A guide to PCI compliance

The Payment Card Industry Data Security Standard (PCI DSS) sets the minimum standard for data security. Here’s a step-by-step guide to maintaining compliance and how Stripe can help.


Since 2005, more than 10 billion consumer records have been compromised from more than 9,000 data breaches in the US. These are the latest numbers from the Privacy Rights Clearinghouse, which reports on data breaches and security breaches impacting consumers dating back to 2005. To improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data.

The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem. It is applicable to all organizations that accept or process payment cards, and there are significant penalties, fines, and costs for organizations that do not meet these standards.

PCI DSS compliance involves three main components:

  1. Handling the entry of credit card data from customers; namely, that sensitive card details are collected and transmitted securely
  2. Storing data securely—which is outlined in the 12 security domains of the PCI standard—such as encryption, ongoing monitoring, and security testing of access to card data
  3. Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services, and third-party audits (see the step-by-step guide below for a table with the four levels of requirements)

All businesses that accept credit card payments must comply with PCI DSS, regardless of volume, geographic region, or integration method. By complying with this framework, businesses can:

  • Build customer trust by ensuring their card data is secure
  • Protect themselves from fraud and data breaches
  • Avoid fines for PCI compliance violations

Disclaimer: This article should be used only for guidance purposes and should not be taken as definitive advice. We recommend consulting a Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor (QSA) for clarification.

How Stripe helps organizations achieve and maintain PCI compliance

If your business model requires you to handle card data, you might be required to meet each of the 300+ security controls in PCI DSS. There are more than 1,800 pages of official documentation, published by the PCI Security Standards Council, about PCI DSS, and more than 300 pages just to understand which form(s) to use when validating compliance.

Stripe can help significantly reduce the PCI burden for companies by providing a variety of tokenized integration methods (e.g., Checkout, Elements, mobile SDKs, Terminal SDKs), avoiding the need to directly handle sensitive credit card data.

  • Stripe Checkout and Stripe Elements use a hosted payment field for handling all payment card data, so the cardholder enters all sensitive payment information in a payment field that originates directly from our PCI DSS–validated servers.
  • Stripe mobile and Terminal SDKs also enable the cardholder to send sensitive payment information directly to our PCI DSS–validated servers.

For all our users, regardless of integration type, Stripe acts as a PCI advocate and can help in a few different ways.

  • Our Stripe PCI wizard analyzes your integration method and advises you on how to reduce your compliance burden.
  • We’ll notify you ahead of time if a growing transaction volume will require a change in how you validate compliance.
  • For large or enterprise businesses that need to work with a PCI QSA because they store credit card data or have a more complex payment flow, there are more than 400 such QSA companies around the world. We can connect you with several auditors that deeply understand the different Stripe integration methods.

Step-by-step guide to PCI DSS compliance

1. Know your PCI level

The first step in achieving PCI compliance is knowing which requirements apply to your organization. There are four different PCI compliance levels, typically based on the volume of credit card transactions your business processes during a 12-month period.

Depending on your level, you will have different requirements, including regular vulnerability scans from an Approved Scanning Vendor (ASV). There are also additional requirements for service providers, which are business entities directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity (e.g., payment gateways, payment service providers, and independent sales organizations).

Level 1
Applies to:
  • Organizations that annually process more than 6 million transactions of Visa or Mastercard, or more than 2.5 million for American Express; or
  • Have experienced a data breach; or
  • Are deemed “Level 1” by any card association (Visa, Mastercard, etc.)
Requirements:
  • Attestation of Compliance (AOC) or annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)

Level 2
Applies to:
  • Organizations that process between 1–6 million transactions annually
Requirements:
  • Self-Assessment Questionnaire (SAQ), or Attestation of Compliance (AOC), or Report on Compliance (ROC)
  • SAQ A, SAQ A-EP, and SAQ D documentation must be signed by a PCI Qualified Security Assessor (QSA) or a PCI-Certified Internal Security Assessor (ISA).¹
  • Quarterly network scan by an Approved Scanning Vendor (ASV)

Level 3
Applies to:
  • Organizations that process between 20,000–1 million online transactions annually
  • Organizations that process fewer than 1 million total transactions annually
Requirements:
  • Level 3 and Level 4 users are automatically enrolled in our Risk Management Program, which provides a customized and simplified experience based on various factors, including integration type. This may include completing one or more PCI DSS Self-Assessment Questionnaires (SAQs).
  • Level 3 users must also complete quarterly network scans by an Approved Scanning Vendor (ASV).

Level 4
Applies to:
  • Organizations that process fewer than 20,000 online transactions annually; or
  • Organizations that process up to 1 million total transactions annually
Requirements:
  • Level 4 users must also complete quarterly network scans by an Approved Scanning Vendor (ASV).

¹ Level 2 merchants completing SAQ A, SAQ A-EP, or SAQ D must engage a QSA for compliance validation.

2. Know your integration type and documentation requirements

Once you know your PCI level, the next step is to determine which PCI documents you need to complete to validate your compliance, based on the type of integration you use with Stripe, if you are a service provider, etc.

Level 1 users

Level 1 businesses are not eligible to use an SAQ to prove PCI compliance. They need to complete an ROC signed by a QSA to validate their PCI compliance annually.

Level 2–4 users

For Level 2–4 users, there are different SAQ types depending on your payment integration method. If you are unsure what SAQ type is right for you, the Stripe PCI wizard will automatically determine the type of documentation that is appropriate for your business.

Checkout or Elements
Requirement: SAQ A
Recommendation: Checkout, Stripe.js, and Elements host all card data collection inputs within an iframe served from Stripe’s domain (not yours), so your customers’ card information never touches your servers.

Connect
Requirement: SAQ A
Recommendation: If you exclusively collect card data through a Connect platform (for example, Squarespace), we can determine whether the platform provides the necessary PCI documentation.

Mobile SDK
Requirement: SAQ A
Recommendation: Stripe’s mobile SDK development and change control complies with PCI DSS (requirements 6.3–6.5) and deploys through our PCI validated systems. When you only use UI components from our official SDKs for iOS or Android, or build a payment form with Elements in a WebView, card numbers pass directly from your customers to Stripe, so you have the lightest PCI compliance burden.

If you do otherwise, such as writing your own code to handle card information, you might be responsible for additional PCI DSS requirements (6.3–6.5) and would be ineligible for an SAQ A. Talk to a PCI QSA to determine how to best validate your compliance according to the current guidance from the PCI Security Standards Council.

If your application requires your customers to enter their information on their own devices, then you qualify for SAQ A. If your application accepts card information for multiple customers on your device (for example, a point-of-sale app), consult a PCI QSA to learn how to best validate your PCI compliance.

Stripe.js v2
Requirement: SAQ A-EP
Recommendation: Using Stripe.js v2 to pass card data entered in a form hosted on your own site requires completing the SAQ A-EP annually to prove your business is PCI compliant.

Alternatively, both Checkout and Elements allow you the flexibility and customizability of a self-hosted form, while also meeting PCI eligibility for the SAQ A.

Terminal
Requirement: SAQ C
Recommendation: If you exclusively collect card data through Stripe Terminal, you can validate using SAQ C.

If you integrate with Stripe using additional methods listed in this table, you must illustrate compliance for them separately as described.

Dashboard
Requirement: SAQ C-VT
Recommendation: Manual card payments through the Dashboard are possible for exceptional circumstances only, not routine payment processing. Provide a suitable payment form or mobile application for your customers to enter their card information.

We can’t verify that manually entered card information is secure outside of Stripe, so you must protect card data in accordance with PCI compliance requirements and complete the SAQ C-VT annually to prove your business is PCI compliant.

Direct API
Requirement: SAQ D
Recommendation: When you pass card information directly to Stripe’s API, your integration is directly handling that data, and you’re required to annually prove your PCI compliance using the SAQ D—the most demanding of the SAQs. To reduce this burden:

In addition, Radar, our fraud prevention tool that includes risk evaluation and rules, is only available when using any of our methods for client-side tokenization.
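The practical difference between the tokenized integrations and a direct API call is whether the card number ever reaches your server. As an added example (not Stripe's code), this JavaScript check scans an inbound request body for PAN-shaped values and sensitive-authentication-data field names, so you can confirm a tokenized integration keeps your servers out of SAQ D scope; the key names and sample payloads are constructed.

```javascript
// Added example, not Stripe's code: a defensive check that an inbound
// request body carries no primary account number (PAN) or sensitive
// authentication data (SAD), to confirm a tokenized integration keeps
// card data off your servers. Field names and sample values are constructed.

// Luhn check: real card numbers pass it, so 13-19 digit order ids or
// timestamps that fail it are not reported as false positives.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double && (d *= 2) > 9) d -= 9;
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Field names that carry SAD regardless of value (never storable after auth).
const SAD_KEYS = /^(cvc|cvv|cvv2|cid|pin|track[12]?)$/i;

// Walk any JSON-like value; report the JSON path of every PAN-shaped string
// (digits optionally separated by spaces or dashes) and every SAD field.
function findCardData(value, path = "$", hits = []) {
  if (typeof value === "string" || typeof value === "number") {
    const digits = String(value).replace(/[ -]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) {
      hits.push({ path, kind: "PAN" });
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findCardData(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (SAD_KEYS.test(k)) hits.push({ path: `${path}.${k}`, kind: "SAD" });
      else findCardData(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// True when the body can be accepted without pulling the server into SAQ D scope.
function isCardDataFree(body) {
  return findCardData(body).length === 0;
}

// Constructed sample bodies: a tokenized Elements-style request carrying only a
// payment-method id placeholder, versus a direct card submission.
const tokenizedBody = { amount: 2500, payment_method: "pm_EXAMPLE_PLACEHOLDER" };
const directApiBody = { amount: 2500, card: { number: "4242 4242 4242 4242", exp_month: 12, cvc: "123" } };
```

Running `findCardData` as request middleware and alerting on any hit gives you a continuous check that your SAQ A assumption still holds as the integration changes.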

Service providers

If you are directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity (e.g., payment gateways, payment service providers, and independent sales organizations), you may be classified as a service provider. This means you will have additional requirements that you are required to validate.

3. Complete your assessment, and submit your SAQ documentation

Once you have identified which assessment you need to complete, the next step is to perform the assessment, complete the relevant SAQ or ROC documentation, and submit it to Stripe for review.

High-volume users will want to secure the services of a QSA who is registered to operate in the regions where they do business. The QSA will help review your systems against the PCI requirements and advise on remediation for any deficiencies. They will also produce and sign the appropriate documentation for you to then share with Stripe annually.

Level 3 and 4 users will likely need to complete the PCI DSS Self-Assessment Questionnaire that is appropriate for their line of business. More merchant resources are available for you through the PCI Security Standards Council. Stripe is also here to assist, as our customized wizard on your PCI Dashboard will ask a series of questions and generate required documentation for you. You can use the Stripe PCI Dashboard to upload any self-completed SAQ or ROC documentation.

4. Monitor and maintain

It’s important to note that PCI compliance is not a one-time event. It’s an annual process to ensure your business remains compliant even as data flows and customer touchpoints evolve.

PCI DSS sets important standards for handling and storing cardholder data, but it does not provide sufficient protection for every payment environment on its own. Instead, moving to a safer card acceptance method that uses tokenized data (such as Stripe Checkout, Elements, and mobile SDKs) is a much more effective way to protect your organization. This approach provides agile businesses a way to mitigate a potential data breach and avoid the time-consuming and costly historical approach to PCI validation.

As a company grows, so will the core business logic and processes, which means compliance requirements will evolve as well. An online business, for example, might decide to open physical stores, enter new markets, or launch a customer support center. If anything new involves payment card data, it’s a good idea to proactively check whether this has any impact on the chosen PCI validation method, and revalidate PCI compliance as necessary.

For more information about the complex world of PCI compliance, head to the PCI Security Standards Council website. If you only read this guide and a few other PCI docs, we recommend starting with these:

How Stripe helps organizations maintain PCI compliance

Stripe, a PCI Level 1 service provider, is certified annually by an independent PCI Qualified Security Assessor against all PCI DSS requirements. This means that all of our products are secure by default, reducing your compliance requirements.

Support for our smaller businesses

Stripe significantly simplifies the PCI burden for our smaller users by offering a customized compliance journey, including prefilled SAQs and guided flows for some users leveraging more secure integration methods such as Checkout, Elements, mobile SDKs, and Terminal SDKs.

Customized Dashboard experience

Once you become a Stripe customer, we will analyze your transaction history and advise you on how to reduce your compliance burden through a customized Dashboard experience.

Support as your business grows

As your annual transaction volume increases, you might find that you change PCI levels within a year. Stripe supports you through these transitions by alerting you of new requirements as you approach your PCI renewal date.

More than one service provider

If your business uses more than one processor, your PCI compliance process can become confusing. Stripe makes it easy by supporting submission of AOCs from your providers to ease your path to compliance.

Ready to get started?

Create an account and start accepting payments—no contracts or banking details required. Or, contact us to design a custom package for your business.