40 comments

[ 4.9 ms ] story [ 81.9 ms ] thread
"While PayPal was once known for easing the pain of that process, you can’t deny that digital payments has stagnated as the rest of the Web elevated in general usability." So true. With initiative like this, Stripe seems to be going in the right direction to become the new Paypal(better and improved of course ;-)) Way to go guys!
It's beautiful, but how does the user verify that the credit card popup form is being posted to a valid, secure site?

I mean, normally you'd first be redirected to a trusted payment site and verify its SSL identity in the browser URL bar. Then you'd know that the trusted site will do things properly from there.

But in this case, are you just supposed to trust blindly that the Stripe-looking payment form popping up on some semi-random site will really be submitted to Stripe? Am I missing something?

Am I missing something?

Yes: most customers don't think about the question you're posing.

For that question to even arise in a customer's mind, they would have to know what an iframe is. Otherwise, it's just a cool little popup that the website opened.

Besides how does a pop up make it more likely to be an iframe than just any old iframe?
100%....Most customers don't even understand https vs http. In the tech bubble, we definitely recognize things like that, but for normal people, they determine their trust by the look and brand name on the payment form.

This button is the first step for stripe to start being a trusted name by more skeptical e-customers.

I would trust Stripe, but only after seeing it verified as the owner of the SSL certificate of the website I'm using. There's way too much phishing going on for me to trust anything just shown in HTML branding..

Of course I realize that 'normal' people might trust anything, but it still won't make me trust it any more. So I'm not quite sure in what situation I would personally ever be able to use these nice Stripe button payments.

Surely that's a bad thing? It would be trivial to make an identical Javascript popup which harvested data rather than sending it off to Stripe. Yes, the current redirect-ad-infinitum workflow is reasonably trash, but this scares me a lot, and I'd personally not trust it.
I think the idea would be that this is in a https payment page of the client company who you would then choose to trust (or not) as implementing the payment frame correctly. Just like if they had their own payment solution essentially.
(comment deleted)
Don't all modern browsers warn of (or block) mixed HTTP/HTTPS content?
Only if the parent page is HTTPS and tries to load HTTP content, but not vice versa. So an HTTP page loading an HTTPS iframe won't trigger an error.
(comment deleted)
While I do like that they have a standardized button now, I wouldn't say that the button itself is gorgeous.
> Either way, I’m hoping PayPal, Google and everyone else follows suit, because buying something online should be frictionless by now.

This aesthetic choice doesn't seem to change the friction much. We're still typing in 16-digit codes by hand.

Paying with Amazon is mostly frictionless for me. If I remember correctly from my purchase on louisck.net on Sunday, it was click to get to Amazon login page, click to login to Amazon account, click to use card ending in 9432, click to confirm.
And, correct me if I'm wrong, they've been delivering that level of convenience for many years and without any need for iframes.

All due respect for Stripe, iframes are a potential security hole waiting to happen. iframes open many possibilities for exploits. I doubt we've seen all of them yet.

Um, Amazon handles credit cards for their sales. Stripe is for the the thousands of sites that don't.
This is true. But I wouldn't say it is an absolute justification for using iframes, as if that was the only possible way to approach the problem Stripe is trying to solve.

Maybe it won't matter. We'll see.

Neither PayPal nor Google require you type in your CC number at point of sale.
I wouldn't go so far as to call it gorgeous, it's just an extension of the default Bootstrap theme[1].

I guess if your site is using the default Bootstrap theme, then that's great, but in and of itself it is not eye-catching IMO.

1. http://twitter.github.com/bootstrap/

So how long after a link is submitted here at HN can the OP alter the title?

Last night when I commented, the title was something along the lines of:

> The new ‘Pay with Stripe’ button is gorgeous

But now this morning, it's:

> The new ‘Pay with Stripe’ button makes online payments feel better

...which makes my comment seem like a critique out of left field.

