
Stripe Button (beta) - firefoxman1
https://stripe.com/docs/button
======
recuter
Outstanding.

However, one tiny nitpick: The Stripe brand is not equivalent to paypal and
other common payment options, it doesn't yet mean anything to most people. The
button saying "Pay with Stripe" might confuse people or not convert optimally,
perhaps let the text be customized?

~~~
maccman
Hi, I'm the developer behind the button

Yes, I absolutely agree. We're redesigning that part of the button, and
allowing people to specify various options, such as 'Pay', 'Add Card',
'Checkout' etc.

~~~
mikegirouard
Howdy. Thanks for not minifying the JS[1].

When it comes to payment-related code, I wouldn't even consider it an option
for my shop w/o reviewing it. Was that by design or will it be minified in the
future?

[1]: <https://button.stripe.com/v1/button.js>

~~~
boucher
Though we'll probably minify it in the future, we also will have a non
minified version for people to look through.

------
davesmylie
Every time I see yet another Stripe post on HN, I get all sad all over again
knowing they have no real plans to launch in NZ (or any other country afaik).

After a year or so of waiting they have expanded to only one other country
(Canada), and they still completely avoid talking about future expansion other
than a token "We are working on expanding into other countries" sort of answer
=/

Very cool looking project, but looking more and more like it's never going to
be able to used by the majority of the world... (ie any developers living
outside of the USA).

~~~
pc
I'm sorry. It's really frustrating for us too. To the extent it helps, Canada
is very much just a first step for us. We're actively working on a number of
countries—including New Zealand specifically.

~~~
winter_blue
There are 43 countries[1] with more English speakers than New Zealand. What
led you to work on NZ first, rather than say, India or Philippines?

[1]
[https://en.wikipedia.org/wiki/List_of_countries_by_English-s...](https://en.wikipedia.org/wiki/List_of_countries_by_English-
speaking_population)

EDIT: Many of these countries aren't as "online" as the ones with Her Majesty
on their money. But, I should add India scores better on the "number of
Internet users" scale than the UK, NZ or Canada.

India should theoretically be the next stop for any startup wishing to expand
into other English-speaking markets.

~~~
omni
Other factors like the country's legal system are also important, especially
for a business that is going to be tightly regulated in most places.

------
antihero
Why would we use a payment processor that only works in the US and Canada? I
mean everything I've seen about Stripe looks utterly fantastic, but we've been
waiting ages for it to come to Britain and Europe, when is this actually going
to happen? What actual roadblocks are in the way of this happening? What have
the team responsible for this been doing for the past year or so, sitting on
their arses?

~~~
tomschlick
Every time someone posts about stripe there is this comment. They have said
numerous times that they are working on it and they have to pass through
several regulatory hurdles to do so. They also explained in their blog post
about the canadian support that many of the hurdles of adding a secondary
region to the platform wont have to be done for further regions. So your
answer is it will be released when its ready.

~~~
antihero
I think it's important that they realised just quite how large the demand is
for this to happen.

------
juddlyon
These guys ship like crazy.

I've used the service for a client and am in the process on two others. Highly
recommended, especially if you've ever been in PayPal integration hell.

~~~
arcatek
Yeah ... but this button is making fishing super-easy. I'm really not sure
it's a good idea (the iframe is a clever trick, but the interface could very
easily be copy/paste in a fishing website. Users would have no way to check if
their credit card is stolen by the website).

~~~
aptwebapps
The usual way that Stripe works is that you enter your cc info on the
merchant's site and it gets sent to Stripe via Javascript. The only difference
here is that they're packaging it up nicely.

------
pfraze
EDIT: to avoid any FUD, there's no problem with the URL; as the replies say,
the path of the target URL is encrypted under SSL.

\---

ORIGINAL: I have a question about the security of the button, though I may be
wrong. The outgoing request is a GET with the credit card info in plain-text
as a query parameter. With it went all of the cookies in the origin's domain.

