The Payment Security Stack: What 3,200 Websites Reveal About Payment Infrastructure
Payment processing is a $36 billion market growing at 34.5% annually. Stripe, PayPal, and Square collectively handle the majority of online transactions. But these platforms don't exist in isolation — every site that embeds stripe.js or loads paypalobjects.com also makes choices about its web server, DNS provider, mail infrastructure, and content quality.
We detected payment provider signatures across 3,224 websites in LLMSE's database and cross-referenced them with SEO, EEAT, WCAG accessibility, readability, server, DNS, and mail provider data. The goal: map the complete infrastructure profile of sites by payment provider choice.
The findings reveal three distinct ecosystems with almost no overlap. Your payment provider doesn't just process transactions — it predicts your entire technology stack.
The Data
LLMSE detects payment providers through HTML signatures — script imports, CDN references, and platform-specific class patterns. We identified 12 payment providers across 3,371 detections on 3,224 unique domains.
Payment Provider Market Share
| Rank | Provider | Domains | Share |
|---|---|---|---|
| 1 | Square | 1,593 | 49.4% |
| 2 | PayPal | 1,049 | 32.5% |
| 3 | Stripe | 585 | 18.1% |
| 4 | Apple Pay | 65 | 2.0% |
| 5 | Klarna | 26 | 0.8% |
| 6 | Google Pay | 21 | 0.7% |
| 7 | Razorpay | 20 | 0.6% |
| 8 | Adyen | 6 | 0.2% |
| 9 | Mollie | 5 | 0.2% |
| 10 | Braintree | 4 | 0.1% |
Square leads in our dataset at 49.4%, followed by PayPal at 32.5% and Stripe at 18.1%. The remaining providers collectively account for less than 5%.
Zero overlap. Not a single domain in our dataset uses more than one of the top three providers. These are completely separate ecosystems — sites choose Stripe or PayPal or Square, never a combination.
The Industry Split: Three Different Webs
The most striking finding isn't about payment processing — it's about what kind of websites choose each provider.
Stripe: The Developer Web
| Category | Domains | Share |
|---|---|---|
| Computer & Electronics | 148 | 25.3% |
| Gambling | 142 | 24.3% |
| Sports Betting | 111 | 19.0% |
| Business & Industry | 72 | 12.3% |
| Entertainment | 55 | 9.4% |
Stripe sites skew heavily toward technology (25.3%) and gambling (43.3% combined). The technology concentration reflects Stripe's developer-first API design — sites built by developers tend to choose developer-friendly tools.
PayPal: The Gambling Web
| Category | Domains | Share |
|---|---|---|
| Gambling | 378 | 36.0% |
| Casinos | 346 | 33.0% |
| Entertainment | 125 | 11.9% |
| Business & Industry | 111 | 10.6% |
| Computer & Electronics | 90 | 8.6% |
69% of PayPal-detected sites are gambling or casino websites. PayPal's long history in online payments — predating Stripe by over a decade — and its early adoption by iGaming operators makes it the dominant payment brand in regulated gambling.
Square: The Business Web
| Category | Domains | Share |
|---|---|---|
| Computer & Electronics | 503 | 31.6% |
| Business & Industry | 342 | 21.5% |
| Business Services | 145 | 9.1% |
| Arts & Entertainment | 118 | 7.4% |
| Entertainment | 110 | 6.9% |
Square has the most diverse category distribution and the lowest gambling concentration (8.4%). Its roots in point-of-sale hardware for small businesses translate into web presence: restaurants, retail shops, service providers, and local businesses with websites that happen to accept online payments.
SEO: PayPal Sites Win, Barely
We define "passing" as SEO grades A, B, or C. The web average pass rate is 1.9%.
| Provider | Graded | A | B | C | D | F | Pass Rate |
|---|---|---|---|---|---|---|---|
| PayPal | 609 | 3 | 5 | 36 | 26 | 539 | 7.2% |
| Stripe | 515 | 0 | 2 | 5 | 8 | 500 | 1.4% |
| Square | 1,292 | 0 | 3 | 15 | 52 | 1,222 | 1.4% |
| Web average | 885,800 | 453 | 3,735 | 13,491 | 35,323 | 832,798 | 1.9% |
PayPal sites pass SEO at 3.8x the rate of Stripe and Square sites, and 3.8x the web average. This seems counterintuitive for a provider dominated by gambling — but gambling operators invest heavily in SEO to capture high-value search traffic in a competitive market.
