Skip to main content
Blog
Blog

Is Stripe PCI Compliant? What Merchants Still Need to Do

Stripe holds PCI Level 1 certification. Merchants remain responsible for payment page script monitoring under §6.4.3 and §11.6.1.

Mar 21, 2025 7 min read
Stripe PCI DSS compliance illustration

TL;DR: Stripe PCI DSS compliance

  • Stripe handles PCI DSS Level 1 compliance for the card processing itself, which is why merchants often say they are 'PCI compliant with Stripe.' That is half true.
  • Merchants still own PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 on their own site even when Stripe processes the card. These cover script inventory and payment-page tamper detection on your domain.
  • Stripe Elements minimizes but does not eliminate the merchant's scope. SAQ-A merchants using Stripe Elements still need to satisfy 6.4.3 and 11.6.1, and cside's free tier covers both.

Yes, Stripe holds PCI DSS Level 1 certification, the highest level available. That certification covers Stripe's infrastructure. It does not cover your website. If your payment page loads any script you control, analytics, live chat, consent management, A/B testing, two PCI DSS 4.0.1 requirements remain your responsibility that Stripe cannot satisfy on your behalf: §6.4.3 and §11.6.1.

What Stripe's PCI compliance actually covers

Stripe's Level 1 service provider status is verified annually by a Qualified Security Assessor (QSA) and listed on the Visa Global Registry of Service Providers. The certification confirms that Stripe's data centers, card processing systems, and internal infrastructure meet PCI DSS standards.

What this covers:

  • Transmission and storage of card data within Stripe's systems
  • Stripe Checkout and Elements iframes, which load from Stripe's PCI-certified domain
  • Stripe's mobile and Terminal SDKs

What this does not cover:

  • JavaScript running on your web pages in your customers' browsers
  • Analytics, chat, consent, or any other third-party script on pages that redirect to or load a payment form
  • Your HTTP security headers or cookie configurations

The boundary is Stripe's servers. Your payment page, the page that collects or redirects card data, runs in your customers' browsers, and that surface is yours.

How to be compliant using Stripe

Stripe's products are designed to handle sensitive card data securely, reducing the scope of your PCI DSS responsibilities:

  • Stripe Checkout and Elements: These tools use hosted payment fields, ensuring that sensitive payment information is transmitted directly to Stripe's PCI DSS-validated servers without touching your servers.
  • Mobile and Terminal SDKs: Stripe's SDKs for mobile and in-person payments also send sensitive information directly to Stripe, minimizing your PCI scope.
Stripe Integration SAQ Required Reason
Stripe Checkout (hosted payment page) SAQ A No cardholder data touches your server
Stripe Elements (embedded fields)* SAQ A* Elements securely transmits data to Stripe*
Stripe.js v2 with custom UI SAQ A-EP* Your frontend affects transaction security
Direct API (card data on your server) SAQ D You store, process and/or transmit card data

*You must now monitor dependencies on payment pages, more below.

  • If you use Stripe Checkout (hosted payment page), you qualify for SAQ A.
  • If you use Stripe Elements (embedded fields that send data directly to Stripe), you qualify for SAQ A.
  • If you use Stripe's Mobile or Terminal SDKs, payment data is securely processed by Stripe, keeping you in SAQ A.
  • If you collect and store cardholder data or use a direct API integration, you must complete SAQ D and implement full PCI controls.

If you qualify for SAQ A, your PCI DSS responsibilities are minimal because Stripe handles the sensitive card data.

If you require SAQ A-EP or SAQ D, you take on more responsibility for securing transactions.

Which PCI DSS requirements Stripe does not cover

PCI DSS 4.0.1 introduced two requirements targeting the browser layer, both mandatory since March 31, 2025:

Requirement 6.4.3, Script authorization on payment pages

You must maintain a documented inventory of every script authorized to run on your payment pages. For each script, you need a method to confirm its integrity, that the code has not been modified since you last reviewed it. This applies whether the script is yours or a third party's (analytics, support chat, A/B testing tools).

Requirement 11.6.1, HTTP header change detection

You must deploy a mechanism that detects unauthorized changes to HTTP security headers and cookie attributes on your payment pages and generates alerts.

Stripe has no visibility into these scripts or headers. Both requirements address what happens in your customers' browsers on your web page, a surface entirely outside Stripe's environment.

The PCI Security Standards Council's January 2025 update to SAQ A confirmed this: even merchants using fully hosted Stripe Checkout must satisfy §6.4.3 and §11.6.1 if their checkout flow passes through any page that loads external scripts. See our January 2025 SAQ A update breakdown for details.

For a full technical breakdown of what Stripe covers and what it does not for §6.4.3 and §11.6.1, see our post: Does Stripe make you PCI compliant for requirements 6.4.3 and 11.6.1?

Script monitoring for SAQ A compliance

As per the January 2025 update, the PCI Security Standards Council emphasized the importance of monitoring dependencies. This includes both first-party and third-party scripts on websites.

