Why companies that use Stripe still need PCI compliance



Stripe is an incredibly common tool for businesses of all sizes today, from one-person freelancers to large-scale, multinational corporations. Stripe takes care of one of the most complex and risky parts of doing business: processing payments.

But that leaves many businesses to wonder, “If I use Stripe, does that take away my need for PCI compliance?” After all, if Stripe is processing your customers’ payments, which takes the payment processing out of your hands, shouldn’t Stripe need PCI compliance instead of you?

It’s not quite that simple. Let’s take a closer look at Stripe and its PCI compliance, and how it affects your own compliance needs.

Is Stripe PCI compliant?

If you’re trusting Stripe with your customers’ payment data, you need to know that they have protocols and protections in place to keep it safe. For this reason, it’s important to know that Stripe maintains up-to-date PCI compliance: Stripe is a validated Level 1 service provider.

As a Level 1 service provider, Stripe has gone through the strictest PCI compliance process required of service providers. Not only does Stripe adhere to the 12 requirements of PCI DSS and all the sub-requirements within them, but an independent auditor has evaluated Stripe to confirm that this is the case.

Does using Stripe eliminate my need for PCI compliance?

Here’s where it gets tricky: No, using Stripe does not mean that your business is already PCI compliant.

PCI DSS applies to everyone involved in collecting, processing, and storing payment data. This includes both you and Stripe: your customers’ security is a shared responsibility. Stripe may be processing the data, but your system plays a role in that process too (it collects the card details, or serves the page that does), so your system needs to be just as secure.

In fact, Stripe requires all its customers to validate their PCI compliance each year. So, in order to adhere to Stripe’s terms of service, your business needs to be PCI compliant.

Many companies choose to complete a self-assessment questionnaire (SAQ) or Report on Compliance (ROC) because they want to demonstrate to their customers and prospects that they take cardholder data security seriously. PCI compliance demonstrates a company’s security posture and helps a business obtain more deals, while instilling trust with customers.


How can I become PCI compliant while using Stripe?

Whether or not you’re already using Stripe to process payments for your business, becoming PCI compliant as quickly as possible will help you prevent a costly data breach, earn the trust of your customers and partners, and avoid potential problems like non-compliance fees or the inability to use Stripe. Follow these straightforward steps to become compliant.

1. Check where you stand

There are 12 requirements you need to meet for PCI compliance, along with sub-requirements within them. For many companies, the most time-consuming part of PCI compliance is digging into their system to see which of those requirements they already meet and which ones they need to work on.

You can skip that extra time with automated compliance software. This software scans your system in-depth and looks for the PCI compliance criteria. It then gives you a thorough report of which requirements you meet and which you don’t. Effectively, this gives you a streamlined to-do list to become PCI compliant.

2. Complete your remaining requirements

Now that you have a full list of the PCI compliance requirements you don’t yet meet, you can take care of them one by one. This could be a process that requires a lot of resources or it could be quick and simple depending on the security protocols you already have in place.

3. Complete your PCI compliance documentation

While you’re technically complying with PCI standards after you’ve finished that checklist and you meet all 12 requirements, you’ll need to validate your compliance for it to be recognized. Stripe requires this validation for all its customers.

Your documentation can vary. Any merchant that processes fewer than six million transactions per year will need three pieces of documentation:

Keep in mind that there are some variations. There are several different types of SAQs, and the one you need will depend on how you’ve integrated Stripe and how you’re processing payments. The vulnerability scan can vary too, because it’s not required for all types of SAQs.

Note that the three documents above are for businesses with fewer than six million transactions per year. If your business performs more than six million annual transactions, you’ll need to take the added step of hiring a third-party PCI compliance auditor to conduct an on-site review of your system.

Get PCI compliant

As useful as Stripe is as a convenient, safe, and efficient way to process customer payments, it doesn’t give you a pass on PCI compliance. Follow the three steps above, starting with Vanta’s PCI compliance software, to bring your business into compliance and to protect the financial health of your company and your customers.

