What is Stripe?
Stripe is a quick and secure way to accept credit card and debit card payments online. Stripe helps Handshake provide a seamless payment experience for you and your customers (Employers/Students).
Stripe processes billions of dollars a year and is used by tens of thousands of companies worldwide, including Fortune 500s and small businesses alike. You can learn more at www.stripe.com.
Is Stripe secure? PCI compliant?
Stripe meets and exceeds the most stringent industry standards for security. They are also audited by a PCIcertified auditor, and are certified to PCI Service Provider Level 1. (This is the highest level of certification available). You can learn more about the technical details of Stripe's secure infrastructure here: https://stripe.com/help/security.
Is Handshake secure? PCI compliant?
Handshake has been certified by an accredited QSA as a Cardnotpresent ecommerce only Merchant (SAQ A). We are happy to produce our AOC and ASV scans if you would like to review.
Why is Handshake filling out an SAQ A?
Handshake has worked with our QSA and Stripe to ensure we meet all requirements to put us in scope of SAQ A. This involves:
- Using the latest version of of Stripe.js which is included off of stripe’s domain
Ensuring all transmission of sensitive cardholder data is within an iframe served off of stripe.com’s domain controlled by Stripe. For more information see here: https://support.stripe.com/questions/whataboutpcidss31
Does my school have to be PCI compliant?
Generally, anyone involved in the processing, transmission, or storage of credit card data must comply with the Payment Card Industry Data Security Standards. In Handshake’s Setup with your University, it's Stripe that is holding the PCICompliance certification, which you can confirm here:
In order to be in scope of those security standards, Stripe asks every account to meet certain requirements, in details those are:
Serve your payment page over SSL, i.e., the page’s web address should begin with HTTPS, not HTTP.
Use Stripe.js or Checkout to accept payment information, which uses an iframe to transmit sensitive information directly to Stripe’s servers.
See more infomation here:
Since the Handshake Platform meets those requirements, you are covered. It might be helpful to have a written confirmation on this If you want to provide an Attestation of Compliance (AOC) or a PCI DSS SelfAssessment Questionnaire (SAQ), you can use prefilled documents that we provide on your dashboard. You can find them here:
Who is the merchant of record?
The University’s Stripe account is the Merchant of Record. As explained above, the University is covered in terms of PCI compliance as long as the requirements outlined are met.
Do I have to setup a merchant account?
Nope! This is one of the reasons we use Stripe, you will only have to set up a Stripe account and then you will be able to start processing payments. Stripe operates the financial infrastructure of merchant accounts in the background, and while technically there are merchant relationships with Handshake and the University, Stripe’s users have no direct interaction with these, no other agreements to sign or relationships to have; only with Stripe.
What agreement do I have with Stripe?
When you setup your account with Stripe to accept payments in Handshake you need to agree to the following terms to open your account:
Please reach out to Handshake if you have discuss these terms and conditions.
How does Stripe process payments?
Create a Stripe account by providing a few details about your business. With one click, you’ll connect your new Stripe account with Handshake and start accepting payments immediately. You can also connect an existing Stripe account to Handshake if you already have one.
How does Handshake integrate with Stripe?
In order to associate payments with the correct institution, we use Stripe Connect. Stripe Connect allows our customers to:
Manage and View payments on their own Stripe account.
Decide when and how they want to receive their money, including next day deposits.
View customer and transaction logs.
Provide refunds to their customers.
In order to provide the above, each school account is connected with their own Stripe account in a seamless process on Handshake with the below steps.
Users visit the Payment Management page on Handshake. This page is only accessible by the school’s Handshake account owner.
User clicks the ‘Connect with Stripe’ button.
User is brought to stripe to either sign in to an existing account should it exist, or create a
User is brought back to Handshake with Stripe ready to be used. The access token and public key for the connected account are stored securely in order to associate future payments. The access token is kept private.
By default only the user who created the Stripe account will have access to the account.
Does Handshake store any information on about the transaction?
Handshake will receive back from stripe:
- External Customer ID
- Card Type
- Last four digits
Handshake will never see or store full credit card numbers, CVC codes, or other PCI DSS Sensitive Authentication Data.
When and how does Stripe transfer money into my account?
Payments you accept with Stripe are transferred to your bank account on a rolling basis. Although Stripe initiates an electronic deposit into your bank account daily, they'll actually be transferring payments accepted earlier based on your transfer schedule (listed in your Stripe dashboard).
Visit Stripe's documentation for more information, here:
Who will appear on the card holder statement?
The University (merchant of record) appears on cardholder statements. This is a requirement from the industry, a consumer should have direct information about who put that charge on their card, and who they should reach out to if they require assistance with it.
Will fraudulent orders or cards be rejected?
Stripe provides several tools to minimize fraud losses and to help businesses determine if a transaction is fraudulent. These include tools that allow Stripe to autoreject suspicious transactions and notify you of questionable charges so that you can make the most informed decision possible as to whether accept a charge. There are also a few tools that you can implement in your own Stripe account, including CVC or AVS checks.
Additionally, Stripe works with its financial partners and credit card networks to monitor fraud globally. There’s more information here: https://support.stripe.com/questions/whatcontrolsforfraudpreventiondoesstripeoffer
How much does Stripe cost?
5% of every successful transaction will be collected. Stripe is taking 2.9% + 30¢ for each transaction and Handshake will take up to but not more than 5% of the total transaction including stripe’s fees. Volume discounts are available.
Are there any other fees?
With Stripe’s simple and transparent pricing there are no hidden fees and you only get charged when you earn money.
Unlike with other payment services, you’ll never be charged for failed transactions, stored cards, recurring payments or refunds. Note that if you accept payments in other currencies, Stripe charges an additional 2% to automatically convert those funds before depositing them in your account.
How do I handle disputes?
Stripe actively works to prevent and minimize disputes, and you’ll work with them directly to manage any disputes. You can learn more here: https://stripe.com/help/disputes
How do I keep track of all these transactions?
Your Stripe Dashboard lets you view payments and customers, manage refunds, transfers to your account, and more. Login here: https://dashboard.stripe.com
There are hundreds of applications you can add to your Stripe account to do even more, such as receive specialized analytics on your Stripe data. You’ll find a full list of these applications here: https://stripe.com/docs/integrations
What does the payment flow look like?
Step 1: User visits the payments enabled page.
Step 2: User enters in Credit Card details including the Credit Card Number, CVC and Expiration Date and User denotes that they are ready to pay by “submitting” the information.
Step 3: Still on the browser, the client enters their data, which is then transmitted through a secured iframe controlled and hosted by Stripe. Stripe returns with either validation errors (missing fields, invalid formats, etc.) or with a token. In the event of a validation error the user is prompted to fix any invalid fields.
This token does not allow access to any cardholder data.
This token is not usable without the private key. It is a simple unique string that does not
include any Credit Card information.
entered Credit Card information.
Step 4: The browser sends the Stripe token, along with the last four digits of the Credit Card Number and Brand, to the Handshake servers. The Full Credit Card number, CVC, and other sensitive information are not sent to or stored on the Handshake servers.
Step 5: With the Stripe token received we can now create and send charge information to the university’s Stripe account along with our private key. Stripe processes the payment at this point and returns immediately with the result.
If the result is successful, we send the user a receipt.
If the result is failure (for example, the card is declined), we send the user an email
denoting the failure.
Shows the form and request headers sent to Stripe: