Critical actions to secure your Stripe and PayPal accounts

In this article:

• Overview
• 2-step verification (two-factor authentication [2FA]) in Stripe and PayPal
• Define roles for your team members in Stripe and PayPal
• Additional resources from Stripe and PayPal
• How to get in touch with Stripe and PayPal about security issues

Overview

This article describes actions to take directly in your Stripe and PayPal accounts; this is not about actions you need to take in your LGL account.

Stripe and PayPal are likely among the most sensitive services you are using as a nonprofit organization. Access to your Stripe and PayPal accounts need to be carefully guarded.

The single most important step to take is to enable and enforce 2-step verification (two-factor authentication [2FA]) in your Stripe and PayPal accounts. That added layer of security goes a long way toward reducing the risk of a phishing email or password-guessing scheme of working.

2-step verification (two-factor authentication [2FA]) in Stripe and PayPal

Two-step verification, or two-factor authentication, is a critical way to protect against unauthorized access because it requires a second method of authentication to log into an account. So, even in the horrible case that someone has gained access to your username and password, they would not be able to log in, because they would not be able to confirm on a second device or via a second method.

See this Stripe article on two-step authentication. Here is a key excerpt from the article:

“Stripe supports three primary methods of two-step authentication: 

• Text messaging (SMS) authentication
• Mobile apps authentication
• Hardware security keys

If you are the administrator of a Stripe merchant, you can require all team members to use two-step authentication on the Team settings page.”

And see this PayPal article on two-step verification. Here’s a key line from this article:

“You can set up 2-step verification using an authenticator app (like Google authenticator and Microsoft authenticator.)” 

Define roles for your team members in Stripe and PayPal

You may need to set up access to your Stripe account for some of your team members. When you do that be sure to give those additional users the lowest level of access they need to perform their tasks. If a user does not need to be able to generate new payments or manage payouts, then do not give them permission to perform those sensitive tasks.

• Stripe article about adding team members and setting roles
• PayPal article about adding team members and setting privilege levels for team members

Additional resources from Stripe and PayPal

• Stripe article on overall security 
• Stripe Payment Fraud Protection & Prevention How-to Guide
• PayPal article on overall security

How to get in touch with Stripe and PayPal about security issues

Stripe

Stripe support is best reached through the Dashboard in your Stripe account. If you are not able to log in (for example, if Stripe has shut down your access), the account owner can also regain access by submitting a request through Stripe’s account recovery form.

PayPal

You can contact PayPal about security issues here:

https://www.paypal.com/us/security