
Can you use Stripe for PCI DSS?

Friday, March 21st, 2025


Carlo D'Agnolo

Yes. Stripe is a PCI Level 1 Service Provider, but depending on your integration, your business is still responsible for ensuring its own compliance with the Payment Card Industry Data Security Standard (PCI DSS).

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect card information during and after a financial transaction. Compliance involves adhering to 12 requirements, ranging from installing and maintaining a secure network to implementing strong access control measures. Read our full guide here.

How to be compliant using Stripe

Stripe's products are designed to handle sensitive card data securely, thereby reducing the scope of your PCI DSS responsibilities:

  • Stripe Checkout and Elements: These tools use hosted payment fields, ensuring that sensitive payment information is transmitted directly to Stripe's PCI DSS–validated servers without touching your servers.
  • Mobile and Terminal SDKs: Stripe's SDKs for mobile and in-person payments also send sensitive information directly to Stripe, minimizing your PCI scope.
Stripe Integration | SAQ Required | Reason
Stripe Checkout (hosted payment page) | SAQ A | No cardholder data touches your server
Stripe Elements (embedded fields)* | SAQ A* | Elements securely transmit data to Stripe*
Stripe.js v2 with custom UI | SAQ A-EP* | Your frontend affects transaction security
Direct API (card data on your server) | SAQ D | You store, process and/or transmit card data

*You now also need to monitor script dependencies on payment pages; see below.

  • If you use Stripe Checkout (hosted payment page), you qualify for SAQ A.
  • If you use Stripe Elements (embedded fields that send data directly to Stripe), you qualify for SAQ A.
  • If you use Stripe’s Mobile or Terminal SDKs, payment data is securely processed by Stripe, keeping you in SAQ A.
  • If you collect and store cardholder data or use a direct API integration, you must complete SAQ D and implement full PCI controls.

If you qualify for SAQ A, your PCI DSS responsibilities are minimal because Stripe handles the sensitive card data.

If you require SAQ A-EP or SAQ D, you take on more responsibility for securing transactions.

If your business processes or stores cardholder data (SAQ D), you must:

  • Implement strong encryption for payment data.
  • Set up firewall and access control policies.
  • Conduct quarterly network scans with an Approved Scanning Vendor (ASV).
  • Complete a full PCI DSS audit if you’re a Level 1 merchant (6M+ transactions/year).

*Monitoring dependencies for SAQ A compliance

In its January 2025 update, the PCI Security Standards Council emphasized the importance of monitoring script dependencies, meaning both first-party and third-party scripts on websites. Under this update, merchants must ensure their sites are not susceptible to attacks originating from these scripts.
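To make the dependency-monitoring requirement concrete, here is an added example (not code from this post, from c/side's product, or from Stripe) of a small script inventory check for a payment page. It flags scripts loaded from origins outside an allowlist, inline scripts, and external scripts without a Subresource Integrity attribute. The allowlist, the sample page contents and the origin shop.example are constructed for the example; js.stripe.com is the real origin of Stripe.js, and the assumption that it is exempt from SRI pinning (because Stripe updates the library in place) is stated in the code.

```javascript
// Added example: a minimal script inventory audit for a payment page.
// Not from the original post or from Stripe; allowlist and sample data are constructed.

// Origins expected to serve scripts on the payment page (constructed allowlist).
// js.stripe.com is the real origin of Stripe.js; shop.example is a placeholder
// standing in for the merchant's own site.
const ALLOWED_ORIGINS = new Set(["https://js.stripe.com", "https://shop.example"]);

// Origins whose scripts may load without an integrity attribute. Assumption:
// Stripe.js is updated in place, so a pinned SRI hash would break it; every
// other external script is expected to carry SRI.
const SRI_EXEMPT_ORIGINS = new Set(["https://js.stripe.com"]);

// Audit a list of script descriptors ({ src, integrity }; an empty src means an
// inline script). Returns one finding per problem, or [] when the page is clean.
function auditScripts(scripts, pageOrigin, opts = {}) {
  const allowed = opts.allowedOrigins || ALLOWED_ORIGINS;
  const sriExempt = opts.sriExemptOrigins || SRI_EXEMPT_ORIGINS;
  const findings = [];

  for (const script of scripts) {
    if (!script.src) {
      // Inline scripts cannot be inventoried by URL or protected with SRI.
      findings.push({ type: "inline-script", src: "(inline)", origin: pageOrigin });
      continue;
    }
    let origin;
    try {
      // Relative URLs resolve against the page origin; scheme is part of the origin,
      // so an http:// load of an allowlisted host is still flagged.
      origin = new URL(script.src, pageOrigin).origin;
    } catch (e) {
      findings.push({ type: "unparseable-src", src: script.src, origin: null });
      continue;
    }
    if (!allowed.has(origin)) {
      findings.push({ type: "unexpected-origin", src: script.src, origin });
    } else if (!script.integrity && !sriExempt.has(origin)) {
      findings.push({ type: "missing-integrity", src: script.src, origin });
    }
  }
  return findings;
}

// Browser-side collector: turns document.scripts into the descriptor shape above.
// Only meaningful in a browser; shown to illustrate how the audit would be fed.
function collectScripts(doc) {
  return Array.from(doc.scripts).map((el) => ({
    src: el.getAttribute("src") || "",
    integrity: el.getAttribute("integrity") || "",
  }));
}

// Constructed sample: what a merchant's checkout page might contain.
const SAMPLE_PAGE_ORIGIN = "https://shop.example";
const SAMPLE_SCRIPTS = [
  { src: "https://js.stripe.com/v3/", integrity: "" },                 // expected, SRI-exempt
  { src: "/static/checkout.js", integrity: "sha384-PLACEHOLDERHASH" }, // first-party with SRI
  { src: "/static/analytics-loader.js", integrity: "" },              // first-party, no SRI
  { src: "https://cdn.tagvendor.example/tag.js", integrity: "" },     // third-party, not allowlisted
  { src: "", integrity: "" },                                          // inline script
];

// Run the audit over the constructed sample page.
function auditSamplePage() {
  return auditScripts(SAMPLE_SCRIPTS, SAMPLE_PAGE_ORIGIN);
}

for (const f of auditSamplePage()) {
  console.log(`${f.type}: ${f.src}`);
}
```

Running this against the sample page reports the first-party script without SRI, the non-allowlisted tag vendor, and the inline script, while the Stripe.js load and the SRI-protected checkout script pass. In practice the allowlist would be the merchant's authorized script inventory, and the audit would run on a schedule (or on every page load via collectScripts) so that a newly injected or changed script is detected rather than discovered after the fact.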

Please find Stripe’s documentation surrounding PCI DSS here.

Determine your PCI compliance level

Level | Criteria | Validation Requirement
Level 1 | Over 6 million transactions annually | Full onsite audit by a QSA + SAQ D
Level 2 | 1 to 6 million transactions annually | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 3 | 20,000 to 1 million online transactions annually | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 4 | Less than 20,000 online transactions OR up to 1 million total transactions | SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
  • Level 1 = Must do a ROC (Full PCI DSS Assessment with Full Report on Compliance by QSA)
  • Level 2 = Must do at least an SAQ with third-party QSA or ISA attestation
  • Level 3 = Must do SAQ
  • Level 4 = Optional

Identify your integration type and required documentation

Complete the appropriate SAQ

Once you've identified the correct SAQ based on your integration method, complete it thoroughly. Stripe provides a PCI wizard in your Dashboard to guide you through this process.

Submit your documentation

After completing the SAQ, submit it along with any required Attestation of Compliance (AOC) or Report on Compliance (ROC) to Stripe for review. Stripe's Dashboard allows you to upload these documents directly.

Maintain ongoing compliance

PCI compliance is not a one-time task but an ongoing process. Regularly monitor your systems, maintain secure coding practices, and stay updated with PCI DSS requirements to ensure continuous compliance.


More About Carlo D'Agnolo

I'm the Head of Marketing at c/side.