The Badminton Bible


All original content copyright © Mike Hopley

Credit card security

Home > Card security

We never store your credit card data. Instead, we send it securely to Stripe.

Why we don’t store your card data

Storing credit card data is a huge responsibility. While we have taken many steps to make our website secure, we are not security specialists. We cannot expect to be absolutely bullet-proof.

If we stored card data, then a single security breach could have devastating consequences for our customers. And the financial compensation would probably ruin us.

For that reason, we don’t store your card data. Ever.

Who are Stripe?

Stripe is a payment gateway. That means their business is to make payments work securely over the Internet. In return, they take a small cut of every transaction (we pay this cut, not you).

Stripe is certified as a PCI Service Provider Level 1, which is the most stringent level of certification available. They handle billions of dollars of transactions every year.

But I entered my card details on this website, not Stripe!

This is where it gets clever.

When you are filling out the payment form, that data only exists on your computer. You haven’t sent the data anywhere yet.

When you submit the form, we deliberately do not send the data to our server. We never actually see your card data, not even temporarily!

Instead, we use Stripe’s javascript encryption library to encrypt the data and send it securely to Stripe. This javascript runs in the browser, on your computer.

When we send the encrypted data to Stripe, it is sent securely over HTTPS. Stripe actually enforces this; it’s not possible to send them data over an insecure channel.

Stripe then sends us back a single-use token that we can use to make the charge. The token does not include any part of your credit card data. A Stripe token looks like this: tok_5jKPEG5osqmUxu

Stripe’s ingenious system makes the payment process easy, while keeping the card data extremely safe.

What we store

Let’s look at an example, so you can see what we actually store. Suppose you pay us using the following card:

  • Card number: 1234 5678 0000 9876
  • Expiry: 03 / 18
  • Security code: 123

We store only the expiry date and the last four digits of the card number:

  • Last four: 9876
  • Expiry: 03 / 18

To be absolutely sure we are doing things right, we don’t even take this data from the form. Instead, we store it when Stripe sends us a message containing it. We know Stripe will only send us data we’re allowed to have.

Stripe also sends us some unique identifiers, which represent a customer and a card. For example, they might look like this:

  • Customer ID: cus_3XRDGNLCVPHgIZ
  • Card ID: card_3XRDoHo5LSLHkA

Notice that these do not contain any card data. We store these to help make the website work smoothly. For example, say someone cancels a subscription but then wants to re-subscribe after two months. There is no need to re-enter the card data. We can just ask Stripe to make a new subscription with the card corresponding to card_3XRDoHo5LSLHkA.

The end result is a system that is both convenient for customers and extremely secure.