> we see that one of the main limits on Stripe's growth is the number of successful startups in the world. [...] If we can cheaply help increase that number, it makes a lot of business sense for us to do so.
This approach lends itself to spending on many cheap things which, e.g. in this case, might not even have quantifiable benefits.
I'll extend OP's curiosity and wonder how the team behind Stripe Press plans on measuring the success of their initiative, and what milestone hits/misses are needed to determine the success or failure state of the project.
---
Separately, my background includes vendor risk assessments. This is the kind of thing that makes me question long-term investment in a platform. It's admittedly a lower risk than many technical findings, but it's not something to discount when evaluating the use of a startup for critical infrastructure (payment). Knowing Stripe's size, the various risks that PCI participants have to account for (and that's just PCI DSS specifically), and the trouble many larger organizations and startups have in meeting those obligations also makes me that much more likely to strictly score Stripe on the next vendor risk assessment when I see spend of this sort on ancillary/non-critical measures.
I'm sharing how I think because I'd be surprised if others in my field didn't think the same way.
From one vendor assessor to another: that is an odd hill to die on in your report, and it’s indistinguishable to Stripe from the general preference in payments for established companies. I would like to see the risk model that measurably connects small marketing expenses to poor data handling.
On a similar note, I've seen one large client's PCI compliance team tell us that we couldn't use Stripe for their integration, primarily because it's seen as a payment processor for startups and not for the "enterprise." It didn't help that Stripe doesn't give out Merchant IDs. Additional risks have been that Stripe has made breaking changes without an API version update and the number of data issues/edge cases we've run into with automatic reconciliation reports.
Not much, but the assessors are human and often take into account subjective factors like that when making their determination. Or threaten to, which is as good as making it a part of their checklist. That’s here in Australia, anyway, about 5 years ago, nothing to do with Stripe, but they definitely cared about what our processor's reputation looked like.