The PCI requirements that apply to a merchant depend on the number of transactions – online and in-person – that they process annually per card brand. If the organisation process more than 6 million transactions of Visa or Mastercard, or more than 2.5 million transactions of Amex, or are otherwise deemed to be “Level 1” by any of the card networks, they will need to go through a more detailed PCI compliance process.
Stripe will notify you ahead of the 6 million Level 1 threshold so you have time to prepare for validating to the full PCI DSS. For Level 1 merchants, we also provide a PCI-packet that can generally help reduce PCI validation time from months to days. If you need to work with a PCI Qualified Security Assessor (QSA), we can also connect you with auditors who are familiar with Stripe’s integration methods.
You can find more information on the level definitions in our Guide to PCI Compliance.