When accepting payments, you must do so in a PCI compliant manner.
The simplest way for you to be PCI compliant is to never see (or have access to) card data at all.
If you’re not sure how to prove that your business is PCI compliant (e.g., your integration was built by a third-party), Stripe determines what documentation might be required based on how you’re processing payments and provides this information in your account’s compliance settings.
If you have developed your own integration and use either Checkout or Elements to collect card details from customers, you are eligible for the simplest method of PCI validation: SAQ A.
You can refer to our Elements migration guide to learn how to migrate your checkout flow to Elements.
As such, we advise our users to rely on our official SDKs for iOS or Android, or to build a payment form with Elements in a WebView, to be eligible for the simplest form of PCI validation: SAQ A.
You are then responsible for ensuring the protection of card data in accordance with the PCI compliance requirements.
You’ll be required to upload your SAQ C-VT annually to prove your business is PCI compliant.
If you only use our mobile SDKs or an Elements-based WebView, you can inform your PCI auditor that card numbers pass directly from your customers to Stripe.
Should you do otherwise, such as writing your own code to send card information to the Stripe API, you may be responsible for additional PCI DSS requirements (6.3 - 6.5) and not be eligible for an SAQ A.
Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standards (PCI DSS).