Stripe


Payment processing infrastructure used by online businesses globally. The Stripe.js script, which merchants load from js.stripe.com, handles card tokenization, 3D Secure authentication and rendering of the hosted payment elements. It also collects browser and device signals that feed Stripe Radar, whose risk scoring runs on Stripe's servers rather than in the browser.

Overview

Stripe is a leading payment processing infrastructure provider for online businesses. On the merchant's checkout page, Stripe.js tokenizes card data, renders payment input fields inside iframes served from Stripe's own origin, manages 3D Secure and Strong Customer Authentication flows, and collects the browser signals that Stripe Radar uses to score transaction risk on Stripe's side.

What This Script Does

Script Loading Stripe requires Stripe.js to be loaded directly from js.stripe.com (canonically https://js.stripe.com/v3/) for the integration to remain PCI compliant. Bundling the script into the merchant's build or serving a copy from the merchant's own domain or a CDN breaks that requirement, because the merchant would then be responsible for the integrity of the code that handles card data. The npm package @stripe/stripe-js does not bundle the library either: its loadStripe() helper injects a script tag that points at js.stripe.com. Stripe updates the script at that URL in place, so a Subresource Integrity hash cannot be pinned on the tag; the practical control is a Content-Security-Policy whose script-src admits only the expected Stripe origin.

Stripe Elements (Hosted Input Fields) Stripe Elements renders the secure card input fields as iframes served from js.stripe.com. Raw card numbers, expiry dates and CVC codes are typed directly into these Stripe-controlled iframes, so they never reach the merchant's JavaScript execution environment or servers; because the iframes are cross-origin, the same-origin policy stops the merchant page's scripts from reading their contents. The merchant's page communicates with the iframe through postMessage, while the card data itself travels from the iframe to api.stripe.com. This isolation protects the card data from the merchant's own code and servers, not from a compromised checkout page: a script injected into the page could still overlay or replace the form, which is why the page itself still needs hardening against unauthorized scripts.

Elements rendered:

  • Card Number, Expiry, and CVV fields (separate or combined CardElement)
  • PaymentElement — a smart form that shows the appropriate payment methods for the customer's location (cards, SEPA Direct Debit, iDEAL, BLIK, etc.)
  • AddressElement — address collection with postal validation
  • PaymentRequestButton — Apple Pay and Google Pay button

Payment Processing Flow

  1. The customer enters card details in the hosted iframe.
  2. The merchant's JavaScript calls stripe.createPaymentMethod() (or the legacy stripe.createToken()); Stripe.js sends the card data from the iframe directly to Stripe's servers at api.stripe.com.
  3. Stripe returns a PaymentMethod ID (pm_...) or a one-time-use token (tok_...).
  4. The merchant's JavaScript submits that ID or token to the merchant's server.
  5. The merchant's server charges the card server-to-server through the Stripe API, typically by creating and confirming a PaymentIntent. The amount and currency must come from the server's own order record, never from the request the browser sent, and the call should carry an Idempotency-Key so that a retried request cannot charge the card twice.

3D Secure and SCA When a payment requires 3D Secure authentication, Stripe.js opens an iframe or popup to the card issuer's authentication page. A server-side confirmation that needs a challenge comes back with status requires_action; the SDK then completes the challenge on the client through stripe.handleNextAction() or the older stripe.handleCardAction(), or the whole confirmation is driven from the client with stripe.confirmPayment(). Domains involved include hooks.stripe.com (the 3DS frames and return handling) and the issuing bank's authentication URLs.
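The server-to-server step of the flow above, together with the requires_action hand-off for 3D Secure, as an added example. This is illustrative code, not Stripe's and not this page's: the merchant server receives only the PaymentMethod ID from the browser, takes the amount from its own order store, creates and confirms a PaymentIntent against api.stripe.com with an Idempotency-Key, and reports back whether Stripe.js must run a challenge. Assumptions: a hypothetical in-memory order store, an injectable transport (defaulting to fetch) so the logic runs offline, and STRIPE_SECRET_KEY supplied through the environment; the pm_/pi_ identifiers and the sample PaymentIntent response are constructed.

```javascript
// Added example (not Stripe's or this page's code): merchant-server side of a
// Stripe.js card payment, written against POST /v1/payment_intents with fetch.
const STRIPE_PAYMENT_INTENTS = 'https://api.stripe.com/v1/payment_intents';

// Hypothetical order store: amount and currency always come from here, never from the client.
const ORDERS = new Map([['order_123', { amount: 4999, currency: 'usd' }]]);

// Stripe.js hands the browser a PaymentMethod ID of the form pm_...; a legacy token
// (tok_...) cannot be passed as payment_method directly, so it is rejected here.
function isPaymentMethodId(id) {
  return typeof id === 'string' && /^pm_[A-Za-z0-9]+$/.test(id);
}

// Build the request for POST /v1/payment_intents (form-encoded, like every Stripe API call).
// Any `amount` the browser might have sent is simply not read.
function buildPaymentIntentRequest({ orderId, paymentMethodId, idempotencyKey, secretKey }) {
  const order = ORDERS.get(orderId);
  if (!order) throw new Error('unknown order');
  if (!isPaymentMethodId(paymentMethodId)) throw new Error('invalid payment method id');
  if (!idempotencyKey) throw new Error('idempotency key required');
  const body = new URLSearchParams({
    amount: String(order.amount),
    currency: order.currency,
    payment_method: paymentMethodId,
    confirm: 'true',
    // Card only and no redirect-based methods, so a 3DS step comes back as
    // requires_action for Stripe.js to handle rather than as a redirect URL.
    'payment_method_types[]': 'card',
  });
  return {
    url: STRIPE_PAYMENT_INTENTS,
    method: 'POST',
    headers: {
      Authorization: 'Basic ' + Buffer.from(`${secretKey}:`).toString('base64'),
      'Content-Type': 'application/x-www-form-urlencoded',
      // Same key on retry makes Stripe return the original result instead of charging twice.
      'Idempotency-Key': idempotencyKey,
    },
    body: body.toString(),
  };
}

// Reduce the PaymentIntent object to what the browser needs. The client_secret is
// the only Stripe field handed back, and only when Stripe.js must drive a challenge.
function interpretPaymentIntent(intent) {
  switch (intent.status) {
    case 'succeeded':
      return { outcome: 'paid', paymentIntentId: intent.id };
    case 'requires_action':
      return { outcome: 'requires_action', clientSecret: intent.client_secret };
    case 'requires_payment_method':
      return { outcome: 'declined', reason: intent.last_payment_error?.decline_code ?? 'card_declined' };
    default:
      return { outcome: 'pending', status: intent.status };
  }
}

// Glue: send the request and interpret the response. `transport` is injectable for tests.
async function chargeOrder(params, transport = fetch) {
  const req = buildPaymentIntentRequest(params);
  const res = await transport(req.url, { method: req.method, headers: req.headers, body: req.body });
  const intent = await res.json();
  if (!res.ok) throw new Error(`Stripe error: ${intent.error?.message ?? res.status}`);
  return interpretPaymentIntent(intent);
}

// Constructed sample response, shaped like Stripe's PaymentIntent object, served by a
// fake transport so the block runs offline (no real ids, no network).
const SAMPLE_REQUIRES_ACTION = {
  id: 'pi_sample',
  status: 'requires_action',
  client_secret: 'pi_sample_secret_constructed',
  next_action: { type: 'use_stripe_sdk' },
};
function fakeTransport(captured) {
  return async (url, init) => {
    captured.push({ url, init });
    return { ok: true, status: 200, json: async () => SAMPLE_REQUIRES_ACTION };
  };
}

// Stand-alone run against the fake transport; STRIPE_SECRET_KEY is a placeholder here.
chargeOrder(
  { orderId: 'order_123', paymentMethodId: 'pm_sample', idempotencyKey: 'order_123-attempt-1',
    secretKey: process.env.STRIPE_SECRET_KEY ?? 'sk_test_placeholder' },
  fakeTransport([]),
).then((result) => console.log(result));
```

When the result is requires_action, the browser passes clientSecret to stripe.handleNextAction({ clientSecret }) and Stripe.js opens the issuer challenge; after it completes, the server confirms the final status from the PaymentIntent (or a webhook) rather than trusting the client's word that authentication succeeded.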

Fraud Detection Stripe.js collects browser signals to power Stripe Radar fraud detection:

  • Browser fingerprint: User-Agent, screen dimensions, timezone, language, installed plugins
  • Behavioral signals: mouse movement entropy, keystroke timing on payment fields
  • Device signals: touch capability, hardware concurrency, device memory class
  • Network signals: IP address and connection type (collected server-side)

These signals are sent to q.stripe.com for risk scoring. Stripe Radar uses this data to assign a fraud risk score to each payment attempt; the scoring itself runs on Stripe's servers, not in the browser, and the merchant acts on the score through Radar rules (for example by requesting 3D Secure for high-risk attempts).

Cookies set:

  • __stripe_mid (1 year): machine identifier for fraud detection
  • __stripe_sid (30 minutes): session identifier for fraud detection

Stripe.js writes both as first-party cookies on the merchant's domain, so they appear in the merchant site's own cookie inventory even though only Stripe.js reads them; their values travel with the fraud signals and are not used for advertising or cross-site tracking by the merchant.

Domains contacted: js.stripe.com (script and Elements iframes), api.stripe.com (tokenization and API calls), q.stripe.com (fraud signals), hooks.stripe.com (3D Secure frames), m.stripe.network (the fraud-signal iframe; this is the stripe.network entry under Tracked Domains below), r.stripe.com (error reporting)

Consent & Compliance

GDPR/ePrivacy: Stripe.js is necessary for processing payments, covered by contractual necessity under GDPR Article 6(1)(b). Fraud detection processing is justified under legitimate interest (Article 6(1)(f)): Stripe and the merchant both have a legitimate interest in preventing fraudulent transactions. The fraud-prevention cookies set during a payment flow the user initiated fall under the ePrivacy strictly necessary exemption for cookies needed to complete a user-requested transaction. Stripe acts as a data processor for the merchant and as an independent controller for fraud and risk data.

CCPA/CPRA: Payment data processing for transaction completion and fraud prevention is a necessary business operation exempt from opt-out requirements under CCPA.

EU-US Data Transfers: Stripe Inc. participates in the EU-US Data Privacy Framework (DPF) and offers Standard Contractual Clauses for EU payment data processing by Stripe's US entity.

PCI-DSS: Stripe.js's iframe architecture is designed to keep the merchant's PCI-DSS scope to SAQ A, the shortest self-assessment questionnaire, because raw card data never enters the merchant's environment. That scope reduction depends on loading Stripe.js from js.stripe.com, and PCI DSS v4.0 also expects merchants to control which scripts run on their payment pages, so a script inventory and a restrictive Content-Security-Policy on the checkout page are part of keeping that scope.

Consent category: Essential (payment processing) and Functional (saved payment methods, address collection).

Should You Block This Without Consent?

No. Stripe.js provides essential payment processing infrastructure. Blocking it prevents customers from completing purchases and renders the checkout page non-functional. The fraud detection data collection is a security measure that is part of payment processing, justified under GDPR legitimate interest and CCPA business necessity. Disclose Stripe as a payment processor in the site's privacy policy. One deliberate choice remains: Stripe recommends including Stripe.js on every page to improve fraud detection, but doing so extends the cookies and signal collection beyond the checkout flow, so decide whether to load it site-wide or only on payment pages and describe that choice in the policy.


Products (5)

Stripe Billing
Stripe Billing is Stripe's subscription and recurring revenue management module. Scripts embedded in checkout and account pages handle subscription lifecycle events, billing cycles, proration calculations, and payment retry logic. Stores session data and payment method tokens to support subscription management flows.
Stripe Connect
Stripe Connect is Stripe's platform payments product enabling marketplaces and SaaS platforms to process payments on behalf of third-party sellers. Scripts manage connected account onboarding flows, payment routing, and split payment configurations. OAuth tokens and account identifiers are stored to facilitate multi-party transactions.
Stripe Identity
Stripe Identity is a document-based identity verification service. Scripts load a verification flow that captures government-issued ID images and selfie photos via the device camera, transmitting them to Stripe for automated document analysis and liveness detection. Collected biometric data and document details are processed to verify user identity.
Stripe Radar
Stripe Radar is Stripe's machine learning-based fraud detection system. Scripts collect browser signals including device fingerprints, behavioral patterns, and network metadata during payment flows to assess transaction risk. This data is used to score transactions and trigger 3D Secure challenges for suspicious activity.
Stripe Tax
Stripe Tax is an automated tax calculation and collection module integrated into Stripe checkout flows. Scripts calculate applicable sales tax, VAT, or GST in real time based on customer location and product type during payment. Tax calculations and jurisdiction data are transmitted to Stripe's servers for compliance reporting.

Consent Categories

Essential
Functional

Also Known As

Stripe.js, Stripe payments, Stripe fraud detection, payment processing, Stripe Elements, Stripe checkout, card tokenization

Industries

Computers Electronics and Technology, Programming and Developer Software

Tracked Domains (2)

stripe.com (Functional)
stripe.network (Functional)

Frequently Asked Questions

Does Stripe require cookie consent?

No. Stripe.js is essential payment processing infrastructure. Its fraud detection cookies (__stripe_mid, __stripe_sid) are written by Stripe.js as first-party cookies during user-initiated payment flows and qualify for the ePrivacy strictly necessary exemption. The GDPR legal basis is contract performance, with legitimate interest for fraud prevention.

What cookies does Stripe set?

Stripe sets __stripe_mid (1-year expiry) and __stripe_sid (30-minute expiry) for fraud detection and session identification; Stripe.js writes them as first-party cookies on the merchant's domain, which is why they appear in the merchant site's cookie scans. Script loads originate from js.stripe.com/v3/ and API calls go to api.stripe.com and q.stripe.com.

How does ConsentStack handle Stripe?

ConsentStack classifies Stripe as essential and functional, and never blocks it. It is detected via js.stripe.com/v3/ script loads. Blocking Stripe would prevent checkout from functioning entirely, so ConsentStack allows it unconditionally and recommends disclosing it in the site privacy policy.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script is loaded asynchronously from the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own; it acts as a loader for other scripts.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.
