by noneTheHacker 3882 days ago
Yes, Stripe makes it SUPER simple for accounts to change hands.

I bought a small business from a brokerage site.

He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.

The entire process took minutes. It took about 3 weeks for PayPal.

https://support.stripe.com/questions/change-account-owner


According to Stripe, they require evidence you comply with PCI-DSS. I'm interested, did they ask you for this?
As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.

https://support.stripe.com/questions/do-i-need-to-be-pci-com...
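The server-side half of that setup, as an added example (not code from the thread or from Stripe): the browser-side Stripe.js form has already swapped the card for an opaque token, so all the merchant server should ever accept is the token and the four display digits, and only over HTTPS. The field names `stripeToken` and `last4`, the `tok_` prefix check and the PAN-detection heuristic are assumptions made for this example; it uses only the standard library.

```python
import re
from typing import Dict

# Field names the Stripe.js form is assumed to post back in this example
# (assumption for illustration, not Stripe's documented contract).
TOKEN_FIELD = "stripeToken"
LAST4_FIELD = "last4"
# Field names that would only appear if raw card data reached the server.
CARD_DATA_FIELDS = {"number", "card_number", "cc_number", "cvc", "cvv", "csc"}


class PaymentFormError(ValueError):
    """Raised when a request must be refused before any payment logic runs."""


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used here only to recognise a PAN that slipped into the form."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if a value is 13-19 digits (spaces/dashes allowed) passing Luhn."""
    stripped = value.replace(" ", "").replace("-", "")
    if not stripped.isdigit() or not 13 <= len(stripped) <= 19:
        return False
    return luhn_valid(stripped)


def accept_tokenized_payment(url_scheme: str, form: Dict[str, str]) -> Dict[str, str]:
    """Validate a form posted after Stripe.js tokenization.

    Refuses the request when the page was not served over HTTPS or when
    anything resembling raw card data reached the server; otherwise returns
    only the opaque token and the display digits, which is all the server
    needs to create the charge and show the customer which card was used.
    """
    if url_scheme.lower() != "https":
        raise PaymentFormError("payment page must be served over HTTPS")
    for key, value in form.items():
        if key.lower() in CARD_DATA_FIELDS or looks_like_pan(value):
            # Deliberately do not include the value in the message: logging a
            # PAN would itself pull the server into PCI scope.
            raise PaymentFormError(f"raw card data in field {key!r}")
    token = form.get(TOKEN_FIELD, "")
    if not re.fullmatch(r"tok_[A-Za-z0-9]+", token):
        raise PaymentFormError("missing or malformed Stripe token")
    last4 = form.get(LAST4_FIELD, "")
    if not re.fullmatch(r"\d{4}", last4):
        raise PaymentFormError("last4 must be exactly four digits")
    return {"token": token, "last4": last4}


def is_refused(url_scheme: str, form: Dict[str, str]) -> bool:
    """Convenience wrapper: True if accept_tokenized_payment rejects the request."""
    try:
        accept_tokenized_payment(url_scheme, form)
    except PaymentFormError:
        return True
    return False


def secure_response_headers() -> Dict[str, str]:
    """Headers for the payment page so browsers keep it on HTTPS and never cache it."""
    return {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample submissions; 4242 4242 4242 4242 is a Luhn-valid test number.
    good = {"stripeToken": "tok_abc123", "last4": "4242"}
    leaked = {"stripeToken": "tok_abc123", "last4": "4242", "memo": "4242 4242 4242 4242"}
    print(accept_tokenized_payment("https", good))      # {'token': 'tok_abc123', 'last4': '4242'}
    print(is_refused("http", good))                     # True: plain http is refused
    print(is_refused("https", leaked))                  # True: a PAN reached the server
```

The point of the two refusals is that they happen before any charge is attempted: a plain-http submission or a form carrying a card number is a sign the integration is no longer the "card data never touches your servers" setup the comment describes, and the safest response is to fail closed.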

Except this article says it is not served over SSL. There's even a huge graphic with an arrow pointing it out.

https://cdn-images-1.medium.com/max/1600/1*dLlQGvWTeMTB7PT_n...

That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.
The last four digits are still plenty sensitive enough to make serving them over http blatantly irresponsible.
It's not just that - it allows you to update your credit card over unencrypted http.
Yes. That's a problem, certainly. I'm just pointing out that Stripe's "are you PCI compliant" process is pretty low-key.