Verifying and validating requirements
To be eligible for the simplest form of PCI validation, SAQ A, only collect card information using Checkout, Elements, or our mobile SDKs.
You can also make use of a third-party integration, such as an invoicing service or online marketplace, to ensure that you’re processing charges in a secure manner.
You are then responsible for ensuring the protection of card data in accordance with the PCI compliance requirements.
Stripe has been audited by an independent PCI Qualified Security Assessor (QSA) and is certified as a PCI Level 1 Service Provider.
If you only use our mobile SDKs or an Elements-based Web View, you can inform your PCI auditor that card numbers pass directly from your customers to Stripe.
Should you do otherwise, such as writing your own code to send card information to the Stripe API, you may be responsible for additional PCI DSS requirements (6.3 - 6.5) and not be eligible for an SAQ A.
These require that businesses use input fields hosted by a payments provider in order to be eligible for the simplest PCI validation method.
We’ve designed both Checkout and Elements with these changes in mind so that you can continue to validate using SAQ A without losing much of the flexibility and customizability of a form hosted on your website.