Securely Collecting Card Information

Securely collect card information from your customers using tokenization, allowing you to make the most of our products. If you need help after reading this, check out our answers to common questions or chat live with other developers in #stripe on freenode.

Whether you’re creating a one-off charge or saving your customer’s card details for later, processing a card payment with Stripe is a two-step process:

  1. Securely collect payment information using tokenization
  2. Create a charge request using the tokenized payment details

Client-side tokenization is the process Stripe uses to collect card information directly from your customers in a secure manner. During this process, a token representing this information is returned to your server for use in a charge request (or to save the card details for later use). Tokens can only be used once and expires within a few minutes.

Collecting payment information

We provide three methods for tokenizing your customer’s payment information over HTTPS:

Tokenization ensures that no sensitive card data ever needs to touch your server so your integration can operate in a PCI compliant way. If any card data were to pass through or be stored on your server, you would be responsible for any PCI DSS guidelines and audits that are required.

Radar, our modern suite of fraud protection tools, is only available to users who have implemented client-side tokenization using any of these methods. By doing so, it ensures that you can pass the necessary data required for our machine-learning fraud prevention models to make more accurate predictions.

Checkout

Checkout combines HTML, JavaScript, and CSS to create an embedded payment form, and is the simplest way for you to securely collect and tokenize your customer’s payment information. When your customer enters their credit card information, it’s validated, and then tokenized for your server-side code to use.

If Checkout is something you’d like to use, you can refer to our documentation on integrating Checkout to get started. If you’d prefer to have complete control over the look and feel of your payment form, you can create a custom payment form instead.

Stripe.js

If you need more customization, Stripe can securely collect your customer’s payment information from a HTML form you’ve created using Stripe.js. Your form can be customized however you need and Stripe.js tokenizes the payment information directly with Stripe. You can read our documentation on building a payment form to learn more.

Mobile SDKs

Using our native mobile libraries for iOS and Android, Stripe can collect your customer’s payment information from within your iOS or Android app and create a token that your server-side code will use.

Using payment information

Once a token is created, your server-side code uses it when making an API request to Stripe. Two common examples of when you would use a token are:

Charge your customer immediately

You can create a one-time charge request to charge a customer’s card. The API request contains the token, currency, amount to charge, and any additional information you may want to pass (e.g., metadata). Since a token can only be used once, your customer will need to re-enter their payment details every time they make a purchase.

Saving your customer’s card information

If you’d like to have the ability to charge your customers without them needing to enter their payment information each time, you can create an API request to store their payment details inside a customer record instead. Future charges can be made using the stored information and is required if you’d like to start using subscriptions.

Next steps

Once you've collected payment details from your customers, you're probably going to do one of two things: