Since 2005, more than 10 billion consumer records have been compromised from more than 9,000 data breaches in the US. These are the latest numbers from the Privacy Rights Clearinghouse, which reports on data breaches and security breaches impacting consumers dating back to 2005. To improve the safety of consumer data and trust in the payment ecosystem, a minimum standard for data security was created. Visa, Mastercard, American Express, Discover, and JCB formed the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to administer and manage security standards for companies that handle credit card data.
The Payment Card Industry Data Security Standard (PCI DSS) is the global security standard for all entities that store, process, or transmit cardholder data and/or sensitive authentication data. PCI DSS sets a baseline level of protection for consumers and helps reduce fraud and data breaches across the entire payment ecosystem. It is applicable to all organizations that accept or process payment cards, and there are significant penalties, fines, and costs for organizations that do not meet these standards.
PCI DSS compliance involves three main components:
- Handling the entry of credit card data from customers; namely, that sensitive card details are collected and transmitted securely
- Storing data securely—which is outlined in the 12 security domains of the PCI standard—such as encryption, ongoing monitoring, and security testing of access to card data
- Validating annually that the required security controls are in place, which can include forms, questionnaires, external vulnerability scanning services, and third-party audits (see the step-by-step guide below for a table with the four levels of requirements)
All businesses that accept credit card payments must comply with PCI DSS, regardless of volume, geographic region, or integration method. By complying with this framework, businesses can:
- Build customer trust by ensuring their card data is secure
- Protect themselves from fraud and data breaches
- Avoid fines for PCI compliance violations
Disclaimer: This article should be used only for guidance purposes and should not be taken as definitive advice. We recommend consulting a Payment Card Industry Data Security Standard (PCI DSS) Qualified Security Assessor (QSA) for clarification.
How Stripe helps organizations achieve and maintain PCI compliance
If your business model requires you to handle card data, you might be required to meet each of the 300+ security controls in PCI DSS. There are more than 1,800 pages of official documentation, published by the PCI Security Standards Council, about PCI DSS, and more than 300 pages just to understand which form(s) to use when validating compliance.
Stripe can help significantly reduce the PCI burden for companies by providing a variety of tokenized integration methods (e.g., Checkout, Elements, mobile SDKs, Terminal SDKs), avoiding the need to directly handle sensitive credit card data.
- Stripe Checkout and Stripe Elements use a hosted payment field for handling all payment card data, so the cardholder enters all sensitive payment information in a payment field that originates directly from our PCI DSS–validated servers.
- Stripe mobile and Terminal SDKs also enable the cardholder to send sensitive payment information directly to our PCI DSS–validated servers.
For all our users, regardless of integration type, Stripe acts as a PCI advocate and can help in a few different ways.
- Our Stripe PCI wizard analyzes your integration method and advises you on how to reduce your compliance burden.
- We’ll notify you ahead of time if a growing transaction volume will require a change in how you validate compliance.
- For large or enterprise businesses that need to work with a PCI QSA because they store credit card data or have a more complex payment flow, there are more than 400 such QSA companies around the world. We can connect you with several auditors that deeply understand the different Stripe integration methods.
Step-by-step guide to PCI DSS compliance
1. Know your PCI level
The first step in achieving PCI compliance is knowing which requirements apply to your organization. There are four different PCI compliance levels, typically based on the volume of credit card transactions your business processes during a 12-month period.
Depending on your level, you will have different requirements, including regular vulnerability scans from an Approved Scanning Vendor (ASV). There are also additional requirements for service providers, which are business entities directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity (e.g., payment gateways, payment service providers, and independent sales organizations).
Compliance level
|
Applies to
|
Requirements
|
---|---|---|
Level 1
|
|
|
Level 2
|
|
|
Level 3
|
|
|
Level 4
|
|
|
2. Know your integration type and documentation requirements
Once you know your PCI level, the next step is to determine which PCI documents you need to complete to validate your compliance, based on the type of integration you use with Stripe, if you are a service provider, etc.
Level 1 users
Level 1 businesses are not eligible to use an SAQ to prove PCI compliance. They need to complete an ROC signed by a QSA to validate their PCI compliance annually.
Level 2–4 users
For Level 2–4 users, there are different SAQ types depending on your payment integration method. If you are unsure what SAQ type is right for you, the Stripe PCI wizard will automatically determine the type of documentation that is appropriate for your business.
Integration
|
Requirement
|
Recommendation
|
---|---|---|
Checkout or Elements
|
SAQ A |
Checkout and Stripe.js and Elements host all card data collection inputs within an iframe served from Stripe’s domain (not yours), so your customers’ card information never touches your servers.
|
Connect
|
SAQ A | If you exclusively collect card data through a Connect platform (for example, Squarespace), we can determine whether the platform provides the necessary PCI documentation. |
Mobile SDK
|
SAQ A |
Stripe’s mobile SDK development and change control complies with PCI DSS (requirements 6.3–6.5) and deploys through our PCI validated systems. When you only use UI components from our official SDKs for iOS or Android, or build a payment form with Elements in a WebView, card numbers pass directly from your customers to Stripe, so you have the lightest PCI compliance burden. If you do otherwise, such as writing your own code to handle card information, you might be responsible for additional PCI DSS requirements (6.3–6.5) and would be ineligible for an SAQ A. Talk to a PCI QSA to determine how to best validate your compliance according to the current guidance from the PCI Security Standards Council. If your application requires your customers to enter their information on their own devices, then you qualify for SAQ A. If your application accepts card information for multiple customers on your device (for example, a point-of-sale app), consult a PCI QSA to learn how to best validate your PCI compliance. |
Stripe.js v2
|
SAQ A-EP |
Using Stripe.js v2 to pass card data entered in a form hosted on your own site requires completing the SAQ A-EP annually to prove your business is PCI compliant. Alternatively, both Checkout and Elements allow you the flexibility and customizability of a self-hosted form, while also meeting PCI eligibility for the SAQ A. |
Terminal
|
SAQ C |
If you exclusively collect card data through Stripe Terminal, you can validate using SAQ C. If you integrate with Stripe using additional methods listed in this table, you must illustrate compliance for them separately as described. |
Dashboard
|
SAQ C-VT |
Manual card payments through the Dashboard are possible for exceptional circumstances only, not routine payment processing. Provide a suitable payment form or mobile application for your customers to enter their card information. We can’t verify that manually entered card information is secure outside of Stripe, so you must protect card data in accordance with PCI compliance requirements and complete the SAQ C-VT annually to prove your business is PCI compliant. |
Direct API
|
SAQ D |
When you pass card information directly to Stripe’s API, your integration is directly handling that data, and you’re required to annually prove your PCI compliance using the SAQ D—the most demanding of the SAQs. To reduce this burden:
In addition, Radar, our fraud prevention tool that includes risk evaluation and rules, is only available when using any of our methods for client-side tokenization. |
Service providers
If you are directly involved in the processing, storage, or transmission of cardholder data (CHD) and/or sensitive authentication data (SAD) on behalf of another entity (e.g., payment gateways, payment service providers, and independent sales organizations), you may be classified as a service provider. This means you will have additional requirements that you are required to validate.
3. Complete your assessment, and submit your SAQ documentation
Once you have identified which assessment you need to complete, the next step is to perform the assessment, complete the relevant SAQ or ROC documentation, and submit it to Stripe for review.
High-volume users will want to secure the services of a QSA who is registered to operate in regions where you are operating. The QSA will help review your systems against the PCI requirements and advise on remediation for any deficiencies. They will also produce and sign the appropriate documentation for you to then share with Stripe annually.
Level 3 and 4 users will likely need to complete the PCI DSS Self-Assessment Questionnaire that is appropriate for their line of business. More merchant resources are available for you through the PCI Security Standards Council. Stripe is also here to assist, as our customized wizard on your PCI Dashboard will ask a series of questions and generate required documentation for you. You can use the Stripe PCI Dashboard to upload any self-completed SAQ or ROC documentation.
4. Monitor and maintain
It’s important to note that PCI compliance is not a one-time event. It’s an annual process to ensure your business remains compliant even as data flows and customer touchpoints evolve.
PCI DSS sets important standards for handling and storing cardholder data, but it does not provide sufficient protection for every payment environment on its own. Instead, moving to a safer card acceptance method that uses tokenized data (such as Stripe Checkout, Elements, and mobile SDKs) is a much more effective way to protect your organization. This approach provides agile businesses a way to mitigate a potential data breach and avoid the time-consuming and costly historical approach to PCI validation.
As a company grows, so will the core business logic and processes, which means compliance requirements will evolve as well. An online business, for example, might decide to open physical stores, enter new markets, or launch a customer support center. If anything new involves payment card data, it’s a good idea to proactively check whether this has any impact on the chosen PCI validation method, and revalidate PCI compliance as necessary.
For more information about the complex world of PCI compliance, head to the PCI Security Standards Council website. If you only read this guide and a few other PCI docs, we recommend starting with these:
- Prioritized approach for PCI DSS
- SAQ instructions and guidelines
- FAQ about using SAQ eligibility criteria to determine on-site assessment requirements
- FAQ about obligations for businesses that develop apps for consumer devices that accept payment card data
How Stripe helps organizations maintain PCI compliance
Stripe, a PCI Level 1 service provider, is certified annually by an independent PCI Qualified Security Assessor against all PCI DSS requirements. This means that all of our products are secure by default, reducing your compliance requirements.
For all our users, regardless of integration type, Stripe acts as a PCI advocate and can help in a few different ways.
Support for our smaller businesses
Stripe significantly simplifies the PCI burden for our smaller users by offering a customized compliance journey, including prefilled SAQs and guided flows for some users leveraging more secure integration methods such as Checkout, Elements, mobile SDKs, and Terminal SDKs.
Customized Dashboard experience
Once you become a Stripe customer, we will analyze your transaction history and advise you on how to reduce your compliance burden through a customized Dashboard experience.
Support as your business grows
As your annual transaction volume increases, you might find that you change PCI levels within a year. Stripe supports you through these transitions by alerting you of new requirements as you approach your PCI renewal date.
More than one service provider
If your business uses more than one processor, your PCI compliance process can become confusing. Stripe makes it easy by supporting submission of AOCs from your providers to ease your path to compliance.