Enabling access to raw card data APIs

Anyone involved in the processing, transmission or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS). PCI compliance is a shared responsibility and applies to both Stripe and your business.

When accepting payments, you must do so in a PCI-compliant manner. The simplest way for you to be PCI compliant is to never see (or have access to) card data at all. To facilitate this, you can integrate using Checkout, Elements or our mobile SDKs. These integrations collect payment information and transmit it directly to our servers. We strongly recommend that all users integrate with these methods.

However, some Stripe users may have integrations which require that they, or a third party, take on a greater degree of this shared responsibility. This is generally required if your servers handle card data directly and then pass it on to Stripe. If this applies to you, you'll need to provide Stripe with documentation that describes the technical and compliance measures taken to protect the security of cardholders' data. This documentation must be provided each year.

To enable this functionality, please use this link to contact our support team and:

Our guide to PCI compliance can help you choose the appropriate forms.

If you are working with a third-party platform which is requesting that you enable this feature on your Stripe account, please contact the platform to obtain the necessary documentation. If you are a Connect platform which requires this feature for connected merchants, you only need to enable it on the platform account.

If you require access to this feature solely for testing purposes, will use it only in Stripe's test mode, and cannot make use of Stripe's pre-tokenised cards, please contact our support team and we'll enable this feature for you. No documentation of compliance is required in that case. However, in order to use this feature in live mode, you'll need to supply the appropriate compliance documentation as described above.