My initial attraction to Stripe was because of a reason mentioned in the post: not wanting to redirect or otherwise interrupt the normal order process of my site with another company's (branded) checkout form just to handle credit card payments. The other reason for initial attraction was of course their elegant API, which was very refreshing to see after having dealt with Intuit's QBMS API (shudder) in the past.
Stripe really sealed the deal though when I tweeted them to ask my first question about signup and one of the co-founders reached out to me. Since then, I've been in contact to share my feedback or ask other questions, and the quality and timing of their responses is one of the best I've ever seen.
When a customer of ours had an issue placing his order, I wrote Stripe to see if they could offer any insight as to what errors they might be seeing on their end. While the error was unrelated to Stripe itself, they were so awesome that they actually took the initiative to browse through our checkout page and point out the spot that they thought to be the issue.
A company that stands beside you when debugging your checkout page, maintaining swift response times on an issue that isn't even theirs? That's customer support.
I probably sound like I'm gushing right now, but I just have mad respect for this company. The product isn't the only thing that's top notch, the people behind it rock too.
(edit: I typed this over too long a period of time, and some of this post appeared after I had already submitted a draft with the above paragraph that received some upvotes, so I've now edited again to add this edit paragraph to explain that everything after this point was added after I received said upvotes. ;P)
Also, I'm very curious about their API... I didn't see much information on chargebacks. Processors like Litle & Co make it very easy to fully automate the chargeback representment flow. PayPal, incidentally, does /not/ provide this either, but they do have APIs that let you (with only some hoops to get through bugs that I've filed with them, and we may see fixed fairly soon) correlate and track all of the chargebacks and how they relate to your transactions.
Yet, when Stripe first started appearing on Hacker News, their website seemed to have almost no information on chargebacks. I asked after this, and the page "appeared" with an apology that it was supposedly there but not linked, but it then had very little information on it. I still (checking again now) see no information on how I'd determine /which/ transactions had chargebacks automatically: they seem to seriously rely on sending an e-mail? Why does their API page never once mention the word "chargeback"?
In that instance, the co-founder replied, but I've heard from a number of Stripe's other employees since then, and in every case the customer support has been wonderful. Perhaps that's solely because they are still a startup, but given what I know now about the people themselves, I don't believe that to be the case.
I don't mean my original comment to suggest that the co-founder will always be the one to respond to a tweet as Stripe grows, but I do suspect that their standards for customer service will remain high, and someone in the company will give a quick and quality response. That said, with Stripe, I believe that–even if they aren't the ones responding to every tweet, which is admittedly much to ask–the co-founders will continue to have an eye on what people are saying about them and interact appropriately, not wall themselves off.
Edit to reflect your edit:
I remember that HN thread where you brought up chargebacks. For anyone interested, they discuss how they handle chargebacks here: https://stripe.com/help/chargebacks
I can't attest as to why they manage chargebacks that way, and will not speculate beyond the note that they are still new and seem to be developing their service in response to customer feedback and perceived needs.
For you, or anyone else who might be interested in requesting features regarding chargebacks or any other aspect of their service, I highly recommend writing in: email@example.com or https://stripe.com/help/contact. As I mentioned, they're very responsive, and seem to love the feedback.
Though, I cannot say PayPal is perfect. I have run into a bunch of annoying issues correlating settlements (bugs filed recently, will be curious to see if they get fixed), and their pricing is not the best that is out there (although is still better than Stripe). I am curious if you've looked into any alternatives. I've spent the last few days talking to Litle & Co, and I must say that the people there /love/ talking to you about payments... their booth at ad:tech was the most enjoyable conversation I've had about payments in a while, and I got to spend another half hour on the phone with them yesterday learning more about how bank ACH settlement works.
Edit to reflect your edit ;P
That is the page I just had gone and reviewed now. It still seems incredibly manual. I would not feel comfortable running a site at scale where I'm dealing with receiving e-mails in an undocumented (probably designed-for-humans) format as my only source of notifications for chargebacks. :(
It is often these "at scale" issues that are seemingly not handled by them; example: per their API page, Stripe does not resend webhooks if there is an error in the response... doesn't this make them useless to rely on? Am I required to sit around and poll my transactions to feel 100% certain that I didn't miss something because my load balancer accidentally gave them a 503 during some traffic spike? :(
Unfortunately, everyone is coming out the woodwork now to get their two shots in while PayPal is down.