A client-side monitor satisfies §6.4.3 and §11.6.1 by running in your customers' browsers, inventorying every script on each payment page visit, and alerting when a script changes or a new one appears. cside monitors scripts and HTTP headers in real visitors' browsers, including conditional payloads that appear clean to scanners but activate in production traffic.

Please find Stripe's documentation surrounding PCI DSS here.

Related reading: our PCI DSS 6.4.3 and 11.6.1 compliance guide · Adyen's PCI DSS shared responsibilities

Determine your PCI compliance level

Level Criteria Validation Requirement
Level 1 Over 6 million transactions annually Full onsite audit by a QSA + SAQ D
Level 2 1 to 6 million transactions annually SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 3 20,000 to 1 million online transactions annually SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
Level 4 Less than 20,000 online transactions OR up to 1 million total transactions SAQ A, SAQ A-EP, or SAQ D + Attestation of Compliance (AOC)
  • Level 1 = Must complete a ROC (Full PCI DSS Assessment with Report on Compliance by QSA)
  • Level 2 = Must complete at least an SAQ with third-party QSA or ISA attestation
  • Level 3 = Must complete an SAQ
  • Level 4 = Optional

The PCI DSS Attestation of Compliance for Stripe merchants

The PCI DSS Attestation of Compliance (AoC) for a Stripe merchant is a document a QSA (or an authorised internal signer under SAQ) produces at the end of an assessment cycle, stating which SAQ level the merchant qualifies for and that all applicable controls are in place. For most e-commerce Stripe merchants that means an SAQ A (fully outsourced payment page) or SAQ A-EP (checkout hosted on the merchant's site) attestation.

The important operational point is that Stripe's AoC covers Stripe. It does not cover the merchant. Even when using Stripe Elements or Checkout, the merchant still holds an AoC obligation because the payment page runs on the merchant's domain and the merchant is responsible for scripts loaded on that page under 6.4.3 and 11.6.1. Enterprise procurement teams frequently ask for both AoCs during vendor onboarding.

cside supplies the evidence trail that supports the merchant's own SAQ A or SAQ A-EP AoC: continuous script inventory, integrity monitoring, and audit-ready 6.4.3 / 11.6.1 evidence that a QSA can pull without a scramble.

Identify your integration type and required documentation

Complete the appropriate SAQ Once you have identified the correct SAQ based on your integration method, complete it thoroughly. Stripe provides a PCI wizard in your Dashboard to guide you through this process.

Submit your documentation After completing the SAQ, submit it along with any required Attestation of Compliance (AOC) or Report on Compliance (ROC) to Stripe for review. Stripe's Dashboard allows you to upload these documents directly.

Maintain ongoing compliance PCI compliance requires continuous monitoring. Review your script inventory regularly, keep your SAQ current, and monitor payment page headers for unauthorized changes.

The same gap between processor certification and merchant obligation applies when using Adyen or PayPal and Braintree as your payment processor.

Simon Wijckmans
Founder & CEO

Founder and CEO of cside. Previously a product manager on Cloudflare Page Shield (now Cloudflare Client-Side Security). Co-chair of the W3C Anti-Fraud Community Group and a Forbes 30 Under 30 honoree. Building accessible security against client-side attacks, web security is not an enterprise-only problem.

FAQ

Frequently Asked Questions

No. Stripe's PCI Level 1 certification covers Stripe's infrastructure and hosted payment fields. Your obligations under PCI DSS 4.0.1, including script authorization on the payment page (§6.4.3) and HTTP header change detection (§11.6.1), remain your responsibility regardless of which payment processor you use.

Stripe Checkout and Stripe Elements reduce scope but do not exempt you from PCI DSS 4.0.1 sections 6.4.3 and 11.6.1. Anything on the payment page, your own scripts, analytics, A/B tests, still needs to be inventoried, authorized, and monitored for tampering.

Use Stripe Elements or Checkout, then layer a client-side monitor like cside on top to track every script and CSP header on the payment page. Together they cover the Stripe-hosted fields and your own page surface.

Requirement 6.4.3 mandates that merchants maintain an authorized inventory of all scripts on their payment pages and confirm each script's integrity. Requirement 11.6.1 requires a change-detection mechanism for HTTP security headers and cookie settings on payment pages. Both became mandatory for all merchants on March 31, 2025.

Yes. Stripe holds PCI DSS Level 1 certification, verified annually by a Qualified Security Assessor. This certifies Stripe's own infrastructure and data handling, it does not extend coverage to scripts running on your payment pages.

Yes. cside is AWS's preferred vendor for PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1, backed by a global partnership. Merchants adopting cside for browser-layer script monitoring can procure through the AWS Marketplace and align the deployment with their existing AWS security tooling and compliance workflows.

Monitor and Secure Your Third-Party Scripts

Gain full visibility and control over every script delivered to your users to enhance site security and performance.

Start free, or try Business with a 14-day trial.

cside dashboard interface showing script monitoring and security analytics
Related Articles
Book a demo