What is Stripe? - Handshake Support

What is Stripe?
Stripe is a quick and secure way to accept credit card and debit card payments online. Stripe
helps Handshake provide a seamless payment experience for you and your customers
(Employers/Students).
Stripe processes billions of dollars a year and is used by tens of thousands of companies
worldwide, including Fortune 500s and small businesses alike. You can learn more at
www.stripe.com.
Is Stripe secure? PCI compliant?
Stripe meets and exceeds the most stringent industry standards for security. They are also
audited by a PCI-certified auditor, and are certified to PCI Service Provider Level 1. (This is the
highest level of certification available). You can learn more about the technical details of Stripe's
secure infrastructure here: https://stripe.com/help/security.
Is Handshake secure? PCI compliant?
Handshake has been certified by an accredited QSA as a Card-not-present e-commerce only
Merchant (SAQ A). We are happy to produce our AOC and ASV scans if you would like to
review.
Why is Handshake filling out an SAQ A?
Handshake has worked with our QSA and Stripe to ensure we meet all requirements to put us in
scope of SAQ A. This involves:
● Using the latest version of Stripe.js, which is included from Stripe’s domain
● Ensuring all transmission of sensitive cardholder data is within an iframe served off of
stripe.com’s domain controlled by Stripe
For more information see here: https://support.stripe.com/questions/what-about-pci-dss-3-1
Does my school have to be PCI compliant?
Generally, anyone involved in the processing, transmission, or storage of credit card data must
comply with the Payment Card Industry Data Security Standards. In Handshake’s Setup with
your University, it's Stripe that is holding the PCI-Compliance certification, which you can
confirm here:
https://support.stripe.com/questions/is-stripe-pci-compliant
In order to be in scope of those security standards, Stripe asks every account to meet certain
requirements. In detail, those are:
● Serve your payment page over SSL, i.e., the page’s web address should begin with
HTTPS, not HTTP.
● Use Stripe.js or Checkout to accept payment information, which uses an iframe to
transmit sensitive information directly to Stripe’s servers.
● Never store cardholder data on your servers.
● Do not process credit cards via the Stripe dashboard (if you do, you have to do your own
PCI reporting to Stripe).
See more information here:
https://support.stripe.com/questions/do-i-need-to-be-pci-compliant-what-do-i-have-to-do
Since the Handshake Platform meets those requirements, you are covered. It might be helpful
to have a written confirmation on this. If you want to provide an Attestation of Compliance
(AOC) or a PCI DSS Self-Assessment Questionnaire (SAQ), you can use pre-filled documents
that we provide on your dashboard. See below for more details on generating your AOC.
Who is the merchant of record?
The University’s Stripe account is the Merchant of Record. As explained above, the University
is covered in terms of PCI compliance as long as the requirements outlined are met.
Do I have to set up a merchant account?
Nope! This is one of the reasons we use Stripe: you will only have to set up a Stripe account
and then you will be able to start processing payments. Stripe operates the financial
infrastructure of merchant accounts in the background, and while technically there are merchant
relationships with Handshake and the University, Stripe’s users have no direct interaction with
these, no other agreements to sign or relationships to have; only with Stripe.
What agreement do I have with Stripe?
When you set up your account with Stripe to accept payments in Handshake, you need to agree
to the following terms to open your account:
● https://stripe.com/us/terms
● https://stripe.com/connect/account-terms
Please reach out to Handshake if you would like to discuss these terms and conditions.
How does Stripe process payments?
Create a Stripe account by providing a few details about your business. With one click, you’ll
connect your new Stripe account with Handshake and start accepting payments immediately.
You can also connect an existing Stripe account to Handshake if you already have one.
Can we process credit card payments over the phone?
Learn more about this here: https://support.stripe.com/questions/phone-orders
How does Handshake integrate with Stripe?
In order to associate payments with the correct institution, we use Stripe Connect. Stripe
Connect allows our customers to:
● Manage and view payments on their own Stripe account.
● Decide when and how they want to receive their money, including next day deposits.
● View customer and transaction logs.
● Provide refunds to their customers.
In order to provide the above, each school account is connected with their own Stripe account in
a seamless process on Handshake with the below steps.
1. Users visit the Payment Management page on Handshake. This page is only accessible
by the school’s Handshake account owner.
2. User clicks the ‘Connect with Stripe’ button.
3. User is brought to Stripe to either sign in to an existing account, should it exist, or create a
new one.
4. User is brought back to Handshake with Stripe ready to be used. The access token and
public key for the connected account are stored securely in order to associate future payments.
The access token is kept private.
By default only the user who created the Stripe account will have access to the account.
Does Handshake store any information about the transaction?
Handshake will receive back from Stripe:
● Amount
● External Customer ID
● Card Type
● Last four Digits
Handshake will never see or store full credit card numbers, CVC codes, or other PCI DSS
Sensitive Authentication Data.
When and how does Stripe transfer money into my account?
Payments you accept with Stripe are transferred to your bank account on a rolling basis.
Although Stripe initiates an electronic deposit into your bank account daily, they'll actually be
transferring payments accepted earlier based on your transfer schedule (listed in your Stripe
dashboard).
Visit Stripe's documentation for more information, here:
https://support.stripe.com/questions/how-do-my-payments-get-to-me
Who will appear on the card holder statement?
The University (merchant of record) appears on cardholder statements. This is a requirement
from the industry: a consumer should have direct information about who put that charge on their
card, and who they should reach out to if they require assistance with it.
Will fraudulent orders or cards be rejected?
Stripe provides several tools to minimize fraud losses and to help businesses determine if a
transaction is fraudulent. These include tools that allow Stripe to auto-reject suspicious
transactions and notify you of questionable charges so that you can make the most informed
decision possible as to whether to accept a charge. There are also a few tools that you can
implement in your own Stripe account, including CVC or AVS checks.
Additionally, Stripe works with its financial partners and credit card networks to monitor fraud
globally. There’s more information here:
https://support.stripe.com/questions/what-controls-for-fraud-prevention-does-stripe-offer
How much does Stripe cost?
5% of every successful transaction will be collected. Stripe is taking 2.9% + 30¢ for each
transaction and Handshake will take up to but not more than 5% of the total transaction
including Stripe’s fees. Volume discounts are available.
Are there any other fees?
With Stripe’s simple and transparent pricing there are no hidden fees and you only get charged
when you earn money.
Unlike with other payment services, you’ll never be charged for failed transactions, stored cards,
recurring payments or refunds. Note that if you accept payments in other currencies, Stripe
charges an additional 2% to automatically convert those funds before depositing them in your
account.
How do I handle disputes?
Stripe actively works to prevent and minimize disputes, and you’ll work with them directly to
manage any disputes. You can learn more here: https://stripe.com/help/disputes
How do I keep track of all these transactions?
Your Stripe Dashboard lets you view payments and customers, manage refunds, transfers to
your account, and more. Login here: https://dashboard.stripe.com
There are hundreds of applications you can add to your Stripe account to do even more, such
as receive specialized analytics on your Stripe data. You’ll find a full list of these applications
here: https://stripe.com/docs/integrations
What does the payment flow look like?
What does the full payment flow look like?
Step 1: User visits the payments enabled page.
Step 2: User enters in Credit Card details including the Credit Card Number, CVC and
Expiration Date and User denotes that they are ready to pay by “submitting” the information.
Step 3: Still on the browser, the client enters their data, which is then transmitted through a
secured iframe controlled and hosted by Stripe. Stripe returns with either validation errors
(missing fields, invalid formats, etc.) or with a token. In the event of a validation error the user is
prompted to fix any invalid fields.
1. This token does not allow access to any cardholder data.
2. This token is not usable without the private key. It is a simple unique string that does not
include any Credit Card information.
3. In the event that JavaScript is turned off by the user, the server will still not receive the
entered Credit Card information.
Step 4: The browser sends the Stripe token, along with the last four digits of the Credit Card
Number and Brand, to the Handshake servers. The Full Credit Card number, CVC, and other
sensitive information are not sent to or stored on the Handshake servers.
Step 5: With the Stripe token received we can now create and send charge information to the
university’s Stripe account along with our private key. Stripe processes the payment at this point
and returns immediately with the result.
1. If the result is successful, we send the user a receipt.
2. If the result is failure (for example, the card is declined), we send the user an email
denoting the failure.
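As an added illustration of Step 4 (this is not Handshake's or Stripe's code), the sketch below shows a server-side intake check that enforces the rule "token, last four digits and brand only" and flags anything that looks like a full card number. The field names stripe_token, last4 and brand and the sample payloads are assumptions constructed for the example.

```python
import re

# Fields the browser is expected to send in Step 4 (names are assumptions).
ALLOWED_FIELDS = {"stripe_token", "last4", "brand"}
# Candidate card number: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value: str) -> bool:
    """True if the value holds a Luhn-valid 13-19 digit sequence."""
    for match in PAN_CANDIDATE.finditer(value):
        if luhn_valid(re.sub(r"[ -]", "", match.group())):
            return True
    return False


def check_payment_payload(payload: dict) -> list:
    """Return a list of violations; an empty list means the payload fits Step 4."""
    problems = [f"unexpected field: {name}"
                for name in sorted(set(payload) - ALLOWED_FIELDS)]
    for name, value in payload.items():
        if contains_pan(str(value)):
            problems.append(f"possible card number in field: {name}")
    if not re.fullmatch(r"\d{4}", str(payload.get("last4", ""))):
        problems.append("last4 must be exactly four digits")
    if not str(payload.get("stripe_token", "")).strip():
        problems.append("missing stripe_token")
    return problems


# Constructed sample payloads (not real traffic).
GOOD = {"stripe_token": "tok_constructed_example", "last4": "4242", "brand": "Visa"}
BAD = dict(GOOD, card_number="4242 4242 4242 4242", cvc="123")
```

A request that fails this check should be rejected and logged without the offending value, so the card number does not end up in application logs.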
[Screenshot: the form and request headers sent to Stripe]
Want to get in touch with Stripe?
If you have any questions or feedback, email support@stripe.com or reach out to Handshake for
someone to contact.
How do we generate our Attestation of Compliance, SAQ-A?
If you don’t have a Stripe Account set up and would like to see an example, reach out to
Handshake and we can send you one.
1. Visit: https://dashboard.stripe.com/account/compliance as an administrator
2. Answer the three questions below
3. Afterwards, you can view the completed document, which is your generated AOC