I will be the first to say there are warts, but the warts are really far down in the trenches (I only noticed them after using them for years; I did my initial PayPal integration in less than a day): Stripe seems to be missing important things upfront.
Also, I am confused what you mean by "electronic forums"; do you mean like an online ticket site? I have filed numerous tickets against PayPal, and they have always been answered within a few hours during the day; they even have people available to respond to integration issues in the middle of the night.
WePay's API is very well designed and easy to understand. The documentation is blissfully short and effective. When I had technical questions, a post to their email list got me a detailed response within hours (and usually within minutes). Honestly it's the best developer support experience I have ever had with any product in my 16 years of professional software development. I hope it lasts.
All three of PayPal, Google, and Amazon suck, but I will honestly say that PayPal is probably the worst developer experience I've had in that same time period. And this was for a very simple implementation of a single product one-time purchase.
1) It took hours to figure out what product I wanted. PayPal's product assortment is a trainwreck. What the hell is the difference between Web Payments and Web Payments Pro and Adaptive Payments and about a dozen other things with idiotic names that all sound the same. The chart that tries to help you pick a product is useless.
2) The layout of paypal's website is labyrinthine. Even after I figured out what product I needed, assembling all the relevant documentation was hard.
3) The documentation is flat-out wrong in several (rather important) places. For example, the IPN guide (naturally, a PDF https://cms.paypal.com/cms_content/US/en_US/files/developer/...) on page 9 clearly states that you must explicitly post back messages to paypal to get them to stop sending (which is retarded and screws up transactions), but HN says that this is not the case. You can see my venting about this almost a year ago here: http://news.ycombinator.com/item?id=2341119
4) Posting a technical question to PayPal's forum gave me an unhelpful response from a clearly first-level "read the flowchart" technical support rep. Pointless exercise.
5) PayPal's APIs all feel like they were designed in the 1990s. Seriously, I would be horribly embarrassed to publish an API like that. I put more thought into (and produce better documentation for) my opensource projects. Useless crap websites like Foursquare can come up with solid APIs, there's no excuse for a company that handles actual money to be this janky.
It's vogue to hate PayPal because they really horribly suck. And now there are good alternatives. So I say, let them rot. WePay costs a little bit more but it is worth it not to have bit scary parts of my codebase that I dread going into.
WePay's retry policy at least exists, but only retrying three times total, with those three times only spanning a single hour of attempts, is kind of bothersome... I have totally had outages that affected some random load balancer for an hour in the middle of the night: PayPal will retry for something like four days, and has a mechanism to "force flush" the notifications as your infrastructure comes back online.
Honestly, all of these APIs are not that great. Amazon's API, for example, does not let you get the shipping address. They return it as part of the co-branded UI return, but that request to your server, at scale, will sometimes be lost in transit. When the user goes back through the payment process, you are encouraged to look up the existing token the user succeeded in authorizing by CallerReference and then continuing the payment, but that means the shipping address is not sent, and you can't query for it. You can, however, get it via IPN, but if you find some silly bug in your code that drops an IPN's incoming shipping address (but returns a successful result), you are simply screwed and have to talk to the customer to recover the shipping address for that transaction.
Looking more at WePay, I again see the same thing I keep harping about regarding Stripe: I see no mentions of chargebacks. Doing a "site:wepay.com chargeback" search using Google I find their terms of service, but nothing in their API documentation; and omg: their terms of service regarding chargebacks is the worst I have so far seen... $35 ding and your account seems to immediately be put on hold and goes into account review? For a single chargeback? WTF.
(Also, just FYI, you can see logs of all the webhooks in your Stripe account, including the response body and response status code, and they can be retried with a button click -- a manual process, yes, but it is at least possible)
If this were the case (and it seems from other responses to the rant that it is not, but honestly the documentation seems to read as if it is), then it would not be possible to both verify the validity of IPN requests /and/ guarantee that the information is safely committed to one's database.
In essence, and to explain, there are really only two options: either my server commits to my database before or after I perform the verification.
If I do it after, then I might fail (for whatever reason, let's say out of disk space), but will not get a retry of the IPN as I already cleared it.
