Your card never touches our servers. Here is how the checkout flow really works.
The handoff
When you type your card into the checkout form, the form fields are hosted by Stripe — not us. Stripe is a payment processor that holds the highest level of card-data security certification (PCI DSS Level 1). Your card details go from your browser straight to Stripe's servers without passing through ours.
What we get back is a token — a string of random characters that represents your card without containing any of its actual digits. We store the token. The token is useless to anyone outside the relationship between us and Stripe.
Saved cards
When you save a card "for next time", what we save is the token. The next time you check out, you click the saved card and we send the token back to Stripe with the new charge. Same security model.
Refunds
Refunds use the same token. We send Stripe the original charge ID and ask for a refund — Stripe routes the money back to your card without us seeing the card.
What if Stripe is breached?
In Stripe's history, the answer has been "the breach affected a different system, not the card vault". The card vault has not been compromised. If it ever were, Stripe would notify everyone immediately and we would do the same.
Apple Pay, Google Pay, Link
Same model. Your wallet sends a token to Stripe. We never see card details.
Why we do it this way
Two reasons. One, your card data is genuinely safer with a specialist than with a small number of engineers at a startup. Two, we do not want the liability of holding card data — being out of PCI scope means we can move faster on everything else.