Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). PCI compliance is a shared responsibility and applies to both Stripe and your business.
When accepting payments, you must do so in a PCI compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. To facilitate this, you can integrate using Checkout, Elements, or our mobile SDKs. These integrations collect payment information and transmit it directly to our servers. We strongly recommend that all users integrate with these methods.
However, some Stripe users may have integrations which require that they, or a third party, take on a greater degree of this shared responsibility. This is generally required if your servers directly handle card data and pass it to Stripe. If this applies to you, you'll need to provide Stripe with documentation describing the technical and compliance measures taken to protect the security of cardholders' data. This documentation must be provided each year.
To enable this functionality, please use this link to contact our support team and:
Our guide to PCI Compliance can help you choose the appropriate forms.
If you are working with a third-party platform which is requesting that you enable this feature on your Stripe account, please contact that platform to obtain the necessary documentation. If you are a Connect platform which requires this feature for connected merchants, you only need to enable it on the platform account.
If you require access to this feature solely for testing purposes, will use it entirely with Stripe's test mode, and cannot make use of Stripe's pre-tokenized cards, please contact our support team and we'll enable this feature for you—no documentation of compliance is required. However, in order to use this feature in live mode, you'll need to supply the appropriate compliance documentation as described above.