Sign in
An image of the Stripe logo
Create account
Sign in
Home
Payments
Business operations
Financial services
Developer tools
No-code
All products
Home
Payments
Business operations
Home
Payments
Business operations
Financial services
Developer tools
Support
Overview
Developer tools
    Get started
    Quickstarts
    Stripe Shell
    Stripe CLI
    Dashboard
    Stripe for Visual Studio Code
    Webhooks
    File uploads
    Error handling
    Security at Stripe
      Integration guide
      Request permissions
      Python library PGP key
    API
    API keys
    Upgrades
    Changelog
    Rate limits
    Data Availability
    Expanding responses
    Domains and IP addresses
    Search
    Building With Stripe
    Prebuilt iOS UI
    Prebuilt Android UI
    Extensions
    Samples
    Checklist
    Feedback
SDKs
Sample projects
Videos
Stripe Apps
Stripe Connectors
Partners
HomeDeveloper tools

Security at Stripe

Learn how Stripe handles security.

Secure your integration

To learn more about PCI compliance and establishing good security practices, check out our integration security guide.

A PCI-certified auditor has audited Stripe. We’re a certified PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. To accomplish this, we use the best-in-class security tools and practices to maintain a high level of security at Stripe.

HTTPS and HSTS for secure connections

Stripe forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard to ensure secure connections:

  • Stripe.js is served only over TLS.
  • Stripe’s official libraries connect to Stripe’s servers over TLS and verify TLS certificates on each connection.

We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure that browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for both Google Chrome and Mozilla Firefox.

Sensitive data and communication encryption

All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plain text card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with Stripe’s primary services including our API and website.

Vulnerability disclosure and reward program

By submitting a security bug or vulnerability to Stripe through HackerOne, you acknowledge that you’ve read and agreed to the program terms and conditions. Please refer to our policy on HackerOne for more information on how to participate in our bug bounty program.

See also

  • Integration security guide
  • Single sign-on (SSO)
  • Fighting fraud
Was this page helpful?
Questions? Contact us.
Watch our developer tutorials.
Check out our product changelog.
Powered by Markdoc
You can unsubscribe at any time. Read our privacy policy.
On this page
HTTPS and HSTS for secure connections
Sensitive data and communication encryption
Vulnerability disclosure and reward program
See also
Stripe Shell
Test mode
Welcome to the Stripe Shell! Stripe Shell is a browser-based shell with the Stripe CLI pre-installed. Login to your Stripe account and press Control + Backtick on your keyboard to start managing your Stripe resources in test mode. - View supported Stripe commands: - Find webhook events: - Listen for webhook events: - Call Stripe APIs: stripe [api resource] [operation] (e.g. )
The Stripe Shell is best experienced on desktop.
$