Re: Tarsnap died

[Norman Gray <gray@nxg.name>]

Greetings

[trimming the CCs...]

This thread popped back into my head today, when I received a regular reminder from another service I use, that it was about to renew.  The alignment of emails prompts me to offer the observations below as points of information, rather than necessarily advocating for anything in particular

Short version: payment processing companies exist, and seem to do a respectable job, in various senses.

I'm another person who thinks tarsnap's payment model is cute (and long may it continue), but who would be more comfortable with a more conventional one, as an option.

An email just appeared in my inbox saying

> Your subscription will renew soon This is a friendly reminder that your XXX subscription for XXX will automatically renew on March 15, 2024. Your payment method on file will be charged at that time. If your billing information has changed, you can update your payment details (https://XXX) now. Or if you would like to cancel, please visit our
> website. Questions? Contact us at XXX@XXX.
>
> Powered by    stripe logo  (https://stripe.com)  |   Learn more about Stripe Billing (https://stripe.com/billing)

That ticks a lot of boxes for me.  It reminds me that Subscription X is ongoing, it reassures me that I've got nothing to do, and it's clear what to do if I decide to discontinue the service.  Good work, Subscription X -- keep it up!

If I click on the 'learn more about Stripe Billing' link, I can find more about compliance stuff, which includes documentation addressed to the service owner [1] saying 'Checkout and Stripe.js and Elements host all card data collection inputs within an iframe served from Stripe’s domain (not yours) so your customers’ card information never touches your servers.'  And lots more, more than I have the patience to read.  That is, the nice people at Subscription X (probably) _don't_ have my card details stored locally.  However I'm fairly confident that Subscription X (which includes being somewhat privacy-focused amongst its declared goals) really _has_ read all that documentation.

Personally, I find this _more_ reassuring than if Subscription X were managing this stuff themselves.  And more reassuring than if they were doing something Imaginative and Creative about billing.  'Imaginative', 'creative' and 'billing' are not words that go well together in a sentence!

Of course, there's the matter of trust.

I don't trust Stripe to be nice people, in a 'would I lend them money' sense.  I've no reason to believe they're not sunlight-and-kittens (though... financial organisation... the priors aren't good), but that trust isn't part of the transaction.  I do, however, trust them to look after my card details reasonably well, because doing so is the entire point of their business, and if they were to visibly screw up here, it could be devastating for them.  That's a very concrete incentive.

There's more I could say here, but: for billing I want boring.

Best wishes,

Norman


[1] https://docs.stripe.com/security/guide#validating-pci-compliance


-- 
Norman Gray  :  https://nxg.me.uk