# PCI FAQ

### Is Stripe PCI compliant? Can I see Stripe's documentation?
Yes. Stripe is PCI Level 1. Verify at [Visa's registry](https://www.visa.com/splisting/searchGrsp.do?companyNameCriteria=stripe) and download the AoC from your dashboard.
### I use a third-party plugin — do I still need to complete PCI documentation?
Yes. PCI compliance applies to your Stripe account regardless of the platform or plugin you use. Your dashboard will show your specific requirements based on how card data flows through your integration.
### Why do I have to fill out SAQ D?
This is most likely because your integration passes raw card numbers through your own code before they reach Stripe. Your server environment is therefore in PCI scope. To reduce this to SAQ A, migrate to Stripe Elements, Checkout, or a mobile SDK.
### Does Stripe have a Responsibility Matrix?
Yes. Download it from [the Dashboard](https://dashboard.stripe.com/settings/compliance/documents). It maps every PCI requirement to whether Stripe, you, or both are responsible — and it varies by integration type.
### Does Stripe provide ASV scanning?
No. If you need ASV scans, engage a [PCI-approved vendor](https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors). You keep the results yourself — they don't need to be submitted to Stripe unless requested.
### Should I expect my PCI level to change? How often does this happen?
Your PCI level is determined by your card transaction volume, based on the last 365 rolling days. Stripe blends card-brand requirements. If a merchant is Level 2 for one brand, they must meet Level 2 requirements for all, regardless of individual transaction counts.
### What happens when my compliance level changes?
When your level changes to a level you have not been prior, you will be provided with a 365-day grace period to get to know your new level and complete your new documentation.
### What are the common terms used in PCI compliance?
- Term
- Meaning
---
- PCI DSS
- Payment Card Industry Data Security Standard
---
- PAN
- Primary Account Number (the full card number)
---
- SAQ
- Self-Assessment Questionnaire
---
- AoC
- Attestation of Compliance
---
- RoC
- Report on Compliance (full audit report for Level 1)
---
- QSA
- Qualified Security Assessor — a PCI-certified third-party auditor
---
- ISA
- Internal Security Assessor — a PCI-certified in-house auditor (Level 2)
---
- ASV
- Approved Scanning Vendor — performs quarterly vulnerability scans
---
- CDE
- Cardholder Data Environment — all systems that touch card data
---
- Tokenization
- Replacing a card number with a non-sensitive token