Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). PCI compliance is a shared responsibility and applies to both Stripe and your business.

When accepting payments, you must do so in a PCI compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. To facilitate this, you can integrate using Checkout, Elements, or our mobile SDKs. These integrations collect payment information and transmit it directly to our servers. We strongly recommend that all users integrate with these methods.

However, some Stripe users may have integrations which require that they, or a third party, take on a greater degree of this shared responsibility. This is generally required if your servers directly handle card data and pass it to Stripe. If this applies to you, you'll need to provide Stripe with documentation describing the technical and compliance measures taken to protect the security of cardholders' data. This documentation must be provided each year.

To enable this functionality, please use this link to contact our support team and:

• Provide a brief written description of the systems and services in your application which handle card data. If you fully outsource this activity to a PCI DSS compliant third party, please provide the name of that service provider.
• Attach one of the following documents:
  • A current, complete PCI DSS Self-assessment Questionnaire (SAQ) D, or
  • If you meet the qualifications of a Level 1 Merchant or Service Provider, a current PCI DSS Attestation of Compliance for Onsite Assessment, or
  • If you fully outsource the handling of card data to a PCI DSS compliant third party service provider, only accept online or mail order/telephone order (MOTO) payments, and otherwise qualify, a Self-Assessment Questionnaire (SAQ) A. This document must list your entity's information and list the third-party service provider in Part 2f.

Our guide to PCI Compliance can help you choose the appropriate forms.

If you are working with a third-party platform which is requesting that you enable this feature on your Stripe account, please contact that platform to obtain the necessary documentation. If you are a Connect platform which requires this feature for connected merchants, you only need to enable it on the platform account.

If you require access to this feature solely for testing purposes, will use it entirely with Stripe's test mode, and cannot make use of Stripe's pre-tokenized cards, please contact our support team and we'll enable this feature for you—no documentation of compliance is required. However, in order to use this feature in live mode, you'll need to supply the appropriate compliance documentation as described above.