Stripe is an incredibly common tool for businesses of all sizes today, from one-person freelancers to large-scale, multinational corporations. Stripe takes care of one of the most complex and risky parts of doing business: processing payments.
But that leaves many businesses to wonder, “If I use Stripe, does that take away my need for PCI compliance?” After all, if Stripe is processing your customers’ payments, which takes the payment processing out of your hands, shouldn’t Stripe need PCI compliance instead of you?
It’s not quite that simple. Let’s take a closer look at Stripe and its PCI compliance, and how it affects your own compliance needs.
Is Stripe PCI compliant?
If you’re trusting Stripe with your customers’ payment data, you need to know that it has the controls in place to keep that data safe. Stripe is validated as a PCI DSS Level 1 Service Provider, the highest and strictest level that applies to service providers.
Level 1 means Stripe does not merely claim to meet the 12 PCI DSS requirements and their sub-requirements; it is assessed annually by an independent Qualified Security Assessor (QSA), who produces a Report on Compliance confirming that it does. Keep in mind that this works in both directions: Stripe is a third-party service provider in your own assessment, and PCI DSS Requirement 12.8 expects you to track its compliance status, so keep a copy of Stripe’s Attestation of Compliance on file.
Does using Stripe eliminate my need for PCI compliance?
Here’s where it gets tricky: No, using Stripe does not mean that your business is already PCI compliant.
PCI DSS applies to every entity that stores, processes, or transmits cardholder data, and to any system that can affect the security of that data. That includes both you and Stripe: your customers’ security is a shared responsibility. Stripe protects the card data it receives, but the web page, mobile app, or checkout flow that hands that data to Stripe is yours. If it is compromised (a tampered script on your checkout page, for instance), card data can be skimmed before it ever reaches Stripe, so your side of the flow has to be just as secure.
In fact, Stripe requires all its customers to validate their PCI compliance each year. So, in order to adhere to Stripe’s terms of service, your business needs to be PCI compliant.
That validation takes the form of a Self-Assessment Questionnaire (SAQ) or, for larger merchants, a Report on Compliance (ROC). Beyond satisfying Stripe, many companies complete this documentation because it demonstrates to customers and prospects that they take cardholder data security seriously. PCI compliance evidences a company’s security posture, helps a business win more deals, and builds trust with customers.
How can I become PCI compliant while using Stripe?
Whether or not you’re already using Stripe to process payments for your business, becoming PCI compliant as quickly as possible will help you prevent a costly data breach, earn the trust of your customers and partners, and avoid potential problems like non-compliance fees or the inability to use Stripe. Follow these straightforward steps to become compliant.
1. Check where you stand
There are 12 requirements you need to meet for PCI compliance, each with sub-requirements. For many companies, the most time-consuming part of PCI compliance is digging into their systems to see which of those requirements they already meet and which ones they still need to work on.
You can shorten that work with automated compliance software. It connects to your infrastructure and monitors the technical controls it can observe (cloud configuration, access controls, logging, vulnerability findings) and maps them to the PCI DSS criteria, then reports which requirements you meet and which you don’t. Effectively, this gives you a streamlined to-do list. Bear in mind that policy and process requirements still need written policies and evidence that no scanner can produce for you.
2. Complete your remaining requirements
Now that you have a full list of the PCI compliance requirements you don’t yet meet, you can take care of them one by one. This could be a process that requires a lot of resources or it could be quick and simple depending on the security protocols you already have in place.
3. Complete your PCI compliance documentation
While you’re technically complying with PCI standards after you’ve finished that checklist and you meet all 12 requirements, you’ll need to validate your compliance for it to be recognized. Stripe requires this validation for all its customers.
Your documentation can vary. Any merchant that processes fewer than six million card transactions per year will need three pieces of documentation:
- A Self-Assessment Questionnaire (SAQ)
- A passing quarterly external vulnerability scan of your internet-facing systems from an Approved Scanning Vendor (ASV)
- An Attestation of Compliance (AOC)
Keep in mind that there are some variations. There are several different types of SAQ, and the one you need depends on how card data flows through your integration. With a fully outsourced integration such as Stripe Checkout or Stripe Elements, where the card fields are served by Stripe and your servers only ever handle a token or PaymentMethod ID, merchants typically qualify for the short SAQ A. If your own page or JavaScript controls the payment form and could affect the card data before it is sent to Stripe, you fall into SAQ A-EP, which is much longer and includes the ASV scan. If raw card numbers reach your servers at all, you are looking at the full SAQ D. Not every SAQ type calls for the vulnerability scan, and the PCI SSC adjusts what each SAQ includes between versions, so check the current edition of the SAQ you are completing. Keeping card data out of your environment reduces both your scope and your paperwork.
Note that the three documents above are for businesses with fewer than six million transactions per year. If your business processes more than six million annual transactions (a Level 1 merchant), a self-assessment is not enough: you’ll need to engage a Qualified Security Assessor (QSA) to perform an on-site assessment and produce a Report on Compliance (ROC), alongside the ASV scans and AOC. Your acquiring bank assigns your merchant level and can require a ROC regardless of volume, so confirm your level with them rather than assuming it from transaction counts alone.
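Which SAQ you qualify for hinges on whether primary account numbers (PANs) can ever reach your own systems. The following Python is an added example, not code from this page or from Stripe: a server-side scope guard that refuses any request whose body carries a Luhn-valid card number, so a misconfigured or tampered client cannot quietly pull your backend into SAQ D scope, plus a masking helper for the rare place a PAN must be displayed. The function names, the two constructed request bodies, and the use of 4242 4242 4242 4242 (Stripe’s published test card number) are assumptions for illustration.

```python
import re

# A PAN candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Real card numbers pass; most order IDs,
    timestamps and other long digit strings do not, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, as plain digit strings."""
    pans = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def scope_guard(request_body: str) -> dict:
    """Reject an inbound request if its body carries cardholder data.

    With a tokenized integration (Stripe Checkout or Elements) the browser sends
    card details to Stripe directly and this server only ever sees a token or a
    PaymentMethod id. A PAN arriving here is a scoping failure, so the guard
    refuses the request before the body can be logged or stored.
    """
    pans = find_pans(request_body)
    if pans:
        return {"accepted": False, "pan_count": len(pans),
                "reason": "cardholder data must not reach this server"}
    return {"accepted": True, "pan_count": 0, "reason": ""}


def mask_pan(digits: str) -> str:
    """Truncate to the first six and last four digits, the classic PCI DSS
    display format, for the rare place a PAN must be shown to a human."""
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# Constructed sample request bodies (not real traffic). The order id in the first
# one is 16 digits long but fails the Luhn check, so it is not mistaken for a PAN.
TOKENIZED_BODY = ('{"payment_method": "pm_1AbcDefGhijKlmn", "amount": 1999, '
                  '"order": "1234567890123456"}')
RAW_CARD_BODY = '{"card": {"number": "4242 4242 4242 4242", "exp": "12/30", "cvc": "123"}}'

if __name__ == "__main__":
    print(scope_guard(TOKENIZED_BODY))   # accepted: only a token and an order id
    print(scope_guard(RAW_CARD_BODY))    # rejected: a PAN reached the server
    print(mask_pan("4242424242424242"))  # 424242******4242
```

The same `find_pans` check is worth running over your application logs and error reports: a PAN that slipped into a stack trace puts the logging pipeline in scope just as surely as one posted to an API endpoint.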
Get PCI Compliant
As useful as Stripe is as a convenient, safe, and efficient way to process customer payments, it doesn’t give you a pass on PCI compliance. Follow the three steps above, starting with Vanta’s PCI compliance software, to bring your business into compliance and to protect the financial health of your company and your customers.