This article sort of rubbed me the wrong way for some reason. I understand the problems with PayPal and the benefit of companies like Stripe competing, but an article gushing over a bootstrap-esque button on a payment popup? Comes across as inane, at best...
Yeah; this isn't something we're looking to make a big deal out of. It's just a beta product we're experimenting with and which The Next Web chose to write about. There's still a lot we want to fix and improve.
I've gone back and forth on this. I totally get what you are saying about the bootstrap-esque button. That was the first thing I thought, too.

But...it is also an indication of a change coming to a segment that has seen a decade of stagnation.

And that is beautiful.

Thanks :).
Did you try using it? The design might look stock-ish, but the UI experience is what I wish for every time I check out.
Kudos to Next Web for celebrating interface innovation. The payment process looks super slick.
iframes are hard to trust, they create opportunities for spoofing and phishing for regular users

I once sent a letter to Steve Jobs saying that the MacOS (and other operating systems) were susceptible to phishing by applications, which would simply present a dialog that looks very much like the System Security dialog, and thereby gain the user's root password.

The solution is to have an area where only the operating system can draw (and which cannot be screen-captured, the same way Apple currently does with DRM movies). In this area, the system would present to the user a phrase which the user selected when setting up their account.

This would prevent phishing, as users would be trained to look for the phrase (and / or icon ... the reason you can't have an icon alone is because the phisher could get it right 1 out of N times).

Now, on the web there is a similar thing you can do! When someone places KEYBOARD FOCUS in your password box, and starts typing the correct password, you display the icon + phrase that you previously selected when setting up your account. If the phrase doesn't pop up or is different, you know you're being phished.

THIS is a great way to stop phishing on the web. Anyone impersonating you will not know what phrase to display. Only by starting to type the correct pass phrase will they get this information. On the other hand, they won't be able to place anything fake over the password input box and capture your input, because the phrase only appears when you type IN the password input box, which the attacker can't get to, thanks to the cross-domain security in browsers!

I've thought about that impersonating password window on OS X a lot too. I like your solution although I'm pretty sure nobody is going to implement that. It only makes sense if we go back to browsers taking over for login, then there could be a uniform approach that could also be outside of the browser controlled window area.
"Am I just gushing, or is this feeling mutual?"

Someone please tell the author that web design components do not have any emotions. The feeling could never be mutual.

go international for crying out loud
This is the first bad thing I've read about Stripe. I was expecting something a lot more special when I checked the article from the link-baity headline. Instead, it's just a bootstrap-style button. And an inline popup that I would never trust to enter my credit card details. Wasted first impression on me.

And The Next Web just dropped another notch on the news sites I trust list. I have to stop clicking those links. Wasn't this the same site that copied someones blog post basically word for word without giving them credit? Quick, check to see if this same story appeared somewhere else first.

> And an inline popup that I would never trust to enter my credit card details. Wasted first impression on me.

Then you wouldn't trust any non-brand-name site that sells things via credit card charges (which makes you fall outside of the entire e-commerce consumer space).

Stripe isn't for Amazon and eBay, it's for those thousands of other sites out there that accept credit cards. If you would shop there using an inline payment form, you would still shop there with the modal <div> payment form. Believe it or not, people trust and use these kinds of sites every day.

I feel like a lot of people here are missing the point of the article: mainly the fact that the author is commenting on the UX of the Pay with Stripe button (compared to more complicated payment workflows) and not its tasteful use of background gradient and pretty colors.
Sigh... I don't care about the pretty buttons, I just want a payment service that works.

After another spate of PayPal randomly refusing my customer's payments, I've just spent most of my day searching for an alternative, AGAIN. Stripe, Dwolla, you name it - all closed to non-US residents.

US-based companies have a significant advantage here. They can sell globally because the rest of the world is used to paying in US dollars. But North American customers are paranoid about paying in other currencies, and don't understand the concept of exchange rates.

If anyone can tell me how to get an account with ANY mainstream US payment processor (except PayPal), I would be forever in your debt. There is a HUGE opportunity here. There are thousands of reputable companies from reputable countries that would jump aboard within days.