
Stripe

Stripe payment infrastructure exhibits persistent fingerprinting and session surveillance when embedded, combining legitimate fraud detection with behavioral tracking.

20 IOCs | 26 detections | 42% pre-consent | 20 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Stripe discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

26 detections across 20 sites | 42% pre-consent activity

Pre-Consent Activity (severity: HIGH)

Stripe was observed loading and executing before user consent was obtained on 42% of sites where it was detected.

GDPR, ePrivacy
Claims vs. Observed Behavior

1 gap (status: Pending Analysis, severity: UNKNOWN)

They Claim: Claims extraction pending

Observed Behavior: CDT analysis required for privacy policy and DPA review

What This Means For You

Sites embedding Stripe inherit fingerprinting and session-recording liability from the moment the script loads, not only when a user interacts with checkout. Cross-domain tracking distorts attribution measurement and undermines accurate conversion analysis. GDPR exposure exists wherever the consent banner loads after Stripe.js has already initialized.

What To Do About It

Role-specific actions based on observed behavior

If You Use Stripe

  • Audit Stripe.js load timing against the consent banner; defer the script until checkout is initiated where possible (Stripe's own guidance is to load Stripe.js on every page for fraud-signal coverage, so deferral is a deliberate trade-off)
  • Review DPA terms for fingerprinting data retention and cross-merchant sharing
  • Consider a server-side or hosted-redirect integration so that no Stripe.js executes on your origin; handling raw card data on your own servers expands your PCI DSS scope, so a Stripe-hosted payment page is usually the practical route

If You're Evaluating Stripe

  • Evaluate alternative payment processors with a minimal client-side footprint
  • Prefer a consent-first payment UX that delays the Stripe.js load until checkout initiation
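A consent-gated loader for Stripe.js, written as an added example for this briefing (it is neither Stripe's code nor BLACKOUT's) to show the deferral that both the "If You Use Stripe" audit item and the consent-first UX item describe: Stripe.js is never referenced statically; it is injected only after the CMP has granted the consent category the site maps payment tooling to and the user has actually started checkout. The category name 'functional', the CMP event name and the checkout button selector are assumptions to adapt to your site.

```javascript
// Consent-gated Stripe.js loader. Added example, not Stripe's or BLACKOUT's code.
// Instead of a static <script src="https://js.stripe.com/v3/"> tag, Stripe.js is
// injected only once BOTH hold: the user has granted the consent category the
// site maps payment tooling to, AND the user has actually started checkout.
// Until then no Stripe code executes, so nothing can fingerprint pre-consent.

const STRIPE_JS_URL = 'https://js.stripe.com/v3/'; // official Stripe.js URL

// Default injector: browser-only, creates the script tag on demand.
function defaultInjectScript(url) {
  const s = document.createElement('script');
  s.src = url;
  s.async = true;
  document.head.appendChild(s);
}

// consentCategory 'functional' is an assumption about the site's CMP taxonomy;
// injectScript is overridable so the gate can be exercised outside a browser.
function createStripeGate({ consentCategory = 'functional', injectScript = defaultInjectScript } = {}) {
  const state = { consent: new Set(), checkoutStarted: false, loaded: false, loadedAt: null };

  // Load exactly once, and only when both gate conditions are satisfied.
  function tryLoad(now) {
    if (state.loaded || !state.checkoutStarted || !state.consent.has(consentCategory)) return false;
    state.loaded = true;
    state.loadedAt = now;
    injectScript(STRIPE_JS_URL);
    return true;
  }

  return {
    // CMP callback with the categories the user granted. Returns true if this call triggered the load.
    onConsent(categories, now = Date.now()) {
      for (const c of categories) state.consent.add(c);
      return tryLoad(now);
    },
    // Withdrawal cannot unload a script that has already executed; returns true when a
    // page reload is required to honour it.
    onConsentWithdrawn(categories) {
      for (const c of categories) state.consent.delete(c);
      return state.loaded;
    },
    // "Pay" / "Checkout" click handler.
    onCheckoutStart(now = Date.now()) {
      state.checkoutStarted = true;
      return tryLoad(now);
    },
    isLoaded: () => state.loaded,
    loadedAt: () => state.loadedAt,
  };
}

// Browser wiring (assumed CMP event name and button selector; adapt to your site):
//   const gate = createStripeGate({ consentCategory: 'functional' });
//   window.addEventListener('cmp:consent', e => gate.onConsent(e.detail.granted));
//   document.querySelector('#checkout').addEventListener('click', () => gate.onCheckoutStart());
```

The gate records when the load happened so the timestamp can be compared against the CMP's consent record during an audit. Withdrawal after the script has executed cannot be honoured in-page; the gate reports that a reload is needed rather than pretending to unload Stripe.js.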

Negotiation Leverage

  • Stripe DPA permits device fingerprinting for fraud detection but lacks clear retention limits or cross-merchant sharing restrictions
  • Session recording capability not disclosed in public documentation, discovered via runtime observation
  • Client-side fingerprinting creates pre-consent liability that the Stripe contract does not indemnify

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 Defeat Device

Evasion infrastructure, auditor bypass

Impact: Stripe scripts employ obfuscation and anti-detection methods to conceal fingerprinting activity from browser privacy controls.

BTI-C07 Session Recording

Full session replay

Impact: Captures user interaction patterns and form behavior beyond payment fields, creating unnecessary surveillance surface.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Synchronizes device fingerprints across Stripe merchant network, enabling cross-site tracking of user payment behavior.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Fingerprinting and session capture initiate on script load, before payment interaction or user consent signal.

BTI-C10 Fingerprinting

Device identification

Impact: Collects browser, device, and behavioral signals to create persistent identifier for fraud detection and analytics.

BTI-C14 Identity Resolution

PII deanonymization

Impact: Links device fingerprints to payment identities, enabling long-term user tracking across merchant properties.

IOC Manifest

13 INDICATORS

Indicators of compromise across 4 categories. Use them for detection rules, CSP policies, or Pi-hole blocklists. Two caveats: a CSP only keeps these hosts out if script-src and connect-src name js.stripe.com and api.stripe.com explicitly rather than wildcarding *.stripe.com, and blocking endpoints Stripe uses for fraud signals can degrade its fraud detection, so re-test checkout after deploying any block.

TRACK | *q.stripe.com/* | Tracking script

(1 of 13 indicators shown on this page)

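How the pre-consent figure in Key Findings (and the BTI-C09 Consent Bypass classification) can be reproduced from your own capture, and how a manifest glob becomes a detection rule, as an added example that is not BLACKOUT's tooling: the code scans a HAR export for requests matching IOC globs and flags those that started before the CMP's consent timestamp. The HAR and consent time are constructed inline; the second IOC entry (js.stripe.com) is an assumed entry added only to show a multi-pattern list and is not from the manifest.

```javascript
// Pre-consent IOC scan over a HAR capture. Added example, not BLACKOUT's tooling.
// Input: a HAR object (browser devtools / Playwright export) and the ISO timestamp at
// which the CMP recorded consent. Output: every request whose URL matches an IOC
// glob, flagged pre-consent if it started before that timestamp.

// IOC list: the first entry is the one pattern the manifest shows; the second is an
// ASSUMED extra entry for the Stripe.js loader, present only to illustrate a multi-entry list.
const IOCS = [
  { pattern: '*q.stripe.com/*', category: 'TRACK', label: 'Tracking script' },
  { pattern: '*js.stripe.com/v3/*', category: 'SCRIPT', label: 'Stripe.js loader (assumed entry)' },
];

// Translate a manifest glob ('*' = any run, '?' = one char) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters except * and ?
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$');
}

// Split the glob at its first slash: the host part is matched against the URL host only,
// the remainder against path + query. Matching the raw URL string instead would let
// https://evil.example/?x=q.stripe.com/ satisfy '*q.stripe.com/*'.
function compileIoc(ioc) {
  const slash = ioc.pattern.indexOf('/');
  const hostGlob = slash === -1 ? ioc.pattern : ioc.pattern.slice(0, slash);
  const pathGlob = slash === -1 ? '*' : ioc.pattern.slice(slash);
  return { ...ioc, hostRe: globToRegExp(hostGlob), pathRe: globToRegExp(pathGlob) };
}

const COMPILED = IOCS.map(compileIoc);

// Returns the matching IOC entry or null. Unparseable URLs never match.
function matchIoc(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  return COMPILED.find(ioc => ioc.hostRe.test(u.host) && ioc.pathRe.test(u.pathname + u.search)) || null;
}

// Walk the HAR and flag each IOC hit as pre- or post-consent.
function preConsentHits(har, consentAt) {
  // With no recorded consent event, every matching request counts as pre-consent.
  const consentMs = consentAt ? Date.parse(consentAt) : Infinity;
  const hits = [];
  for (const entry of har.log.entries) {
    const ioc = matchIoc(entry.request.url);
    if (!ioc) continue;
    const startedMs = Date.parse(entry.startedDateTime);
    hits.push({
      url: entry.request.url,
      category: ioc.category,
      label: ioc.label,
      startedDateTime: entry.startedDateTime,
      preConsent: startedMs < consentMs,
    });
  }
  return hits;
}

// Roll-up in the same shape as the report's headline figure ("42% pre-consent").
function summarize(hits) {
  const pre = hits.filter(h => h.preConsent).length;
  const pct = hits.length ? Math.round((100 * pre) / hits.length) : 0;
  return { total: hits.length, preConsent: pre, pctPreConsent: pct };
}

// Constructed sample HAR (not a real capture): four requests, consent recorded at T+5s.
const SAMPLE_HAR = { log: { version: '1.2', entries: [
  { startedDateTime: '2024-01-01T00:00:00.500Z', request: { method: 'GET',  url: 'https://js.stripe.com/v3/' } },
  { startedDateTime: '2024-01-01T00:00:01.200Z', request: { method: 'POST', url: 'https://q.stripe.com/?p=abc' } },
  { startedDateTime: '2024-01-01T00:00:03.000Z', request: { method: 'GET',  url: 'https://evil.example/?x=q.stripe.com/' } },
  { startedDateTime: '2024-01-01T00:00:09.000Z', request: { method: 'POST', url: 'https://q.stripe.com/?p=def' } },
] } };
const CONSENT_AT = '2024-01-01T00:00:05.000Z';

console.log(JSON.stringify(summarize(preConsentHits(SAMPLE_HAR, CONSENT_AT))));
```

The manifest's leading * still matches any host ending in q.stripe.com, so tighten the host part to the exact hostname before turning a hit into a blocking rule; and since Stripe.js is usually fetched well before checkout, expect the loader request itself to dominate the pre-consent count on sites that embed it site-wide.
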
Ecosystem & Supply Chain

Stripe dominates online payment processing with 40%+ market share, making its embedded surveillance infrastructure nearly unavoidable for e-commerce sites requiring card processing.

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

20 detection signatures across scripts, domains, cookies, and network endpoints