GET
[https://api.stripe.com/v1/tokens?key=W1xyC0XilnJTkz52noGj1Hh...](https://api.stripe.com/v1/tokens?key=W1xyC0XilnJTkz52noGj1Hh0ftbg5jYO&card\[name\]=foo+bar&card\[number\]=4111%201111%201111%201111&card\[cvc\]=123&card\[exp_month\]=01&card\[exp_year\]=2015&callback=sjsonp1349813368560&_method=POST)

The SSL keeps the cookies safe from loggers, but not from stripe. The URL,
however, is not protected from anybody, right?

~~~
jonknee
That is interesting, the form is a POST, must be Javascript doing the GET in
its place. I wonder what the technical advantage of GET is in this case.

~~~
jtolj
Maybe has something to do with this: <https://stripe.com/blog/stripejs-and-
jsonp> (they mention JSONP only supporting GET requests)?

~~~
jonknee
Yup. Duh.

------
pc
Patrick from Stripe here.

I wanted to say thanks for the comments. This is just a beta product that
we're experimenting with. As many people here are pointing out, there's still
a lot we want to fix and improve (e.g. the button text and how validation
works). We definitely welcome any feedback, though -- especially if you go to
implement it on your site.

~~~
zsherman
This is awesome guys, great work. One quick nitpicky thing that I don't think
has been addressed yet: In Safari after the cancel button has been clicked,
clicking the button fades in, then out, and in again before you can enter
anything. _Edit_ I'm using Safari 5.1, doesn't seem to happen in 6.

------
SkyMarshal
In case any Stripe folks read this, I tested it with an invalid month (13) and
valid year (16,15,13,12 in that order) and valid everything else, and every
time it put the red error highlight around the year instead of the month.

No comment box on post page, so posting here instead.

~~~
boucher
Thanks, we're fixing this.

~~~
Ecio78
The Year field is specified as YY but it allows you to write up to 4 digits,
even though the characters shown are only 3 (the field is not large enough).
Tested on Chrome and Firefox on Windows 7.

nb I tried 2015 as year and it was accepted, so I suppose it's ok to specify
years in 4digit format

------
duiker101
The more I Stripe the more I die inside looking at my Paypal websites....
Please bring it to the EU(at least the UK)

~~~
LordIllidan
A 100 times this. And not just the UK please!

Actually, I'd be interested to know what are the main obstacles in launching
this service internationally. Is it mainly bureaucracy and legal issues, or
are there yet other considerations?

------
pkamb
It would be cool, if you start typing _numbers_ * into the first field, it
automatically switched focus to the proper second field and put the CC numbers
there. Just made the mistake myself, started typing the example CC number and
only afterward noticed I filled out the "Full Name" field.

*May cause problems for 2Pac and other new age names...

~~~
ConstantineXVI
2pac would be fine, no common cards use a 2xxx prefix anymore (only [3 4 5 6]
are in use these days). 50 Cent might cause issues, but those could be
dampened by not bouncing to the CC field until you've entered 4 characters or
so.

~~~
pkamb
I think the best design would be to bounce down upon the first number (99.999%
of cases) but then allow for the entering of numbers if the user manually
clicks back up and enters a number as their name (0.001%).

------
gawker
I'd love to hear the security implications of the button. Seems to me that
someone could easily replicate this and trick users into entering their credit
card number. Am I wrong? Are there any other avenues of attack? I have an idea
about something similar but since I'm no security expert, I'd love to hear
what more experienced hackers think.

~~~
frio
I strongly agree, and wish I could upvote you more. Before I enter CC details
on any site, I check: is it HTTPS? Is the domain correct? The average user
might not, sure, but it's there for those of us who do.

This abstracts that away. Creating a duplicate popup would be trivial, and
harvesting data -- while appearing "trusted" -- is easier this way than the
other way (because you don't even need to bother faking a domain).

