Stripe Tax, Stripe Identity, Stripe’s Missed Opportunity

Good morning,

After yesterday’s Daily Update about Shopify embracing their consumer brand, today’s is about a company that is a little bit more reticent.

On to the update:

Stripe Tax

From CNBC:

Stripe on Thursday debuted a new product that it says will make it easier for businesses to calculate and collect sales taxes, marking the digital payment giant’s latest push into other areas of finance. The service, called Stripe Tax, will automate the calculation and collection of sales tax, value-added tax and goods and services tax for transactions made through Stripe’s platform…

Businesses can enable Stripe Tax by adding a single line of code to their website, the company said. Stripe will use data like a customer’s location and the product or service being sold to work out how much tax is due. Stripe makes money by taking a small cut of the transaction from its merchants.

Stripe Tax makes sense for lots of reasons; start with the Supreme Court, specifically 2018’s South Dakota v. Wayfair decision which overruled 1992’s Quill Corp. v. North Dakota, which held that companies didn’t need to collect sales tax in locations where they were not physically located. I worried at the time about the impact on small businesses:

The issue is that while the Quill ruling absolutely gave an advantage to e-commerce companies, its revocation does the opposite: a brick-and-mortar retailer only needs to concern itself with the sales tax of the locality where it operates. An e-commerce seller, on the other hand, has to concern itself with every single sales tax regime in the entire country, including not just state sales taxes but municipal ones as well; the dissenting opinion notes that “Over 10,000 jurisdictions levy sales taxes, each with ‘different tax rates, different rules governing tax-exempt goods and services, different product category definitions, and different standards for determining whether an out-of-state seller has a substantial presence’ in the jurisdiction”.

This will inevitably prove to be a massive burden for small players; the solution will be obvious: simply sell on Amazon instead, and pay the behemoth whatever price they deem appropriate to handle this incredible complexity. Indeed, this ruling is rather quite ironic: pursued for years with the intent of limiting Amazon, it seems certain to only entrench the company.

Whereas Stripe Payments makes it easy for online businesses to collect money from anywhere in the world, Stripe Tax will make it far easier to collect and remit the appropriate taxes; this is a natural extension of Stripe’s existing product offerings and very much in the spirit of the company’s goal to “increase the GDP of the Internet.”

It’s also another way in which Stripe can increase its margin on Payments; the company previously offered (and still supports) the free Tax Rates API, which applies taxes according to a schedule provided and maintained by the Stripe customer; Stripe Tax, on the other hand, maintains a global rate schedule and applies the correct tax automatically for 0.5% per transaction (0.4% if you process over $100,000/month, and of course custom rates are available for large customers).

To that end, one of the more helpful bits of yesterday’s Stripe Sessions keynote was this graphic, explaining how Stripe’s myriad of product offerings fit together:

Stripe's new product matrix

Generally speaking, products that drive more payments — Checkout, Billing, Terminal — are free, while products that help Stripe customers save money — whether that be through compliance costs (Tax), fraud prevention (Radar), analysis (Sigma) — cost money. What is common to everything, though, is that it is built on Payments, Stripe’s original product.

There is, though, one new exception: Identity.

Stripe Identity

From ZDNet:

Stripe on Monday announced the launch of Stripe Identity, an identity verification system for online businesses. The self-service tool is designed to let businesses deploy a verification flow fully hosted by Stripe as a means of reducing fraud, preventing account takeovers, and stopping bad actors…

Stripe Identity can be integrated via either a low-code or a no-code option. The low-code integration is hosted by Stripe and lets businesses get up and running with verification in minutes, Stripe said. The no-code option lets fraud and risk teams generate verification links to assess suspicious transactions or high-risk users.

Identity is a bit of a surprising product for Stripe; start with the way it is monetized: it is not an add-on to Payments, or even related to Payments in any way. It’s a standalone product.

That’s not to say there isn’t a Payments-related connection: many companies dealing with money have Know-Your-Customer (KYC) requirements, and Identity is a natural fit there. It is interesting, though, that the demo of Stripe Identity in the Stripe Sessions keynote was for a (made-up) house rental company that didn’t have KYC requirements, but rather wanted to “increase trust in their marketplace”.

Rob Daly, the Engineering Manager for Stripe Identity who did the demo, suggested that Identity was more about productizing a product that Stripe had already built for its own use:

Some of the best technology products of the Internet era were originally built by businesses for their own use. Just look at AWS, or Slack. At Stripe we spent the last decade onboarding millions of users to our products ensuring they are who they say they are. So we’ve packaged up what we’ve built for Stripe and are now offering it as a service to Internet businesses with Stripe Identity, a simple and programmable way to verify identities online.

Tanya Khakbaz, Head of Product Marketing, made a directionally similar argument to Daly, but added in Stripe Tax as well:

Taxes and identity verification. These are just a slog for most companies. We spent the better part of a decade slogging through these ourselves, building tax and identity verification tools for Stripe. We’re excited to externalize them to all of you to spare you that work. If it’s not unique to your business, you shouldn’t have to do it.

There is a sort of progression of justifications here:

  • Identity is often a necessary ingredient for businesses that use Payments
  • The underlying infrastructure for Identity was already built so might as well productize it
  • Stripe wants to relieve online businesses of drudgerous work that is better offered as a service

Perhaps I am nattering at pedantic details, but the fuzziness as to why Stripe built this product strikes me as a problem, particularly once you dive into some of the implementation details.

Stripe’s Missed Opportunity

More from the ZDNet article:

As part of the identity verification process, users take a photo of their government ID and a live selfie, which Stripe’s machine learning then matches to the ID. Businesses can also request that users provide additional information that can be checked against third-party records. The information collected is encrypted and sent directly to Stripe, which means no sensitive, personal information is ever stored on a business’s own servers. The entire verification process for an individual user can be completed in 15 seconds, Stripe said.

This seems right, and in line with Stripe’s payment business, where one of the features, both for businesses and customers, is the fact that Stripe holds the credit card details, not the individual business. I certainly want no part of any of your credit card numbers!

In fact, though, that’s not quite right: you can export your customers’ credit card information from Stripe; after all, it is your data. Stripe notes in the introduction of that documentation:

We believe that our customers should own the sensitive data they entrust to Stripe, and we work hard to ensure your access to this data—even if you are moving elsewhere.

At the same time, Stripe won’t just send credit card data anywhere, because they can’t:

To meet PCI compliance obligations, we can only transfer your card data to another PCI DSS Level 1-compliant payment processor. Stripe requires the following information about the processor receiving the data:

  • The processor’s current PCI Attestation of Compliance (AOC), or their listing on Visa’s Global Registry of Service Providers.
  • The processor’s PGP public encryption key, which must be 4096 bits or greater in length. This key must be hosted over HTTPS on one of the processor’s domain names referenced in their AOC or Visa Registry listing.

PCI compliance is not federal law, but rather mandated by network providers like Visa and Mastercard; the difficulty of compliance is one of the reasons why Stripe got a foothold in the first place. What Stripe perhaps underestimated, though, is how PCI compliance obligations help them square the circle of serving their customers (businesses) while generating trust further downstream (with their customers’ customers).

The policies around Stripe Identity show what I mean: in line with Stripe’s belief that their customers’ data is their data, businesses that use Stripe Identity have API-level access to not only a customer’s verification status, but also the images that are captured of their ID, their selfie, and whatever data is extracted from said images, including name, date of birth, and ID number (Stripe does not share the biometric identifiers it uses to compare the selfie to the ID photo, and discards them automatically). In other words, the ZDNet summary — and, I bet, the expectations of many of you — is wrong. There is absolutely nothing preventing your “sensitive, personal information [from being] stored on a business’s own servers”.

Again, I can see how Stripe ended up here; CEO Patrick Collison said in the Stripe Sessions keynote (from the text summary):

Stripe’s mission is to grow the GDP of the Internet, but it’s also our strategy. We’re building economic infrastructure. The foundation is our global payments and treasury network, which allows businesses to accept and pay out money around the world, abstracting over all the regional differences that exist. On top of that, we’ve built a set of tools to simplify every aspect of running an Internet business — from incorporation all the way through to fraud, analytics, issuing cards, managing subscriptions, extending loans, and more.

Identity verification is just more infrastructure, right? And hey, Stripe already built the functionality for itself. I think, though, this roll-out is a missed opportunity to not just build infrastructure but also build trust: Stripe is making it trivial for anyone to collect identity data, but without any real guidelines as to how that identity data might be used, or abused. Again, the company didn’t have to worry about that with credit cards, thanks to PCI rules, but there are no PCI rules about identity information.

What would be more compelling to me would be an Identity product that sought to standardize the entire industry. First, Identity would have two models: one where the business requesting verification would never get customer information, simply a response of “verified/not verified”; this could be clearly communicated to consumers, in all likelihood making them more likely to be willing to submit to verification. This, though, means that Stripe needs to start thinking about itself as more of a consumer brand than it does currently.

Secondly, Stripe could build a specific set of policies around sharing identity information, in line with PCI policies around credit card information, with specific carve-outs for companies that are required to hold identity information for regulatory reasons. The company is becoming large enough and influential enough that this could become an industry standard, and, in conjunction with the company’s more visible brand (which is leveraged in areas like Checkout), could actually position Stripe to become the dominant player in the identity space.

The absence of this approach is why I nit-picked about the mix of justifications for Identity: an Amazon-style approach of making cost-centers external products is very compelling, but the moment any company breaks out of its core product it is worth a top-to-bottom reassessment of how it is thinking about its new market. Everything Stripe has done previously was, whether the company realized it or not, under the auspices of PCI — which drove the initial 2011 product — and the consumer protections that entailed; it makes sense for the company to eliminate more drudgery than payments, but to do so with maximum effectiveness means viewing new opportunities from the perspective of a massive company with huge influence and growing customer awareness, not simply a startup trying to make things easier for fellow startups.



Thanks for being a supporter, and have a great day!