[balls187]

I like this idea.

Are you storing bank credentials?

Since you posted on HN:

Besides the marketing fluff "state of the art encryption" what are you actually doing to ensure my credentials are secure?

What prevents you from updating your TOS to be more ominous and adding a clause buried that allows you to inspect & store our bank transactions?

[harrisonmgordon]

Thanks!

We use Plaid as our bank connection API. We actually never see your bank account, so we can't store it.

We also use Stripe for cc processing, and similarly do not store credentials, instead opting for Stripe to do it for us.

[slg]

I may be overly critical here, but I don't think it is completely right to say in your FAQ that you don't store credentials "which means your sensitive information is safe and secure!" Sure, you don't store them. However you still ask for them and then have someone else store them on your behalf. That still leaves end users vulnerable to the exact same problems. The user could still experience issues specifically because they used your service. They wouldn't really care who is actually responsible if that were to happen, only that it was caused by using Give A Dime.

You are responsible for your partners. Saying you won't do something isn't completely honest if you turn around and outsource that exact same activity to a partner.

[deegles]

How would you phrase it?

[slg]

I'm not sure on the exact phrasing. It can either mention Plaid by name or some complementary descriptor about "banking level security". It just shouldn't say credentials aren't being stored when they are being stored by a partner.

[harrisonmgordon]

That's really great feedback - I will update our FAQ to clearly state where the data is going and some basic information on the security protocol.

[balls187]

I would think how you message this. What others and I picked up on is appropriate for this level of discourse (HN), but something that is likely not going to make sense to your core customers.

Are customers that buy from companies that integrate with Stripe aware that it is Stripe that stores credit card information when prompted? I don't know if the average person can make that abstraction.

[slg]

Good to hear. Clarity is really the most important part.

[balls187]

Gotcha, so the bank credentials are passed through to Plaid, which issues an access token, which can be used to re-authenticate and obtain new data.

[harrisonmgordon]

Exactly!

[toomuchtodo]

Very nicely done. The only thing you might want to do is get on Stripe's ACH beta, and use an ACH for the transaction (saving the CC fees).

[harrisonmgordon]

I emailed stripe 2 days ago for access :)

[harrisonmgordon]

I would rather shut the company down than inspect and store bank transactions. Risk of lawsuit is also a pretty good deterrent, since lawyers are expensive.