If I do it before, and the verification returns "invalid", then I have to attempt to undo what I did to the database, which might not be possible, or itself might fail.
Instead, IPN needs to (and I am under the impression from the responses to the rant that it does) clear the IPN retry if the entire request succeeds, allowing for verification to be separate: you first verify, then commit, and finally return a successful HTTP status code to clear retries; here, if your commit fails, you will get another attempt.
I can see how the validation step might be confusingly described. For what it's worth, the validation step merely compares a hash of the variables to confirm the authenticity of the IPN. It doesn't touch the DB at all.
The rant really was just about how he perceived it working based on what I do feel is a reasonable reading of the documentation (and in fact I think I originally had that interpretation myself until I actually tried it in practice): that the documentation lists the "response" as the verification process, and does not seem to have any provisions for "500 error": again, though, the way it works is fine.
The IPN protocol consists of three steps:
1. PayPal sends your IPN listener a message that notifies you of the event
2. Your listener sends the complete unaltered message back to PayPal; the message must contain the same fields in the same order and be encoded in the same way as the original
3. PayPal sends a single word back, which is either VERIFIED if the message originated with PayPal or INVALID if there is any discrepancy with what was originally sent
Your listener must respond to each message, whether or not you intend to do anything with it. If you do not respond, PayPal assumes that the message was not received and resends the message. PayPal continues to resend the message periodically until your listener sends the correct message back, although the interval between resent messages increases each time. The message can be resent for up to four days.
This is clear, unambiguous, and - if what you say is correct - just flat out WRONG. My misunderstanding wasn't just "a reasonable interpretation", its the only reasonable interpretation. At the barest minimum, competent documentation should state "PayPal will attempt to resend messages until your handler returns a 200 OK http status code." It doesn't. Anywhere.
This is a perfect example of why working with PayPal is an unacceptable developer experience. And who doubts that one year from now this document won't have changed one bit?
But it is unforgivable that there does not seem to be any mention of what response the PayPal server is expecting to indicate that the IPN has been successfully caught.
I'm simply referring to the fact that most arguments over the past week have revolved around PayPal's technical support teams and the service that they provide.
Should they simplify their API and provide documentation that's 1000x better than what they have today? Yes. Am I going to act like the other 1,000,000 on the web right now screaming about how shitty they are? No. It's a brilliantly run company that needs to improve on somethings.
People need to grow up these days. Not you specifically stickfigure, but people of the web. No one is constructive anymore. People just want to vent and vent and spew rhetoric.
To be clear: I'm not actually saying that PayPal is bad. I don't have enough experience with them to weigh in one way or the other. I am merely saying that I do like Stripe.
I'm not sure of Stripe's reasoning behind not resending webhooks, but I don't know that I care for them not resending them either. Perhaps this is something they'll be addressing in the future or otherwise have a legitimate reason.
Well, talking of facts small companies with a small customer base will always deliver better customer service than the larger ones. True test of these companies will come when their subscriber and customers run into millions(In paypal's case hundreds of millions).
Imagine a situation where where 283 million registered customers and probably more unregistered buyers. Ensuring operations related to that magnitude of people work fine for 99.99% of the people, 99.99% of the times. And then ensuring the remaining get appropriate customer support is not just difficult but requires a lot of work to maintain and run.
At that scale the founders will have a lot more different work to do. And addressing one user out of those hundreds of millions by communicating them on twitter might not scale properly. And the customer support employees are working in call center shifts. They are not going to be any more enthusiastic any more than other general call center employees.
Coming to arcane policies, Now for all those millions of users. There are definitely going to some x% of crooks out there gaming the system. Frankly speaking if you don't have such policies you may actually end up putting a lot of your other buyers and other customers in trouble and expose them to fraud. The problem is in programmatically handling hundreds of millions of users and their problems is not easy. You can build a system to do payments et al, but that's only beginning. So any good payment gateway etc will ultimately end up looking like PayPal.
PayPal works at a scale, Whether a new competitor will work at scale is question of time.
But don't write PayPal off, It actually works well for those hundreds of millions of registered and more unregistered users.
Can you imagine what that could have been like?
Customer: yeah I've having trouble accessing the purchase history
Support (Elon Musk): you need to twiddle the such-and-such.
