When you configure your Stripe Integration within Operate, you are asked by Stripe to allow it to "Process payments unsafely". This article discusses this setting: why it is needed and what it means to you.
Why enable this setting?
During the initial transactions that your customers perform on your Portal, using a particular payment method; as well as when they update that method, it is necessary for Operate and Stripe to process transaction details, including the full credit card number. If this does not happen, payments obviously cannot go through. If you use Operate's API integration to Stripe, this setting is necessary for the integration to work.
Why is it 'unsafe'?
By calling this process 'unsafe' Stripe's purpose is likely to encourage customers to use their own tokenization instead of a third party integration. Long term, this may make it more difficult for you to switch providers. By integrating Stripe with other tools you trust and use to collect payments, such as Operate, you have more freedom to change gateways in the future. Stripe have no control or monitoring mechanisms over such integrations, so they may call them 'unsafe' simply to discourage users from using them and choose their tools instead. Stripe cannot determine how safe or unsafe an integration is, so the name of this setting is not the most fortunate choice.
PCI Compliance and HTTPS connections are most efficient in ensuring data security while processing payments.
PCI Compliance - When a platform stores full payment information, including complete credit card numbers, the cardholder's name, the expiry date and CVC code, that platform needs to comply with the PCI Standard. This means that companies are evaluated and certified only if they meet the highest transaction data security standards. More information about PCI is available here. Stripe is a PCI compliant provider - you can learn more about their security guidelines here.
HTTPS Secure Connection - This type of connection is used to encrypt the data flow between client and server. This is a highly secure type of connection between the platform where the payment is made, and the payment processor. It is typically used when the former does not store full payment information. HTTPS is the security protocol that Operate uses when processing payments.
How does Operate Protect Payment Data?
Payment processing is made possible by Operate's API integration to Stripe, (as well as other providers) which enables the two platforms to communicate while a transaction takes place.
Operate collects, but does not store full credit card details - they are submitted to Stripe directly, right after collection. Please see the next section for details on the data that Operate records.
Operate posts the full card details to Stripe, the operation being performed securely, over a HTTPS connection and protected by a firewall. When a payment is completed, Stripe returns a payment Token which Operate stores for reference (details below). This exchange of information only takes place during the initial transaction and during a payment method update - saving the payment method stores it within Stripe only. Operate no longer intervenes after the initial transaction or update.
What information does Operate store?
Payment tokens as well as partial transaction information are being stored by Operate for identification and validation purposes. This information is collected during the initial transaction and if the customer updates their payment method. The information being processed is the same in both cases, noting that an update will replace the old payment method information with the new one. Below are details about what and how Operate stores:
The Payment Token - This is a reference string that we receive back from Stripe, once the payment has been passed, which tells our system when a payment has been completed. This token is necessary so that Operate can mark invoices or bookings as paid. When a customer chooses to enable recurring payments, Stripe generates a recurring payment token which Operate receives and stores in order to allow recurring payments to be processed automatically.
The cardholder's name and the last 4 digits on the card - This information does not represent the full payment details - it is incomplete and safe to store by providers who do not process payments themselves. Operate stores these details in order to be able to initiate recurring payments - while the recurring payment token enables the transaction itself, the card related information allows Operate and Stripe to work togetner in identifying the card that needs to be used to make the payment.
For ACH payments, Operate stores the Account Holder's Name, the last 4 digits of the Account Number, the Routing Number. This information serves to identify and validate transactions - on a recurring basis. More information on how a ACH payment takes place is available in this article.
You, Operate and Stripe
Operate does not interfere with your merchant relationship with Stripe, therefore you still need to ensure that you meet Stripe's Terms and Conditions, along with Operate's. You may thus need to add any needed reference to Stripe's T&C's to your Member Portal, which you can do in Operate's Settings > General > Portal > Operate Portal, as shown in this article.
Find out more
For any further questions, please feel free to contact our support using the chat icon at the bottom right corner of the screen.