This is one of the most important questions we get asked, and so it begins our FAQs page. Security is one of the biggest considerations in everything we do. We use Stripe, which has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
SECURE SOCKET LAYER AND HSTS
Stripe forces HTTPS for all e-commerce and other services. HTTPS (the 'S' stands for secure) is displayed in your address bar to indicate that the website you are visiting is secure, rather than HTTP, which is not secure. To obtain HTTPS, websites are required to have an SSL (Secure Socket Layer) Certificate. SSL encrypts all data using 256-bit technology.
Stripe regularly audits implementation details such as the certificates served, the certificate authorities used, and the ciphers that are supported. Stripe uses HSTS to ensure browsers interact with Stripe only over HTTPS. Stripe is also on the HSTS preloaded lists for Chrome, Safari, Bing, and Firefox.
The Caravan Supermarket employs the highest level of validation by using EV SSL certification. EV SSL Certificates provide the strongest encryption level available and enable the organisation behind a website to present its own verified identity to website visitors. EV SSL Certificates offer a stronger guarantee that the owner of the website passed a thorough and globally standardised identity verification process defined within the EV guidelines (a set of vetting principles and policies ratified by the CA/Browser Forum). The Extended Validation identity verification process requires the applicant to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorised the issuance of the Certificate. A visitor can easily recognise EV SSL certification on any website they are visiting by looking at the address bar. The 'https://' will be green, and the padlock icon will be present with the name of the certificate authority that issued the EV SSL Certificate.
All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of Stripe's internal servers and daemons are able to obtain plain text card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. Stripe's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn't share any credentials with Stripe's primary services (API, website, etc.).
That is a lot of jargon, but to put it simply: you're safe and secure when you buy from us.