Stripe - Why do you ask me to turn on the "process payments unsafely" setting?

Stripe recently added a setting called "process payments unsafely" and some new Stripe accounts have that turned off by default.

While this sounds like an ominous setting to turn on, it actually is perfectly safe if you're using Prepaysystems, and it's something we require in order to use Stripe as a credit card processor.

Why Does It Have to be Turned On?

Prepaysystems passes credit card information on behalf of its merchants (customers like you!). We do this for a variety of business processes, such as customer purchases and refunds. We also do this so that you can switch processors (e.g. away from Stripe to someone else) any time you want. We do not store your customers' credit card information in our system at all. The data is simply passed on to Stripe securely.

But Stripe Says It's "Unsafe" and There Are Better Options!

Stripe is incorrectly painting all integrators with a broad brush here. It isn't unsafe if you're using a PCI compliant vendor like Prepaysystems. Prepaysystems is not only fully PCI compliant, but our systems were specifically designed to align with PCI best practices.

Stripe recommends tokenization as its preferred integration method, but that locks you into using them as your processor indefinitely. We built Prepaysystems to be vendor agnostic and we integrate with more than 12 other processors and gateways. We want you to be able to seamlessly change processors at a moment's notice without having to do a lot of hard work.

How To Turn It On

If you process a live credit card on your account and you get a decline with this message:

"Sending credit card numbers directly to Stripe API is generally unsafe."

then you need to turn on the "process payments unsafely" setting in Stripe.

To do that, log in to your Stripe dashboard and search for "Integration" in the top bar to go to the Settings > Integration section. Or use this direct link to get there: https://dashboard.stripe.com/account/integration/settings.

Once in the Integration section, expand "Show advanced options" and select "Handle card information directly".

A small dialog box will open and ask you a series of questions. Select each checkbox and then select "Someone else built my Stripe integration" from the drop-down. Enter "prepaysystems.com" as the vendor and then click the Process button. Your answers should resemble the picture below.

After this saves, Stripe will tell you that you need to verify your phone number -- do that as well. Having a verified phone number is good practice.

Why Is Stripe Now Requiring This?

It's hard to say why Stripe added this and even harder to explain why they worded it this way (i.e. stigmatizing it as "unsafe").

If integrators like Prepaysystems have demonstrated PCI compliance and technical competency at integration (which we have), there is nothing "unsafe" about passing credit cards via secure protocols. In fact, Stripe itself uses the very same secure protocols and PCI regulations that we do when it interfaces with interchange and the cardholders' banks.

To be honest, we believe Stripe is making this new policy for vendor lock-in and not safety. If we used Stripe's proprietary tokenization system, it would be impossible for our users to switch to a different processor if they found better processing rates.

I'm also using Stripe with another system that does support tokenization. Will this setting break that?

No. Turning on the "process payments unsafely" setting simply allows Stripe to accept credit card information directly. It does not prevent the tokenization method from being used at the same time.