Why companies that use Stripe still need PCI compliance
Stripe is an incredibly common tool for businesses of all sizes today, from one-person freelancers to large-scale, multinational corporations. Stripe takes care of one of the most complex and risky parts of doing business: processing payments.
But that leaves many businesses to wonder, “If I use Stripe, does that take away my need for PCI compliance?” After all, if Stripe is processing your customers’ payments, which takes the payment processing out of your hands, shouldn’t Stripe need PCI compliance instead of you?
It’s not quite that simple. Let’s take a closer look at Stripe and its PCI compliance, and how it affects your own compliance needs.
Is Stripe PCI compliant?
If you’re trusting Stripe with your customers’ payment data, you need to know that they have protocols and protections in place to keep it safe. For this reason, it’s important to know that Stripe does maintain up-to-date PCI compliance: Stripe is validated as a PCI DSS Level 1 service provider.
Because Stripe is a level 1 service provider, it means that they have gone through the strictest PCI compliance process required of service providers. Not only do they adhere to the 12 requirements of PCI DSS and all the sub-requirements within them, but they have been evaluated by an independent auditor to ensure that this is the case.
Does using Stripe eliminate my need for PCI compliance?
Here’s where it gets tricky: No, using Stripe does not mean that your business is already PCI compliant.
PCI DSS applies to everyone involved in collecting, processing, and storing payment data. This includes both you and Stripe - your customers’ security is a shared responsibility. Stripe may be processing the data, but your system is playing a role in this process too, so your system needs to be just as secure.
In fact, Stripe requires all its customers to validate their PCI compliance each year. So, in order to adhere to Stripe’s terms of service, your business needs to be PCI compliant.
Many companies choose to complete a self-assessment questionnaire (SAQ) or Report on Compliance (ROC) because they want to demonstrate to their customers and prospects that they take cardholder data security seriously. PCI compliance demonstrates a company’s security posture and helps a business obtain more deals, while instilling trust with customers.
How can I become PCI compliant while using Stripe?
Whether or not you’re already using Stripe to process payments for your business, becoming PCI compliant as quickly as possible will help you prevent a costly data breach, earn the trust of your customers and partners, and avoid potential problems like non-compliance fees or the inability to use Stripe. Follow these straightforward steps to become compliant.
1. Check where you stand
There are 12 requirements you need to meet for PCI compliance, along with sub-requirements within them. For many companies, the most time-consuming part of PCI compliance is digging into their system to see which of those requirements they already meet and which ones they need to work on.
You can skip that extra time with automated compliance software. This software scans your system in-depth and looks for the PCI compliance criteria. It then gives you a thorough report of which requirements you meet and which you don’t. Effectively, this gives you a streamlined to-do list to become PCI compliant.
2. Complete your remaining requirements
Now that you have a full list of the PCI compliance requirements you don’t yet meet, you can take care of them one by one. Depending on the security protocols you already have in place, this could be quick and simple or it could require substantial resources.
3. Complete your PCI compliance documentation
While you’re technically complying with PCI standards after you’ve finished that checklist and you meet all 12 requirements, you’ll need to validate your compliance for it to be recognized. Stripe requires this validation for all its customers.
Your documentation can vary. Any merchant that processes fewer than six million transactions per year will need three pieces of documentation:
- A Self-Assessment Questionnaire (SAQ)
- A passing vulnerability scan of your system from an Approved Scanning Vendor (ASV)
- An Attestation of Compliance (AOC)
Keep in mind that there are some variations. There are several different types of SAQs, and the one you need will depend on how you’ve integrated Stripe or how you’re processing payments. The vulnerability scan can vary too because it’s not required for all types of SAQs.
Note that the three documents above are for businesses with fewer than six million transactions per year. If your business performs more than six million annual transactions, you’ll need to take the added step of hiring a third-party PCI compliance auditor to do an on-site review of your system.
Get PCI compliant
As useful as Stripe is as a convenient, safe, and efficient way to process customer payments, it doesn’t give you a pass on PCI compliance. Follow the three steps above, starting with Vanta’s PCI compliance software, to bring your business into compliance and to protect the financial health of your company and your customers.
More about PCI
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants whose transactions do not require the physical presence of a credit card (such as eCommerce, mail order, or telephone purchases). This means that the Merchant has fully outsourced all cardholder data processing to PCI DSS-compliant third-party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s systems or premises.
A SAQ A-EP is similar to a SAQ A, but applies to Merchants whose systems do not receive cardholder data yet control how cardholder data is redirected to a PCI DSS-validated third-party payment processor.
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).