Hacker News new | past | comments | ask | show | jobs | submit login

I use PayPal for random sites that I don’t know because I don’t like handing my credit card info to random websites. Now I would personally trust Stripe Checkout (especially on a stripe.con domain rather than in a modal) but that’s because I know Stripe. The dislike of PayPal among techies is not common the population at large in my experience.

Another thing I use PayPal for is any kind of subscription, because I know I can cancel it from the PayPal side without having to worry about jumping through hoops.




As devs, we know in theory Stripe and PayPal are roughly equivalent in terms of protecting a card number. But the streamlined Stripe UI with the subtle branding doesn't drive home to the customer that Stripe is keeping your card number safe vs. random merchant storing all 16 digits in a hackable database somewhere.

The friction in the PayPal UI of making you log in to PayPal to make the payment is a pretty big trust signal IMO.


Stripe isn't as safe. PayPal collects my details only on paypal.com, Stripe collects my details on all sorts of domains, where who-knows-what JS might be present.


Are you speaking about real threats that cannot be mitigated by best practices, or theoretical threats of the future? I guess in other words, I’m under the impression using Stripe and following OWASP and script signing that my customers are safe. If I’m incorrect please pass me a clue.


As a customer, how do I verify that the merchant is following best practices and hasn't by mistake forgotten some ad script enabled on the payment page?

With PayPal as long as I only enter my password on paypal dot com I know I'm safe.


If you’re very careful and copy/paste the PayPal URL into an editor and verify you didn’t get sent to PayPal.com.evil.domain, then you’re very likely to be safe.


I don't need to do that, browsers carefully show the actual domain in ways to avoid that problem since a few years now.


I'm with you. I hate paypal, and I love stripe. But I am not going to hand my card number to a merchant I don't know. I broke this rule once in 2016, and regretted it.

If merchants would display a "Processed by Stripe" early on, I'd let up a bit.


This is it exactly. I think for Stripe to really succeed in consumer space and not just among techies, they need to have a manageable back end for consumers to log in and be able to stop payments any time and allow for storing of cc info so people are not asked to enter it on a random website.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: