I've never seen a company release incredible products with as high velocity as Stripe has over the last few years. Truly incredible. $1.50/user may sound outrageously expensive at first, but having seen all the engineering power it takes to build something like this at Uber...it's a totally fair price.
This is on the less expensive side of alternatives and doesn't require a minimum annual spend quota. They nailed this for startups, which I imagine is a combination response to / anticipation of regulatory requirements in Web3 apps.
I have been thinking the same thing for some time now. Unfortunately, I wouldn't hold my breath. If they are able to stay private, they probably will. It's easier to build a business when you don't have to deal with the hassle and interference of public markets.
I'm not familiar with Stripe's situation, but there are non-public markets available for this kind of stock sale. You just can't buy from them unless you're already rich. I'd guess that long-term employees do have an amount of flexibility in that regard.
Publicly traded organizations can have any kind of private investment. I wonder, though, if there is regulation around how much of the public org’s capital can be put in private stock purchases…
This is already a thing, large investors like Fidelity do exactly this.
e.g. Fidelity has a significant investment in SpaceX through a handful of their mutual funds, which you can then purchase and basically invest in SpaceX indirectly.
Unfortunately many companies have clauses in their options grants that prohibit employees from selling shares to any investor not approved by the company board (e.g. EquityZen).
"In March, Stripe, which describes itself as “payments infrastructure for the internet,” became the most valuable private company in Silicon Valley, raising $600 million at a valuation of $95 billion. The Journal reported Stripe is considering going public later this year or early next year."
I'm sure OP was implying "for retail investors" in his wish. Carta is just another way for rich people to access things that are only available to rich people.
While that sounds like a great ... in all likelihood by the time it hits the public market most if not all the value will be extracted by the investors. With a branded company like this and equity markets as frothy as they are. I doubt there will be much value left for retail. Hopefully Im wrong though.
The idea of going public is to raise another round of financing for the company while being able to get liquidity for private shareholders. It is not necessarily to create value going forward.
The best option is for the company to raise a good deal from the public markets (high valuation on limited equity) and then execute successfully without needing to raise again. If they do need to raise again they have hopefully not done a poor job on their original public IPO so that they can go back to the public markets. That said it isn't that important a factor.
> It is not necessarily to create value going forward
Not sure where you are going with that thought. A business that isn't creating value is going out of business or selling to someone who has an idea of how to use its assets to create value.
Actually not all companies create value. Monopolies create profits through pricing distortions but not necessarily value. My point is that creating value is not a key component of a company going public.
In this current moment I would wager that if you are suggesting that you will create value in the market going forward you will get a great return on your investor dollars but you may not actually execute that value creation. (relevant news: lordstown motors)
Perhaps my original wording should have been "delivering value" rather than "creating value." Of course it's true that some things that companies do are at best shifting value around and at worst extracting or even stealing value from elsewhere. But my point was that people who buy public stock from a company almost certainly expect that company to somehow be more valuable in the future.
> The idea of going public is to raise another round of financing for the company while being able to get liquidity for private shareholders. It is not necessarily to create value going forward.
Perhaps the company doesn't necessarily intend to create value going forward, but they must at least pretend to have that intention. What I meant was that the idea of the people buying public stock in a company is that the company will create value going forward.
I always hear this line of thinking, but there aren’t ever supporting examples presented. Stripe reminds me of Cloudflare. Cloudflare is over 5x what it was at IPO (as of 6/14/21). Maybe what you describe is the case “on average” for most IPOs, but it seems to not be the case for extraordinary companies like Cloudflare (and maybe Stripe). Obviously just an n of 1 but I’m sure others could chime in with similar examples.
There are numerous examples on both sides for sure. I would add that performance also does well for companies operating in a bull market.
In the case of cloudflare (And many tech stocks) they had a black swan event of a large portion of the global economy going online during the pandemic which has juiced their returns.
Not saying it doesn't happen but rather that it isn't how people typically price their IPOs to generate value to the retail investor.
Yep, makes sense. A little nitpick: I wouldn’t call it a Black Swan because multiple people called out the potential for such a global event to happen (Gates, Taleb, etc.), but to your point it certainly further accelerated the move to online commerce, mainstream remote work, etc. Cloudflare and Stripe are/were both well positioned for that type of world.
I've been eyeing Scottish Mortgage which despite the name is actually a high-tech fund packaged as a stock publicly traded in the London Stock Exchange. They hold Stripe among many other interesting investments.
> $1.50/user may sound outrageously expensive at first, but having seen all the engineering power it takes to build something like this at Uber...it's a totally fair price.
I observed other teams struggle to build and have tackled challenges posed by identity, 1.5$/user is terrific price. Handling PII data in itself is a rabbit hole of engineering, product, and regulatory challenges. Let alone creating unique identities, matching, and what not.
I thought that too - until I tried to use Twillo for the first time in a couple of years. Holy crap they overcomplicated the interface! There's 3 or 4 levels of menu all shown at the same time in different directions. The docs are also way worse. The product is still great, but the interface is a complete mess!
Sadly out of reach for small projects. For example if you had a site with 100k users, you'd barely cover server costs with Ad Sense. $150k to check all of them? Would never happen :/ Maybe if they could pay for verification themselves?
In many cases you don’t need to verify the identity of every user. You can use some signal to determine when you need ID, or require it for accessing certain products/features.
Instagram may be verifying identity now (I didn't know... letting FB scan my id would be one of the last things I would want), but I'm pretty sure they reached a massive scale without such a measure.
When are we as a community going to move past treating frameworks/languages/tools as a silver bullet? Frameworks don't make teams better; good management, technical leadership, and great infrastructure does.
You are right but frameworks help with long term maintainability of code and also being able to build out features quickly which is what the comment was referring to originally. If they use Go lang of some other tech stack without framework it can help them achieve their goal but not at the same speed.
I can't even find any evidence that they use Rails, and I'm pretty sure their outstanding velocity is minimally explained by their choice of tech stack.
This sort of thing is definitely usable in Europe; if you’re thinking of GDPR the legitimate interest and legal obligation rules are likely to apply to users of this product. Eg at least one of my banks uses something like this for account identity validation (I see KYC is high on their list of use cases). Things like car rentals would find this really useful too.
This is amazing. Did you build all of the scanning logic yourselves?
We’re exploring different options for scanning IDs like Anyline and BlinkID right now, but this looks incredibly well suited for what we’re building and would save us a tremendous amount of time if it works.
Yes, we’ve spent a lot of time on the scanning logic—especially to help guide users through photo-taking, since that’s half the battle for a successful verification.
Those are 4 great bullets btw. They helped me understand the service a lot more than the landing page for identity. Might want to consider a view like this.
> Document checks verify the authenticity of government-issued identity documents. Stripe uses a combination of machine learning models, automated heuristic analysis and manual reviewers to verify the authenticity of hundreds of different document types.
> Selfie checks look for distinguishing biological traits, such as face geometry, from a photo ID and a picture of your user’s face. Stripe then uses advanced machine learning algorithms to ensure the face pictures belong to the same person.
> ID Number checks provide a way to verify a user’s name, date of birth, and national ID number. Stripe uses a combination of third-party data sources such as credit agencies or bureaus, utility or government-issued databases and others to verify the provided ID number.
In their TOS and Privacy Policy it’s made clear they are also data controllers. Unless you contribute to the breach it would almost certainly fall on them.
Out of curiosity, given that this is among the most sensitive PII that can be stored, where is this data located for Stripe? I think this looks like an excellent product and can absolutely see the utility for so many businesses, but as a European I would never want such data to be stored outside of the EU. If there could be flexibility in the location the data is stored I think many European customers would appreciate that. Thanks.
As USA is no longer Safe Harbor compliant, transferring PII outside EU's jurisdiction requires a legitimate interest. Does Stripe do the assessment on behalf of its customers, or does it rely on the customer being truthful and risk exporting data without consent?
Stripe supports the legal processing and transfer of data by our users — and EU requirements are top of mind. (Feel free to me at edwin@stripe.com if you have more questions.)
To be clear, this isn't entirely true for all situations (sorry). Stripe verifies identities as a service provider (or processor) for the business that's using Identity. Stripe may be either a controller or a processor of data depending on the purpose of data processing (https://support.stripe.com/questions/managing-your-id-verifi...).
Amazing how Stripe consistently executes fantastic solutions for all the very real and difficult pain points of building commercial products on the web. Fantastic work!
Absolute game changer, other actors in this market have big bulky sales processes with difficult pricing models and high commitment. If Stripe is competitive on pricing they will definitely win this market.
Having experienced the end-user flow for Identity when doing bot verification on Discord, this was an incredibly seamless product back then, when it was presumably in beta. Can only imagine its even cleaner and faster now its officially released.
The Stripe Identity product is fantastic. Some of the most impressive things:
1. If you are at a desktop, there is an easy transition to using your phone to take a picture of your ID (or a selfie if that's the use case - it will match selfies with ID photos), and then complete verification on the desktop.
2. It does all the image analysis (i.e. is the ID in focus, etc.) in browser without the need for a native app.
This almost proves that webapps are a competitive substitute to AppStores - making the consumer detriment very hard to prove in the current anti-trust framework.
The fact that Apple has refused to deliver that only proves the point. If they did, many apps wouldn’t be forced to be in the App Store. It’s certainly possible, as iirc, it works on Android for years now.
Incredibly annoying that apple does not support this, while also trying to crack down on apps that is considered to just be a wrapped web-application. (In which case they want you to make a proper web app instead). Even using notifications is not considered enough of a reason to get an app they feel is just a wrapper approved.
The problem with having those APIs in the browser is that it increases the attacker surface area, which makes the browser less secure for everyone, including those who do not use PWAs.
The only saving grace is that you have to accept the permission box (I hope so at least...), which, for the average user, may not be much protection.
Simply existing in the world increases your attack surface; everything is a trade off between usability and security. Given the pressures browsers are under, they have incentives built into their business model to provide very good security which is a departure from most other software where security is just a nuisance at best and totally ignored at worst.
Said it in another thread -- SMS's are a tangibly better user experience. You get to say stop in the moment, instead of searching through opaque settings... you can set DND to certain numbers for certain times...
The whole ecosystem is there and very few are playing with it.
Any iOS notification permits you to "say stop in the moment" - you just swipe on the notification and select "Manage". The options are pretty well thought-out.
That's actually a whole different user flow -- you leave the notification to enter a separate system of controls with esoteric commands, over just typing what you want to happen..
"Stop" - forever until I want you back
"Stop this week" - self-explanatory
"Not during work hours" - also ^
"Consolidate weekly" - get a digest
"I don't care" - make better suggestions
So many contextual pieces to make better notifications are right there... and though a toggle button appears to be 'easier' the cognitive dissonance is less the conversational environment of SMS.
> I've never seen any SMS system that would correctly interpret and adjust to things like "not during work hours" or "consolidate weekly" responses.
I know!! I built a stupid simple bot for myself that just reminds me of things I want in SMS form... I text it things like 'For tomorrow - x, y, z' and then 9am the next day it messages with what's behind '-'...
There's a bit of configuration the first time you text the bot, for timezones and things like what does tomorrow afternoon mean to me? 2pm or 3pm? If multiple 'tomorrow afternoons come' do you want that as a digest or just individually, or w/e.
But for me, I love it because I forget things so quickly, so as I quickly as I can send a text, I can get reminded at an appropriate time. (and yes, I hate reminder apps.)
I'm still struggling how to keep it 'safe' - because Twilio keeps all the message data in plain text (more a byproduct of SMS) and holds a record of it, so while I can encrypt the db entries, I'm not sure how to make it 'secure' for other folks yet.
SMS are a horrible user experience for notifications!
For push notifications, I can set them to silent by application, they take me to the right place in the app when clicking them, very often they offer quick responses directly from the notification itself...
Finally, it's bad enough to require a phone number for 2FA (or worse, as the primary user identifier). Why should I have to give my phone number to a service?
Just be aware that, no matter how seamless it is, you still getting crazy bounce rates for it. You would need a really good reason to use it (basically, be a bank and need KYC or something).
Of course, a common use case for this would be to only show the Stripe Identity UI when a user has a higher chance (based on IP, time of day, other on-site behavior, etc.) of being fraudulent in the first place, in which case a higher bounce rate is a feature, not a bug.
> If you are at a desktop, there is an easy transition to using your phone to take a picture of your ID (or a selfie if that's the use case - it will match selfies with ID photos), and then complete verification on the desktop.
Meaning they can identify my laptop and phone as belonging to the same person. I prefer they don't.
The pricing link on the top doesn't refer to any pricing section on the page. Is it missing?
Edit: This seems to be an internationalization problem. I am from India. The pricing section for Indian page https://stripe.com/en-in/identity#pricing is missing so the link doesn't work.
For anyone looking for the answer, in the US it's $1.50 / ID verification and $0.50 for Social Security Number lookup (an American tax number that is officially not for identity purposes but used that way all the time).
Some things don't change, like the dimensions between features like eyes, nose, ears, etc. Coinbase had an interesting presentation on this a few years back about how they verified IDs from pictures and dealt with all kinds of fraud.
Worst case, if the appearance is really drastic then it would just fail and require a manual intervention.
If this even reduces 20% of having to call up a human to verify my account because 'our systems have detected that you have accessed your account from an unknown location' then, yes please and thank you!
Also interested to see what form of IDs it will accept!
Only negative: Expensive...but I guess it's fair for it doing all the heavy lifting.
Oh man, really excited about this. I'm curious how far Stripe wants to go down the path of KYC-related products... it feels like a huge market with a lot of pain points where having Stripe-quality APIs would be amazing.
Cross posting this from Twitter but please consider marketing to states. They are using a company called IDMe to verify eligibility for benefits in the US and a family member (and thousands of others) have wasted days on the phone with them trying to get them to do verifications because their automatic verification tech does not work. (There are class actions against this co they are so bad)
This is a refreshingly affordable and beneficial offering.
I did a deep-dive on KYC providers last year. The more well-known folks commanded 5 figure setup fees, wanted 1 to 2 year commitments, and sought to have you pre-pay for verifications. It reminded me of internet credit card processing pre-Stripe.
Does Stripe intend to make a giant online database of international identity documents? Why should we trust Stripe to secure these? It could be Equifax levels of problematic if there would be a intrusion, but I also can't tell how Stripe plans to use this information.
I never wanted Equifax to have any of my data, and yet here we are. After the breach, I wouldn’t ever be a paying customer to them if I had a choice. (Indirectly, I am still a “customer” in the sense that they probably still have my data and get new data about me—but apart from canceling all my cards, not sure what choice I have). In comparison, Stripe seems to charge for each product it offers. I think that’s a more fair and transparent model.
If the company you're interacting with uses Stripe ID verification and you are forced to use it to pay them, I'm not sure it's much better than going to a bank and opening an account and then Equifax getting the information immediately.
You are not a credit bureau's customer - the stores, public utilities, cell phone companies, banks, and so forth, are. They share that information to minimize their risk in extending credit (even something like billing you at the end of the month for services rendered is a form of credit) to you.
And frankly, if Stripe is offering any form of credit, it's likely working with the credit unions too.
Vote for representatives that pass laws similar to the GDPR but for USA? If Equifax or you were EU-liable, you could ask them to show, modify or remove any and all of your data.
Edit (sorry, I don't think I can edit my own comment at this point): I think I was missing the point. Storing user data for 3 years after verification seems unnecessary for the user. So yes, it does sound like some data-mongering f*ckery is going to happen/is happening.
> It could be Equifax levels of problematic if there would be a intrusion
I'm sure they're not as lax as Equifax. I would hope that Stripe compartment all these documents so that a compromise of one database is not a compromise of the whole database. That's basic data storage hygiene in the information age. `Don't put all your eggs in one basket` as the saying goes.
I think the Estonian e-Card scheme is the right one despite hiccups in its implementation and ID verification should be the domain and responsibility of governments. Each ID card has an embedded private key-public key pair and you can sign to reveal your identity without having to resort to giving away anything else about yourself. There is already a zero-risk way for customers to verify themselves, so giant ID databases are a step backwards.
The electronic identity cards of Austria, Belgium, Estonia, Finland, Germany, Italy, Liechtenstein, Lithuania, Portugal and Spain all have a digital signature application which, upon activation, enables the bearer to authenticate the card using their confidential PIN. Consequently they can, at least theoretically, authenticate documents to satisfy any third party that the document's not been altered after being digitally signed. This application uses a registered certificate in conjunction with public/private key pairs so these enhanced cards do not necessarily have to participate in online transactions.
Germany has an electronic ID card that can be used to certify identity, or only age, or only uniqueness, for a few pennies per auth. There's an app that lets you use your Android phone as a scanner, paired over wifi.
Yet I've never seen any company use it. Everyone uses slower, more expensive private services that don't ask any questions about what you're going to do with the data they collect.
I am too, but that's not an endorsement. And more pertinently, that is nowhere nearly enough.
Every database of value tends towards uncontrollable sharing over time. The more available and more valuable it is, the harder it is to fight that trend.
The best thing for humanity is to stop making high-value data hordes like this. Unfortunately, the interests of smaller groupings are the reverse.
No. 1. Stripe cares tremendously about and knows the importance of security—we’ve learned a lot from securely processing hundreds of billions of dollars in payments annually, and Identity is built from those learnings. (https://stripe.com/docs/security/stripe).
2. Any biometric identifiers that are created to perform the verification are never stored or retained—they are fully removed from all of our systems within 48 hours (usually within minutes).
> We will typically store the rest of your submitted identity information for 3 years. This includes all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.
That doesn't make me feel a lot better. :( The images are enough to generate biometric data such as facial recognition profiles.
We are very specific about collecting consent before doing anything with your data.
We ask for permissions before beginning the verification process, and if you consent, we will only use your biometric identifiers for the verification itself. (And again, those identifiers—which contain the most sensitive info—aren't stored.)
Specifically, we ask for an additional level of permissions before conducting any additional biometric analysis.
https://support.stripe.com/questions/common-questions-about-...
I think you might be missing the point. I'm sure gp does not doubt that you collect consent before collecting and using data. However, when presented with the choice of not giving up personal data and not using $awesome_service (or maybe even $essential_service), I’d imagine all but a very tiny percentage of people would reluctantly give up personal data. The data is then stored for three years, and if there's ever a leak, it would be hugely damaging given the scope:
> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.
> We are very specific about collecting consent before doing anything with your data.
How do you foresee that consent working if your product is used in account recovery flows?
For example, imagine if Steam adopted Stripe Identity as their only way to allow people with $$$$ worth of games to recover hacked accounts. If the user's only choice is to "consent" or lose their valuable account, that makes the "consent" something of a joke.
I'd be interested to hear how you plan to square that circle!
I have an account with a lot of content in it on an online service. When I signed up, they didn't require any personal information. Now they want some significant info or I can't get back into my account.
It's simply not legal to "not keep records" if you are running payments.
If you ran a payment to "O Bin Laden" but you have a driver's license picture showing that it is Oscar Bin Laden, from CA, DoB 2001, you'd better keep all that information for your records in case you get audited for potential OFAC violations.
Well, I don't believe what Stripe (or anyone) says; I believe what you do.
Does Stripe have a legal contract with users that says something to the effect of "if it does 1 and 2 above (by mistake or by choice doesn't matter) - that they will be liable for it". If not, all the support documents and technical security documentation is moot. I want to see "skin in the game" by Stripe. If you're so sure about "security" sign a legal contract.
This is only about the specific image processing Stripe does to match your selfie with your ID document. The rest of the information on the document—which is what the GP comment was asking about—is retained for 3 years. Referencing the 48 hour retention period instead of the 3 year one is very misleading in this case.
Since we are storing these IDs on behalf of businesses using Identity, we need to retain non-biometric information for a period of time to support their use cases.
For example: KYC is a core use case for identity, which requires us to retain ID information for audit purposes.
For businesses who don’t need to keep the ID for as long, we provide a deletion API that lets them automatically delete the IDs from our system.
Yes, I agree that Stripe's policy makes sense here. But your original comment was misleading, in that it implied the information contained on your ID card was deleted after 48 hours. (It looks like you may have since edited it to clarify that you were talking about biometric signals? Maybe you haven't edited it, but it was definitely unclear enough that I, like the other responders, was confused.)
Stripe hires elite Stanford grads unlike Equifax is the simplest answer they probably wouldn’t say publicly. But the pedigree and engineering talent is miles better.
In what sense? Looking at incoming classes it’s apparent you people are objectively superior to people like me before college than I am several years after. It’s almost definitely innate too, all the more depressing for strivers-turned-failures/underachievers like myself.
The Stanford thing was really the basis for Palantirs competitive advantage in the consulting space over companies like Booz Allen Hamilton etc.
These databases already exist. Typically the way it works is after you claim an identity, they will look up past addresses, phone numbers or employers then present multiple choice questions asking which one is part of your past. The companies I've seen that do these are not hosting (or claim to not host) any of the data, but rather have hooks to fetch it from financial institutions. I think it's mostly credit bureaus, but could also be banks.
These databases already exist. For example, all driver's licenses issued in a state are part of the public record, and many companies already maintain databases of them. For example, you can sign up for an account with the NY DMV that allows you to search all DMV records, as long as your use falls within one of a dozen permissible use-cases (including "To verify the accuracy of information submitted by the individual to the business"). Identity documents are designed to be verifiable, which in this case generally precludes them from being secret
The only way i would trust such a thing is if i have complete control over my data and how it's used (that's probably never gonna happen from a for-profit imo)
I'm really surprised they don't support Polish IDs. We've had them in the same format for ages and I've done automatic verification with some other companies (e.g. Revolut).
Multiple much smaller countries' IDs are supported.
Maybe Stripe is not that much popular in Poland compared to other countries? I would not be surprised that they put priority on the countries where they already have a significant user base.
They are building a platform where other companies are clearly just selling a product.
Identity verification is definitely something that gets better with more data as more people use it. Pricing low to gain market-share is the obvious move for companies which don't have pressure to show immediate returns.
Maybe it shows a more general difference in ambition between companies in the UK to those across the pond.
That is assuming the translation is of high quality and sadly that is not always the case. I am a native Spanish speaker and for the life of me I cannot understand most of the "Spanish Version" technical pages I read.
I work at Stripe, though not on the L10N/I18N or identity teams. It would be tremendously helpful if you could send me some feedback so that we can improve, jlh at stripe dot com.
I'm a native Spanish speaker too, and nothing in this announcement strikes me as unintelligible, but that might be my own biases at play given the familiarity with Stripe's lingo.
Otherwise, if you're a trained linguist and have demonstrable consulting experience QA'ing technical documentation then we'll be happy to arrange something.
In either case, we appreciate your feedback, and my emails are open!
No trabajo de gratis para multinacionales cuiquito. Tu credencialismo barato y sobrador lo puedes archivar donde mas te convenga.No se si es la respuesta que estabas esperando.
Google translate says: "I don't work for free for small multinationals. Your cheap and spare credentials can be filed wherever it suits you. I don't know if this is the answer you were waiting for."
What a quality answer! I get very poor quality support from Stripe's live chat, but the professionalism and helpfulness on HN from Stripe people like you and Edwin is beyond reproach, that's for sure.
That is an interesting data point. In my case the support I got from Stripe over the years (email, chat, IRC, ...) has been consistently stellar. Are you in the US?
I'm not in the US. Typically I use live chat during European evening hours, and I often get agents with upper-intermediate English skills, who miss the crux of my question or who are completely unfamiliar with Stripe's own dashboard or services. Not even on an API-level. Simply on a "here's a thing that Stripe has and here's something it can do" level.
I gave up on Stripe because they clearly are a US-focused company, and do not have a global outlook. I find it disappointing that after so many years of being in business, their payment processing services are still only available to a few dozen countries. This for example makes it impossible to rely on them to build a global marketplace with Stripe Connect accepting merchants from all over the world.
Stripe is not for those seeking to run truly international businesses. We've been patient, but we eventually realized that they simply do not care. We care about Sub-Saharan Africa and Latin America, but they do not. We do not trust them to prioritize the global availability of their offerings at this point, and as a result we no longer even bother checking out their offerings. What's the point if instead of empowering us, they restrict our business model.
I haven't given up on them, but LATAM is definitely not their focus and we've moved 95% of our payment volume to a local payment processor, even tough we were one of the first private beta testers back in 2015 (wow, it's been 6 years already).
My angle is in Brazil. Even after all these years, they still don't support monthly installments, which is literally a single line API param that, honestly, I don't know any other payment gateway in Brazil that doesn't support it. Monthly installments is a huge deal in Brazil.
They also only now started the private beta of Boletos, which is unfortunate since Boletos are being phased out in Brazil due to the new PIX, which allow for instant payments 24/7. So they are basically releasing just now a feature that nobody really wants anymore.
Stripe connect also isn't available (AFAIK only the "standard" account is available, which mandates for Stripe onboarding and can't accommodate any white label marketplace integration).
The lack of focus is noticeable even from their marketing pages. Notice how in https://stripe.com/br/connect the explanation for "Cobranças diretas" and "Cobranças de destino" are exactly the same (the text "Os compradores fazem transações diretamente com os vendedores, mas quase nunca notam a existência da plataforma, que pode cobrar tarifas de transação" appears in both), making it impossible to understand the difference, while if you visit https://stripe.com/us/connect you see two different texts for each option.
Their support team has always responded quickly and politely, but we've had an impossible time trying to understand how they could allow us collect payments from abroad as a marketplace operating in Brazil, and that's even pointing out we didn't rule out opening a US-based company via Stripe Atlas if that was necessary. Lots of contradictory information and when we pressed on, they always end with them noticing that Brazil is still in preview and they still can't operate properly with Connect in Brazil.
Which is weird, considering it's LATAM's biggest market. This release of Stripe Identity missing out Brazil on launch, even tough it's a country that badly needs antifraud solutions, is only one more evidence of this.
Ooh, we could use this. Curious, can anybody point me to other similar products out there? I'd be interested in comparing. BTW, my uses case is USA only.
556 comments
[ 4.6 ms ] story [ 358 ms ] threadCan Stripe hurry up and go public so I can buy some shares?
e.g. Fidelity has a significant investment in SpaceX through a handful of their mutual funds, which you can then purchase and basically invest in SpaceX indirectly.
The best option is for the company to raise a good deal from the public markets (high valuation on limited equity) and then execute successfully without needing to raise again. If they do need to raise again they have hopefully not done a poor job on their original public IPO so that they can go back to the public markets. That said it isn't that important a factor.
Not sure where you are going with that thought. A business that isn't creating value is going out of business or selling to someone who has an idea of how to use its assets to create value.
In this current moment I would wager that if you are suggesting that you will create value in the market going forward you will get a great return on your investor dollars but you may not actually execute that value creation. (relevant news: lordstown motors)
Perhaps the company doesn't necessarily intend to create value going forward, but they must at least pretend to have that intention. What I meant was that the idea of the people buying public stock in a company is that the company will create value going forward.
In the case of cloudflare (And many tech stocks) they had a black swan event of a large portion of the global economy going online during the pandemic which has juiced their returns.
Not saying it doesn't happen but rather that it isn't how people typically price their IPOs to generate value to the retail investor.
I've been eyeing Scottish Mortgage which despite the name is actually a high-tech fund packaged as a stock publicly traded in the London Stock Exchange. They hold Stripe among many other interesting investments.
https://betakit.com/shopify-reportedly-invests-in-stripe-bri...
I observed other teams struggle to build and have tackled challenges posed by identity, 1.5$/user is terrific price. Handling PII data in itself is a rabbit hole of engineering, product, and regulatory challenges. Let alone creating unique identities, matching, and what not.
What is the usecase?
This strikes me as classic HN bikeshedding.
Instagram also don't charge users and yet they verify identity.
Using that as a means to block spammers would be.... unusual.
When are we as a community going to move past treating frameworks/languages/tools as a silver bullet? Frameworks don't make teams better; good management, technical leadership, and great infrastructure does.
> Match the ID photo with selfies of the document holder
> Validate SSN and addresses against global databases
Seems fairly clear.
* Uses various sophisticated heuristics to detect real vs fake IDs.
* Matches the ID to the human face.
* Detects whether the human face is live or not.
* Dynamically requests more or less information depending on the confidence level.
It also gets better over time based on the attacks and fraud attempts that Stripe itself sees.
We’re exploring different options for scanning IDs like Anyline and BlinkID right now, but this looks incredibly well suited for what we’re building and would save us a tremendous amount of time if it works.
• Document detection
• Blur and glare detection
• Tool-tips during the user flow
Those are 4 great bullets btw. They helped me understand the service a lot more than the landing page for identity. Might want to consider a view like this.
This means it will fail for a few individuals and you will be stuck trying to reach support who are going to be pointless and useless.
Mostly this will be an issue with people of non-white ethnic origins and people with older laptops/phones with poorer cameras.
This is obviously a useful product, but it is one the world would be much better of if it didn't exist at all.
> Document checks verify the authenticity of government-issued identity documents. Stripe uses a combination of machine learning models, automated heuristic analysis and manual reviewers to verify the authenticity of hundreds of different document types.
> Selfie checks look for distinguishing biological traits, such as face geometry, from a photo ID and a picture of your user’s face. Stripe then uses advanced machine learning algorithms to ensure the face pictures belong to the same person.
> ID Number checks provide a way to verify a user’s name, date of birth, and national ID number. Stripe uses a combination of third-party data sources such as credit agencies or bureaus, utility or government-issued databases and others to verify the provided ID number.
(I'd also expect the ID photos etc. aren't stored long-term.)
1. If you are at a desktop, there is an easy transition to using your phone to take a picture of your ID (or a selfie if that's the use case - it will match selfies with ID photos), and then complete verification on the desktop.
2. It does all the image analysis (i.e. is the ID in focus, etc.) in browser without the need for a native app.
They are using it to force developers who don’t need the App Store to use the App Store. Thus, Apple can force them to pay their tax.
Other apps cannot do the same.
Like messaging or social networks need things like notifications. Or those for IoT related tasks, which would need Bluetooth or such.
https://developer.mozilla.org/en-US/docs/Web/API/Notificatio...
https://developer.mozilla.org/en-US/docs/Web/API/Web_Bluetoo...
The only saving grace is that you have to accept the permission box (I hope so at least...), which, for the average user, may not be much protection.
The whole ecosystem is there and very few are playing with it.
"Stop" - forever until I want you back
"Stop this week" - self-explanatory
"Not during work hours" - also ^
"Consolidate weekly" - get a digest
"I don't care" - make better suggestions
So many contextual pieces to make better notifications are right there... and though a toggle button appears to be 'easier' the cognitive dissonance is less the conversational environment of SMS.
I've never seen any SMS system that would correctly interpret and adjust to things like "not during work hours" or "consolidate weekly" responses.
I know!! I built a stupid simple bot for myself that just reminds me of things I want in SMS form... I text it things like 'For tomorrow - x, y, z' and then 9am the next day it messages with what's behind '-'...
There's a bit of configuration the first time you text the bot, for timezones and things like what does tomorrow afternoon mean to me? 2pm or 3pm? If multiple 'tomorrow afternoons come' do you want that as a digest or just individually, or w/e.
But for me, I love it because I forget things so quickly, so as I quickly as I can send a text, I can get reminded at an appropriate time. (and yes, I hate reminder apps.)
I'm still struggling how to keep it 'safe' - because Twilio keeps all the message data in plain text (more a byproduct of SMS) and holds a record of it, so while I can encrypt the db entries, I'm not sure how to make it 'secure' for other folks yet.
You need to buy from apple/google if you want battery efficiency, as you want to be included in the one persistent channel the OS manages.
Even without that your own servers cost money.
For push notifications, I can set them to silent by application, they take me to the right place in the app when clicking them, very often they offer quick responses directly from the notification itself...
Finally, it's bad enough to require a phone number for 2FA (or worse, as the primary user identifier). Why should I have to give my phone number to a service?
Meaning they can identify my laptop and phone as belonging to the same person. I prefer they don't.
Edit: This seems to be an internationalization problem. I am from India. The pricing section for Indian page https://stripe.com/en-in/identity#pricing is missing so the link doesn't work.
Edit: to be a little less flippant, what is an example of a Stripe user to whom you would be comfortable giving your SSN?
I leave it blank and tell them (in vaguely more polite terms) to fuck off if they probe me about not providing it.
Worst case, if the appearance is really drastic then it would just fail and require a manual intervention.
I did a deep-dive on KYC providers last year. The more well-known folks commanded 5 figure setup fees, wanted 1 to 2 year commitments, and sought to have you pre-pay for verifications. It reminded me of internet credit card processing pre-Stripe.
They can't know for sure whether an ID is real or fake (they're not the government).
They could be charging you AND creating an international ID database.
And frankly, if Stripe is offering any form of credit, it's likely working with the credit unions too.
I'm sure they're not as lax as Equifax. I would hope that Stripe compartment all these documents so that a compromise of one database is not a compromise of the whole database. That's basic data storage hygiene in the information age. `Don't put all your eggs in one basket` as the saying goes.
Yet I've never seen any company use it. Everyone uses slower, more expensive private services that don't ask any questions about what you're going to do with the data they collect.
I am too, but that's not an endorsement. And more pertinently, that is nowhere nearly enough.
Every database of value tends towards uncontrollable sharing over time. The more available and more valuable it is, the harder it is to fight that trend.
The best thing for humanity is to stop making high-value data hordes like this. Unfortunately, the interests of smaller groupings are the reverse.
2. Any biometric identifiers that are created to perform the verification are never stored or retained—they are fully removed from all of our systems within 48 hours (usually within minutes).
More on this at https://support.stripe.com/questions/managing-your-id-verifi....
That doesn't make me feel a lot better. :( The images are enough to generate biometric data such as facial recognition profiles.
> all images captured, extracted data from your ID document including name, date of birth, and ID number, and any information submitted via forms such as name, date of birth, SSN, email, and phone number, and the verification response.
How do you foresee that consent working if your product is used in account recovery flows?
For example, imagine if Steam adopted Stripe Identity as their only way to allow people with $$$$ worth of games to recover hacked accounts. If the user's only choice is to "consent" or lose their valuable account, that makes the "consent" something of a joke.
I'd be interested to hear how you plan to square that circle!
It's simply not legal to "not keep records" if you are running payments.
If you ran a payment to "O Bin Laden" but you have a driver's license picture showing that it is Oscar Bin Laden, from CA, DoB 2001, you'd better keep all that information for your records in case you get audited for potential OFAC violations.
Does Stripe have a legal contract with users that says something to the effect of "if it does 1 and 2 above (by mistake or by choice doesn't matter) - that they will be liable for it". If not, all the support documents and technical security documentation is moot. I want to see "skin in the game" by Stripe. If you're so sure about "security" sign a legal contract.
Trust and goodwill is enough to get me to consider a service, not enough to sign up.
Also, data outlives management regimes. Eventually, any data set that can be used will be used.
For example: KYC is a core use case for identity, which requires us to retain ID information for audit purposes.
For businesses who don’t need to keep the ID for as long, we provide a deletion API that lets them automatically delete the IDs from our system.
No need to go any further for an example than Google and its "Don't be evil" somehow evolving into "Normalize the creepy".
The Stanford thing was really the basis for Palantirs competitive advantage in the consulting space over companies like Booz Allen Hamilton etc.
If there was, all black-hats would be coming from Ivy League schools. They’re not.
Nor is there a correlation between Stanford degrees and wanting to write secure code.
That doesn't matter.
The only way i would trust such a thing is if i have complete control over my data and how it's used (that's probably never gonna happen from a for-profit imo)
Previously, you'd have had to use something like Jumio for this, which was (to be generous) pretty wonky.
Multiple much smaller countries' IDs are supported.
Identity verification is definitely something that gets better with more data as more people use it. Pricing low to gain market-share is the obvious move for companies which don't have pressure to show immediate returns.
Maybe it shows a more general difference in ambition between companies in the UK to those across the pond.
When an HN post sends me to a Dutch page, it's always Stripe. 100% of the time.
I'm a native Spanish speaker too, and nothing in this announcement strikes me as unintelligible, but that might be my own biases at play given the familiarity with Stripe's lingo.
Otherwise, if you're a trained linguist and have demonstrable consulting experience QA'ing technical documentation then we'll be happy to arrange something.
In either case, we appreciate your feedback, and my emails are open!
Stripe is not for those seeking to run truly international businesses. We've been patient, but we eventually realized that they simply do not care. We care about Sub-Saharan Africa and Latin America, but they do not. We do not trust them to prioritize the global availability of their offerings at this point, and as a result we no longer even bother checking out their offerings. What's the point if instead of empowering us, they restrict our business model.
My angle is in Brazil. Even after all these years, they still don't support monthly installments, which is literally a single line API param that, honestly, I don't know any other payment gateway in Brazil that doesn't support it. Monthly installments is a huge deal in Brazil.
They also only now started the private beta of Boletos, which is unfortunate since Boletos are being phased out in Brazil due to the new PIX, which allow for instant payments 24/7. So they are basically releasing just now a feature that nobody really wants anymore.
Stripe connect also isn't available (AFAIK only the "standard" account is available, which mandates for Stripe onboarding and can't accommodate any white label marketplace integration).
The lack of focus is noticeable even from their marketing pages. Notice how in https://stripe.com/br/connect the explanation for "Cobranças diretas" and "Cobranças de destino" are exactly the same (the text "Os compradores fazem transações diretamente com os vendedores, mas quase nunca notam a existência da plataforma, que pode cobrar tarifas de transação" appears in both), making it impossible to understand the difference, while if you visit https://stripe.com/us/connect you see two different texts for each option.
Their support team has always responded quickly and politely, but we've had an impossible time trying to understand how they could allow us collect payments from abroad as a marketplace operating in Brazil, and that's even pointing out we didn't rule out opening a US-based company via Stripe Atlas if that was necessary. Lots of contradictory information and when we pressed on, they always end with them noticing that Brazil is still in preview and they still can't operate properly with Connect in Brazil.
Which is weird, considering it's LATAM's biggest market. This release of Stripe Identity missing out Brazil on launch, even tough it's a country that badly needs antifraud solutions, is only one more evidence of this.
I'd love your feedback on installments, Pix, and Custom Connect. Can you reach out to Marcio@Stripe?
Thanks for the marketing typo, on it.
Love it.