripe or verify signed messages Applaus.io receives from Stripe.