Stripe and Square sites both fall below the web average, suggesting that payment processing integration alone doesn't correlate with SEO investment.
EEAT: The Trust Gap
EEAT (Experience, Expertise, Authoritativeness, Trustworthiness) measures content credibility signals. For sites handling payments, trust should be foundational.
| Provider | Graded | A | B | C | D | F | Pass Rate (A+B+C) |
|---|---|---|---|---|---|---|---|
| PayPal | 470 | 1 | 7 | 383 | 71 | 8 | 83.2% |
| Square | 1,062 | 3 | 91 | 416 | 526 | 26 | 48.0% |
| Stripe | 401 | 3 | 16 | 63 | 316 | 3 | 20.4% |
| Web average | 694,862 | 25,810 | 143,802 | 167,142 | 322,201 | 35,907 | 48.4% |
PayPal sites have an 83.2% EEAT pass rate — 1.7x the web average and 4x Stripe's rate. Gambling operators, despite the industry's reputation, invest in trust signals: about pages, company information, licensing badges, and regulatory disclosures that score well on EEAT metrics.
Stripe sites score worst at 20.4%, less than half the web average. Many Stripe-integrated sites are developer tools, SaaS dashboards, or API-first products where content trust signals aren't the primary focus.
WCAG Accessibility: Small Samples, Big Gaps
Accessibility data is available for a smaller subset. The web average WCAG pass rate (A+B+C) is 52.6%.
| Provider | Graded | A+B+C (Pass) | D+F (Fail) | Pass Rate |
|---|---|---|---|---|
| Stripe | 30 | 20 | 10 | 66.7% |
| Square | 219 | 119 | 100 | 54.3% |
| PayPal | 209 | 20 | 189 | 9.6% |
| Web average | 143,551 | 75,520 | 68,031 | 52.6% |
PayPal sites have a 9.6% WCAG pass rate — 5.5x worse than the web average. The gambling sector's accessibility deficit, documented in our Gambling Industry Web Quality Report, drives this: casino and betting interfaces prioritize conversion over accessibility.
Stripe and Square sites meet or exceed the web average, though Stripe's sample (30 sites) is too small for strong conclusions.
Readability: Square Writes Clearest
Readability pass (A+B) means content at an 8th-grade level or below. The web average is 35.3%.
| Provider | Graded | A+B (Pass) | C | D+F (Fail) | Pass Rate |
|---|---|---|---|---|---|
| Square | 224 | 90 | 55 | 79 | 40.2% |
| Stripe | 34 | 8 | 8 | 18 | 23.5% |
| PayPal | 228 | 29 | 189 | 10 | 12.7% |
| Web average | 149,889 | 52,962 | 43,686 | 53,241 | 35.3% |
Square leads readability — consistent with its small-business audience that communicates in plain language. PayPal's 12.7% reflects the gambling sector's tendency toward dense terms and conditions, promotional copy, and regulatory language.
The Server Stack
Each payment provider's sites cluster around different server infrastructure:
| Server | Stripe | PayPal | Square |
|---|---|---|---|
| nginx | 252 (43.1%) | 396 (37.7%) | 271 (17.0%) |
| Cloudflare | 106 (18.1%) | 450 (42.9%) | 259 (16.3%) |
| Apache | 80 (13.7%) | 86 (8.2%) | 402 (25.2%) |
| LiteSpeed | 5 (0.9%) | 19 (1.8%) | 31 (1.9%) |
| Netlify | 13 (2.2%) | 5 (0.5%) | 26 (1.6%) |
Stripe sites run nginx (43.1%) — the developer's server of choice. PayPal sites run Cloudflare (42.9%) — the security-first option that gambling operators favor for DDoS protection. Square sites run Apache (25.2%) — the established server for traditional business hosting, with more balanced distribution across all three major servers.
DNS Infrastructure
| DNS Tier | Stripe | PayPal | Square |
|---|---|---|---|
| Enterprise (Cloudflare, AWS, Google, NS1, DNSMadeEasy) | 76.8% | 49.7% | 43.7% |
| Registrar (GoDaddy, Namecheap, OVH, IONOS) | 10.1% | 5.8% | 24.8% |
| Other | 12.9% | 44.4% | 31.3% |
Stripe sites have the highest enterprise DNS adoption at 76.8% — nearly 4 in 5 use Cloudflare, AWS Route 53, or DNSMadeEasy. This reflects the developer audience's preference for programmatic DNS management.
PayPal's "Other" category at 44.4% is dominated by RedirectDom (313 sites) — a domain redirect service. Many PayPal-detected domains are redirect or affiliate sites rather than primary storefronts.
Square sites use the most registrar-default DNS (24.8%), consistent with small businesses that register a domain and leave DNS settings at defaults.
Mail Security
| Mail Tier | Stripe | PayPal | Square |
|---|---|---|---|
| Enterprise Security (Proofpoint, Mimecast, Barracuda) | 0 | 4 | 21 |
| Business Standard (Google Workspace, Microsoft 365, Zoho) | 50 (54.9%) | 25 (25.3%) | 162 (45.0%) |
| Privacy-Focused (ProtonMail, Fastmail) | 7 (7.7%) | 5 (5.1%) | 9 (2.5%) |
| Budget/Hosting | 34 (37.4%) | 65 (65.7%) | 168 (46.7%) |
| Mail data coverage | 91 / 585 | 99 / 1,049 | 360 / 1,593 |
Square sites lead in enterprise mail security — 21 sites use Proofpoint, the highest of any provider. This makes sense: Square's traditional business customers are more likely to invest in email protection. Stripe's zero enterprise security providers contrasts with its 7.7% privacy-focused adoption (ProtonMail, Fastmail) — the developer mindset values privacy over enterprise compliance.
PayPal sites have the highest budget/hosting mail rate (65.7%), consistent with the redirect and affiliate site patterns in its portfolio.
The Language Surprise
| Language | Stripe | PayPal | Square |
|---|---|---|---|
| English | 362 (61.9%) | 275 (26.2%) | 1,047 (65.7%) |
| German | 11 (1.9%) | 413 (39.4%) | 77 (4.8%) |
| French | 18 (3.1%) | 109 (10.4%) | 94 (5.9%) |
PayPal's dominant language isn't English — it's German (39.4%). Germany's strong online gambling market, combined with PayPal's early European adoption, created a PayPal-centric ecosystem in German-language gambling. Only 26.2% of PayPal-detected sites are English-language.
Full-Stack Security: The 2% Club
We defined "full-stack security" as: Cloudflare server + enterprise DNS provider + business-grade or enterprise mail provider. How many payment-accepting sites achieve all three?
| Provider | Full Stack | Total | Rate |
|---|---|---|---|
| Square | 32 | 1,593 | 2.0% |
| Stripe | 12 | 585 | 2.0% |
| PayPal | 4 | 1,049 | 0.4% |
Only 2% of payment-accepting sites have enterprise-grade infrastructure across all three layers. PayPal sites fare worst at 0.4%, dragged down by the redirect/affiliate sites in its ecosystem.
What This Means
Payment provider detection acts as a surprisingly effective proxy for an entire site's technology and quality profile:
Stripe = developer-built, nginx-served, enterprise DNS, privacy-conscious mail, low EEAT but technically competent infrastructure. The engineering-first stack.
PayPal = gambling-dominated, Cloudflare-protected, redirect-heavy, German-language skew, highest EEAT but worst accessibility. The legacy payment brand with a specific industry niche.
Square = diversified business, Apache-served, registrar DNS, highest enterprise mail adoption, best readability. The small-business stack.
These aren't just payment choices. They're infrastructure identity markers. A site using Stripe is statistically likely to run nginx with Cloudflare DNS. A site using PayPal is statistically likely to be a German-language gambling site behind Cloudflare's CDN. A site using Square is statistically likely to be a local business running Apache with GoDaddy DNS.
For security professionals assessing risk, payment provider detection may be a more efficient initial signal than individual infrastructure audits. For platform teams at Stripe, PayPal, and Square, these quality profiles reflect directly on their brand — whether they realize it or not.
Methodology
All data from LLMSE's classification database as of March 2026 (1.5M classified URLs). Payment providers detected through HTML signature analysis (script imports, CDN references, platform-specific patterns). Quality grades (SEO, EEAT, WCAG, readability) from LLMSE's automated analysis pipeline. Server detection from HTTP response headers. DNS and mail providers from NS and MX record resolution. See LLMSE methodology for grading criteria.
Limitations: Payment detection requires client-side integration signatures (e.g., stripe.js). Server-side-only integrations (direct API calls without frontend scripts) are not detected. WCAG and readability samples are smaller than SEO and EEAT due to content requirements for analysis.
This analysis was conducted using LLMSE, which has classified over 1.5 million websites across SEO, EEAT, WCAG accessibility, readability, and GARM brand safety dimensions. All data reflects the database as of March 2026. To analyze your own site, visit llmse.ai/classify.