Customer: tried that. can you escale to your superior?
Manager (Peter Thiel): can I help? I want to make personally sure you have a great experience. Also, avoid college. I'll pay you.
Stripe, please come to Australia!
You can sign up at https://stripe.com/global to be notified when they do come to your country. I bet that also gives them a priority list.
But the problem is theirs. Their site says it all:
"No setup fees, no monthly fees, no card storage fees, no hidden costs: you only get charged when you earn money."
Therefore, if you're having an issue with your checkout form and their API, it very much is their problem. You're not able to process payments, so you're not able to get paid. Because you're not getting paid, they're not getting paid.
Technically, PayPal depends on people sending payments through them to draw profit, as well, but that didn't get us good support.
The big takeaway from the top of this thread is: Stripe's support was fast, even when it wasn't necessarily their service that was causing the issue. Why they came to the rescue fast doesn't really matter.
To make sure that I'm clear: the problem was entirely unrelated to Stripe; it had to do with a different component of my site.
That's a restriction only for the free accounts.
With the Pro account ($30/month) you use the API and your customers never leave your site.
Unless you do more than 20k CC transactions/year, OR store CC numbers directly on your server, no one is going to require much of anything from you except one of those fake website scans.
Edit: i just checked;
It looks like Paypal takes care of PCI compliance only if you use; PayPal Website Payments Standard, Email Payments, or Payflow Link. Otherwise you're on your own.
If someone's credit card number hits your server at any time, you are liable for a proper level of care for that information. The proper level of care in this case is set by the payment industry in the form of PCIDSS (the Payment Card Industry's Data Security Standards).
So setups where the data goes through you, you're on the hook.
Where you're sending someone to an external site to pay, in a frame or otherwise, then you're not.
A quick glance at the implementation guide for any payment system, present or future, is enough to know who's on the hook for PCIDSS just by seeing whether the card number's gonna get POSTed to your server or someone else's.
You are on the hook as soon as your code touches credit card data.
A is for merchants who redirect to another site or use an iframe (like paypal). B is for merchants who use a dial up terminal. C is for any merchant who accepts credit card information electronically (i.e. an internet connected terminal or a website with no redirect / iframe). D is for anyone who stores credit card information.
A & B just require you to fill out a self-assessment indicating you're aware of the rules and following them. C & D both require "scans", probably of your website or server (at least a couple hundred dollars, if not more).
Edit: I was looking at it more and, as MichaelGG pointed out, I think it still means that you have to handle the credit card on your server and be PCI compliant.
Stripe is much easier to integrate than the x.com/paypal.com family of conflicting api's, all of which lack easy to read documentation.
Stripe doesn't have a history of randomly locking accounts, and even if they do (if you process payments, I can understand the legal need to now and then) their customer support is so responsive and helpful I wouldn't really mind.
Stripe is easy to use. The web UI is fast, the api makes sense, I get joy out of it.
Stripe sent me a real, physical letter, to thank me. I was one of the early users of the beta, and we all got real letters, on thick cardstock, I wish I had taken a picture of it. That may be a virtue of being a small userbase startup, but if you start with that mentality, it means a lot.
Paypal does have slightly lower fees, but Stripe is worth it.
Paypal also makes it easy to add a paypal pay button to sites, but those a fraught with stories of accounts shut down, and are ugly.
Here's a picture of it: http://yfrog.com/nz99532600j
1) Costs. We pay 2.2% + $0.30 USD per transaction vs. Stripes' 2.9% + $0.30 USD per transaction. At our transaction rate, that makes a difference in received revenue.
2) Moving. Refactoring a well established business to interface with a new payment provider can be a costly and expensive process. Think of switching personal banks.
3) Fraud. Paypal probably has the most advanced fraud protection in the online business today. If you deal in any decent amount of online payments you will find this to be a huge issue.
Additionally, we have our own dedicated Paypal account manager that actively reaches out to us and keeps in contact, and we can instantly call a direct line to this person if we need assistance with an issue.