I hope the Stripe people are taking this into consideration.

~~~
gawker
I'm glad someone doesn't think I'm paranoid. We're dealing with money at work
and someone thought of the same concept - make it look clean and make it look
cool but there's no real way to let a user know that this is legit. I'd love
to hear and discuss what Stripe has in mind (Don't worry, we're not in
competition :) )

------
degenerate
There seems to be a bug in Chrome when the javascript validates my MM input.
Notice that MM is impossible (66) yet it highlights the YY box (which is
valid): <http://i.imgur.com/iHYFe.jpg>

------
jaredcwhite
Boom! The button idea is brilliant. It really seems like Stripe has the
potential here to become the payment fabric of the web in a way PayPal once
could have been but botched due to a lousy UX.

------
sherwin
I'm not sure having a modal is the best idea -- aren't modals generally
frowned upon because they require a mental recontextualization and disrupt the
user's flow? I'm just curious if anyone else had this thought.

Although I can see why having a prepackaged one-button solution would make
sense, where Stripe takes care of the presentation / styling / inputs, so
there actually is a change of context.

For the record, I use Stripe at my company, and I love it!

~~~
camwest
Well the 'purchase' is usually the conversion point of a particular workflow
so I don't think that this is really that much of a disruption.

------
rubergly
Looks great. I can only imagine that this is the first step towards allowing
users to store their credit card information securely with Stripe and not have
to pass it through every merchant site. I can't wait until the day that
Stripe's ease of use for developers meets (and exceeds) Paypal's ease of use
for customers.

------
bdr
Nice. In the next step, could Stripe start cookie-ing people to remember their
payment info across sites?

~~~
pc86
Let me get this straight, you want a Stripe cookie that remembers a user's
payment information _across unrelated websites_?

~~~
bdr
Yes, like Facebook Connect. This would in fact be more secure than the current
solution.

~~~
ceejayoz
> This would in fact be more secure than the current solution.

... why?

~~~
bdr
Because users wouldn't have to retype their CC on every page, thereby trusting
each site owner (and more). Instead, you'd get used to Stripe already having
your info, and a page where the Stripe button prompted you for it would be
suspicious.

~~~
Kudos
So... like Paypal?

------
plainOldText
In my opinion the button resembles a regular bootstrap button. I think Stripe
ought to give this button a little creative touch to make it instantly
recognizable; you know, building the brand recognition thing. When I see the
Paypal button i instantly know what I'm clicking on.

------
JacksonGariety
For some reason I couldn't find the cancel button, honestly had to look for it
for a while. My brain expected to be able to click in the top left or right or
on the background to dismiss it, never though to look next to the "pay"
button. But otherwise the design is awesome!

~~~
ANTSANTS
Yeah, I'd say a big red cancel button (or maybe give the "Pay" button the
whole bottom slice, and have a traditional red X button in the corner), and
the ability to dismiss the dialog by clicking outside of its frame would go a
long way here.

------
mratzloff
I really like Stripe. They're working hard to make payments work as well as
GitHub does for source control, and this is yet another really useful tool.
They're not perfect--we still encounter bugs occasionally--but they're
responsive and friendly. Goes a long way.

------
marcamillion
Out of curiosity, does this button produce a receipt of the transaction? Or do
I, as the developer and site owner, have to create that manually?

I would love a complete solution that just allows me to connect this button to
a product, and then Stripe takes care of everything else.

~~~
lemieux
I don't think that is what Stripe is meant to do. That button doesn't even
charge your customer. It provides only a token that you can use server-side to
charge the customer.

------
swanify
Please bring this to the UK before i kill myself!

------
doctororange
Hi Patrick. Great stuff!

We're currently implementing invoice payments with the new Stripe button over
at Paydirt (<https://paydirtapp.com>).

One little issue: in Chromium 20.0.1132.47, the button renders with a line
break and overflows the iframe like this: <http://imgur.com/88st1>

The same page renders the button fine in Firefox and other Chrome browsers I
checked. Adding `white-space: nowrap;` via the Chrome inspector fixes the
problem.

I'm tristan[ at ]paydirtapp.com if you need it replicated.

Cheers.

------
brackin
Love the new button, GoCardless is a good alternative for UK (and soon Europe)
focused businesses until Stripe launches, know they are different as GC uses
Direct Debit.

~~~
Kudos
I wouldn't call it slightly different, GoCardless is not much good to people
looking to lots of small payments.

~~~
brackin
It's definitely for a certain type of seller. Although you could technically
use it for micro-payments, it's not very effective at all. There's Braintree
among other competitors too.

------
dm8
I use Stripe on our website for payments and it's beautiful. I agree that
Stripe is still not that well known outside tech/geek circles. But it will be
very useful for one-time payment type of websites/blogs and I'm sure it will
give lot of brand lift to Stripe in non-tech users.

To Stripe Folks: It would be great to have "Powered by Stripe" badge so that
developers can show that payments are taken care by Stripe.

------
moe
They must be kidding. They're not seriously going to ask for CC credentials in
a javascript popup without any means to inspect an SSL certificate?

------
ljoshua
Wow, the open/close animation is smoooooth! Almost as impressive as the
functionality itself. Going to have to inspect the CSS for that goodness.

------
xm1994
I love the Stripe service and use it anytime I have the need for accepting CC
payments. However, as a consumer, I see myself choosing the Paypal option for
the sole reason that I only have to type in a password vs. taking out my
credit card. Its the same reason I love buying items from Amazon. Any
alternative to Paypal has to make the buying process just as easy.

~~~
SkyMarshal
_> Its the same reason I love buying items from Amazon._

Truth. I wonder if Amazon has looked into entering this market.

~~~
fooandbarify
<https://payments.amazon.com/sdui/sdui/business/cba>

------
aquark
Nice implementation. Though I wish they would address the issue with CCV
validation. If you use the test card 4000000000000101 which will fail the CCV
check, you still get back a valid token.

There doesn't appear to be any way to configure their API to reject a token
request with an invalid CCV short of creating a customer record for each
request.

------
tomx
Does Stripe ask for any more information than that available on the card?

Normally I'm asked for at least a Post Code, which I assume is part of
reducing fraud, through making it a bit more difficult to use a stolen card.

------
quadrant6
Waiting for the the day us New Zealanders can use this instead of PayPal.

------
melicerte
Stripe looks great and affordable! Alas, still not available in Europe
(request was sent to them more than a year from now). In the meantime, we are
working with Avangate.

------
joelrunyon
Stripe has been 5x better than Paypal for me (approximately). Process is
seamless. Still waiting on more people to get integrations baked in, but this
is good stuff.

------
karolist
This is what it looks like on linux, Chromium Version 22.0.1229.92 (159988)

<http://imgur.com/Fqm52>

------
consultutah
I'm using the new stripe button on <http://jungleblaze.com> and love it.

~~~
coolnow
Hi, nice site you have there.

I found a few tiny mistakes under "About Us", specifically: "The /book book/
didn't make him rich, but it did sell enough /copied/..."

Just trying to help :)

~~~
consultutah
Thank you!

------
markgarity
Well done Stripe! Love the creativity and dedication towards simplifying every
possible approach to payment processing.

------
zerostar07
How about it goes even further, i.e. use the webcam to take a snap of the
credit card to fill in all card information?

------
tzaman
The button itself could use a bit more personality, it currently looks like
the generic bootstrap button

~~~
thomasfl
The blue color is reminiscent of twitter bootstrap, but the pay dialog with
the subtle embossing and slightly rounded corners must have been made with
lots of love and care.

~~~
tzaman
The dialog is very nice, agreed - but the button itself is missing the 'brand
touch', despite the fact it may have been designed with lots of love :)

------
Raphael
Great. But I would like the ability to customize the look of the button if it
doesn't go with my design.

------
matthodan
Definitely need to add a close button at the top right of that window.
Otherwise, nice work! :p

------
knighthacker
I love it. Well executed. My only comment is to make the text on the button
customizable.

------
alpb
I see an empty space on IE 10, could anybody post a screenshot please?

~~~
maccman
Could you contact me at alex@stripe.com and we can get this resolved. Thanks!

~~~
alpb
Seems to be resolved, cool.

------
yesimahuman
This looks so awesome! I'm really excited to add this to my projects.

------
tonyblundell
Please open to Europe!

------
ExpiredLink
They really disabled Ctrl-c?

------
Void_
Credit card payments is not a place to show off your ability to make pretty
animations, IMO.

~~~
bluthru
What are you talking about? The animations are extremely tasteful and
restrained. Don't be a curmudgeon.

