Yes, Stripe makes it SUPER simple for accounts to change hands.
I bought a small business from a brokerage site.
He transferred the Stripe account to me no problem. It was as simple as me making a Stripe user account and then him adding me to the account he used for the business and then me removing him.
The entire process took minutes. It took about 3 weeks for PayPal.
As long as you're using their JS solutions so credit card data never ever goes through your servers (even temporarily), PCI-DSS compliance on Stripe just means serving the payment page over SSL.
That could just be the last four digits. When you create a token with Stripe, you do still get those back. Conceivably, they're showing 12 asterisks and the naked last four, while retaining the token Homejoy used with you so they can recharge -- although in order to do that, they would need Homejoy's Stripe API secret.
I was also thinking through which rules would apply here. (What entity owns a Stripe account? What constitutes a transfer of data? How does this case differ from, say, an acquisition?)
The Medium article only shows info you can get from a Stripe card_id request. Not using HTTPS on that page is troublesome, but I don't think there's any evidence to suggest FlyMaids (or even Homejoy) ever had access to actual CC information.
It seems more likely that this depends on Homejoy's ToS/Privacy Policy. (Although it's certainly possible the transfer was done in a way that violates Stripe's policies; I'm just not familiar with those.)
My guess is the account never changed hands. Stripe can't really prevent a legitimate owner of an account from doing something stupid with it. At least, not until after the fact.
Doesn't look like it is stored (only) with Stripe. The profile section of the site (per the blog post screenshot) displays some of the credit card info.
It's also intentionally difficult to gain access to the customer's card number on checkout. All the server is allowed to receive is a unique token representing the customer to complete the transaction with. Pretty clever, but I suppose not impossible to work around.
Which makes me wonder -- does Stripe allow entire accounts to change hands willy-nilly like this?