With that said, our team is actively looking at Stripe because we like the ease of use when it comes to reoccurring payments, which we don't do at this time but plan to implement in the coming year. From what we see, reoccurring payments are a messy with Paypal and I'm not satisfied with Paypal's solution compared to their competitors like Recurly, Chargify, and, well, Stripe. But I am impressed with what Stripe has to offer on all fronts. Especially their API which appears to be very easy to use. ...And, they have a nice looking reoccurring payments process which fits our vision nicely.
Anyway, disclaimer: we run between 50K and 100K a month through Paypal, so that is probably why we get fantastic support from them and better pricing.
When you're doing hundreds of thousands of dollars (or more for you big guys) in credit card transactions, eating 1% just for a friendly API is a huge turnoff.
Please Stripe, prove me wrong and provide an external merchant account option!
The WePay API does allow you to embed the entire checkout experience on your own site with our iframe checkout. The iframe contents are customizable (header color, button color, etc), but as Greg mentions in the comments, it's not quite as customizable as Stripe or another merchant account based system.
Unfortunately, even with Stripe, you are still liable for most of the PCI spec (our iframe checkout gets around this). We made a bet that there are a lot of developers out there that who are willing to give up a little on the customization side to not have to deal with the headache of PCI compliance (we've gone through that process ourselves and it is complicated and expensive).
When you use Stripe.js, you need only serve your page over SSL and verify that you aren't collecting credit cards through other means to be PCI compliant.
In particular, while I have no idea whether Stripe's implementation is letter-of-the-law PCI compliant, I do know that 'LeBlanc's reasoning is not PCI reasoning (particularly: you can't draw a line from architectural susceptibility to "liable to audit") --- even though it's the reasoning I myself would use.
On this link you can find the experience of Embedded payments, i implemented it on our site but the docs on the api are not complete on paypal, rather complete they are not present at one place.
I am sure everyone would agree that PCI spec is complex and not easy to understand :) Said that, its intention is pretty clear: protect credit card information from leaking to "bad" guys.
A great deal of PCI spec is about protecting the stored credit card data. You are absolutely correct that Stripe's JS solution allows one to avoid dealing with these issues. However, many other sections of PCI spec discuss other potential vectors of attacks. For example, if you don't follow security coding guidelines then an attacker can embed a malicious JS on your website (through XSS or other attacks) and steal credit cards information. Obviously, the suggestion to serve your pages from SSL don't help you to avoid these problems.
I think Stripe's model is great. But I don't believe that it allows one to completely avoid PCI compliance. I believe that you correctly phrased it on the stripe's home page: "Stripe.js lets you build your own payment forms while still avoiding most PCI requirements."
So basically: Be smart about what goes on your sensitive, mission-critical payment-receiving pages, as you should be. It's not extremely difficult. A little bit more responsibility in turn for more flexibility.
We've designed WePay solution to make it "out-of-the-box" as secure as possible for both our partners and WePay. We plan to offer more customization options in the future to improve usability while keeping it simple and secure to use. Doing security right is hard. We believe that WePay can help with it and make our partners life easier.
There's literally no security difference between processing the card transaction through your own servers, and processing it client-side via HTML/JS that your servers are providing (and can modify).
 I wouldn't have thought this would meet compliance requirements, but I'm not a PCI expert -- I've only had to work on compliance on the user side, and deal with the auditing requirements.
Either way, I think Stripe is doing awesome work and I hope you keep kicking ass!
It's probably best not to ask too many questions. It'll only hurt your brain.
† (If that's what you want to call PCI assessments)
PCI compliance is ridiculous enough that it's still worth avoiding though, even if only for the short term.
We are fortunate enough (being new and in closed beta) in that our audience knows who we are and that we're not a random sketch site. Down the road, we probably will have to support PayPal again (though very differently), but for now our current state (closed beta) and our business model allow Stripe and traditional payment gateway-only checkout.
With that said, I will put a huge "YMMV" here! This is obviously not OK for every site, and the privacy concerns are very valid.
My wife sells knitting related things (patterns, books, yarn) on ravelry.com. They collect the payment for her and transfer the money to her paypal account. I suspect it will be a while before stripe can do such a thing.
From there, your wife could transfer the money directly into her own regular bank account.
If ravelry.com goes out of business before they transfer the money to her paypal account, there is no chance that they can take any of her money with them. (While highly illegal, I've seen this happen elsewhere with a similar setup.)
Our current enrollment process is so fast and simple with Stripe that we're curious to see if our conversion rate is -better-, for our current audience (older, non-technical users at this point). While a $30-$90 course isn't an impulse buy, lowering the barrier to enrolling in more than one may leave us better off.
But we'll be able to discuss that better after we have more data.
As you've noted, there are some differences in feature sets on both sides. However, perhaps there will be some convergence in the future. Both services are very young, and improving very rapidly.
So for now, I am stuck with Paypal.
Unfortunately they don't even have a timeline for availability outside of the US yet - http://twitter.com/#!/stripe/status/144951134795218945
"The iframe checkout lets you embed an iframe on your own site that will contain the WePay checkout system."
With Stripe, we have 100% control over presentational stuff during checkout.
Your app appears to be in private beta, so I can't test that form to see if you missed anything and post about it here. ;-)
we contemplated building a JS solution as well, but using JS can place your site within the scope of PCI compliance. (this is somewhat up for debate) the reason we went with an iframe implementation is because it is firmly outside the scope of PCI, and we are working on making it even more customizable.
either way, you are in good hands with stripe or wepay. (at wepay we are big stripe fans - they rule!) to me, the big difference is whether or not you want the money to settle to someone's bank account directly (stripe), or whether you want it aggregated and stored in an online account first (wepay).
I ended up choosing them for my non-day-job gig as well (saas business) and am very happy. Happy that both of these services exist, really.
The net bottom line was this:
1. our customers (business people who are not super tech savvy) just don't understand that you can pay with a credit card on paypal and google checkout requires a google account
2. the "go off and pay" somewhere else and come back to the main site is messy
I have no real complaints with paypal over the years we used them so I can't bash them but I found that over time, we lost sales because people were confused. Now there is no more confusion - fill in a few fields and instantly you are done.
We also considered Braintree which I was also impressed with but decided on Stripe because of the non-need for a merchant account.
I am happy to answer any questions here or privately if needed.
I've used both of these. Braintree may not have been the right choice in their situation, but grouping them with Authorize.net for these reasons isn't really fair. Braintree's bundled merchant account and gateway services are much easier to set up, and their transparent redirect eliminates the need to handle card data on your own servers.
And in my experience, their "We (heart) developers" motto is, well, true. They have really great, friendly support. Braintree and Authorize.net are miles apart. At least as far apart as Stripe and PayPal.
In fact, if it wasn't for PayPal non-US websites selling to the US would be almost impossible. The US has a massive advantage in that the rest of the world is happy to pay in US dollars, but US citizens won't pay in other currencies.
So here's a very lucrative challenge, Stripe and Wepay: the one that figures out how to allow non-residents to set up an account first simply has to post the news to HN and will be flooded with new accounts. I'd switch within 24 hours if there was a viable alternative to PayPal.
We ended up driving to the airport in Indy. No way am I just going to put a few hundred Euros in cash into the mail.
But I have a generic payment processor API that I wrote and I plan to add support for stripe into that for personal projects.
Paypal sucks, blocks your account and keeps your money on the least excuse, and is a bureaucratic hell, those are good reasons to not use them. Redirects aren't, IMO.
Again, it's still early, but we are seeing better conversion rates so far. The PayPal redirect gave some of our less technical users fits.
I'm probably missing out on something here.. I know that flaming PayPal is popular nowadays but I can't find an alternative with both Authentication and Adaptive Payments (which our app is completely based on)
I wonder if anyone is working on making payments platform-independent so it's easy to switch between payment providers.
We just don't want to get into PCI audits and scans just yet, but once we do, we'll probably use Stripe's direct server->server APIs like Braintree/Authorize.net do instead of stripe.js.
Anything is better than PayPal. I appreciate their contributions to epayment, but their time has passed.
Other great options out there include Square, MoneyBookers, and Dwolla (if anyone is looking to leave PayPal after this article and the recent Regretsy one).
I'm assuming this is just a shameless plug? Nothing wrong with that, but it looks like you don't even have the feature set the original article is discussing.
Edit: Oh, I see what's going on: http://news.ycombinator.com/threads?id=fastspring
EDIT: By seamless, I mean "Sign up and get an API key", and by instant, I mean "Read this article, sign up, instant activation, plug in API keys, start charging, switch complete!"