Does PCI DSS apply to my app if I use Stripe?

Yes, but with greatly reduced scope. Using Stripe, Braintree, or similar tokenized payment providers means your app never touches raw card numbers - Stripe handles that. You're still subject to PCI DSS, but at the lowest compliance burden (typically SAQ A or SAQ A-EP). You need to confirm your integration doesn't inadvertently expose card data, maintain secure HTTPS connections, and complete the appropriate Self-Assessment Questionnaire annually.

What are the PCI DSS compliance levels?

Level 1: 6+ million transactions/year - requires annual on-site audit by a QSA (Qualified Security Assessor) and quarterly network scans. Level 2: 1-6 million transactions/year - annual SAQ and quarterly network scans. Level 3: 20,000-1 million e-commerce transactions/year - annual SAQ and quarterly scans. Level 4: fewer than 20,000 e-commerce or up to 1 million other transactions/year - annual SAQ and quarterly scans. Most startups and mid-size businesses fall in Level 3 or 4.

How much does PCI DSS compliance cost?

For apps using tokenized payment providers (Stripe, Braintree), PCI compliance adds $5K-$15K to the build. For apps that handle raw card data directly, expect $50K-$200K+ for the full set of security controls, network segmentation, and ongoing monitoring. Level 1 merchants also need annual on-site audits ($30K-$100K+). The cost difference makes tokenization the obvious choice for most businesses.

What happens if I'm not PCI DSS compliant?

Payment processors can fine you $5,000-$100,000 per month of non-compliance. After a data breach, you'll face forensic investigation costs ($20K-$100K+), notification costs, potential lawsuits, and brand damage. In the worst case, your acquiring bank terminates your merchant account - meaning you can't accept card payments at all. Payment brands can also place you on the MATCH list (Member Alert to Control High-Risk Merchants), which makes it extremely difficult to get a new merchant account.

What changed in PCI DSS v4.0?

PCI DSS v4.0 became mandatory in March 2025 (replacing v3.2.1). Key changes: stronger multi-factor authentication requirements (MFA for all access to cardholder data, not just remote access), expanded encryption requirements, new e-commerce anti-skimming protections (monitoring payment page scripts), targeted risk analysis for certain controls, and a shift toward continuous compliance monitoring rather than point-in-time assessments. The standard also allows 'customized approach' implementations alongside the traditional 'defined approach.'

Industry Playbooks

PCI DSS Compliance: Payment Security Laws for App Builders

By Riya ThambirajFebruary 26, 202611 min read

What Matters

-PCI DSS applies to every business that touches credit card data - it's enforced by payment processors, not government regulators
-Non-compliance can cost $5,000-$100,000/month in fines and you can lose the ability to process card payments entirely
-The smartest compliance strategy is reducing your PCI scope - use Stripe, Braintree, or similar tokenization to avoid handling raw card data
-PCI DSS v4.0 became mandatory in March 2025 with stronger authentication, encryption, and continuous monitoring requirements
-Your compliance level (1-4) depends on transaction volume - most small-to-mid businesses fall in Level 3 or 4 with simpler requirements

In 2024, a mid-size e-commerce company discovered that a JavaScript skimmer had been injecting malicious code into their checkout page for three months. The skimmer captured credit card numbers as customers typed them and sent the data to an attacker-controlled server. Over 50,000 cards were compromised.

The forensic investigation cost $85,000. The fines from payment processors topped $200,000. And the company lost its ability to process cards for 6 weeks while it rebuilt its payment infrastructure from scratch.

The root cause? They'd integrated a payment form directly into their page instead of using an iframe-based tokenization approach. Their checkout page had access to raw card numbers - and so did every third-party script running on that page.

PCI DSS exists to prevent exactly this scenario. And if your app touches payment card data in any way, it applies to you.

TL;DR

PCI DSS applies to every business that stores, processes, or transmits credit card data. It's not a law - it's a contractual requirement enforced by Visa, Mastercard, and payment processors, with fines of $5,000-$100,000/month and potential loss of card processing ability. The smartest move for most apps: use tokenization (Stripe, Braintree, Adyen) to keep raw card data off your servers entirely. This drops your compliance from 300+ requirements to under 30. PCI DSS v4.0 became mandatory in March 2025 with stronger authentication and anti-skimming rules.

Who PCI DSS Applies To

PCI DSS applies to every entity that stores, processes, or transmits cardholder data. There's no minimum size threshold, no revenue requirement, no exemption for small businesses.

If your app accepts credit card payments - even one transaction per year - PCI DSS applies.

Cardholder data includes:

Primary Account Number (PAN) - the credit card number
Cardholder name
Expiration date
Service code

Sensitive authentication data (never store this):

Full magnetic stripe data
CVV/CVC (the 3-4 digit security code)
PIN/PIN block

The critical distinction: you can store cardholder data (encrypted, with access controls). You can never store sensitive authentication data after authorization, even encrypted.

The Scope Question: How Much Does PCI DSS Affect You?

Your PCI compliance burden depends entirely on how much contact your systems have with cardholder data. This is where architecture decisions made before development starts can save you hundreds of thousands of dollars.

The Scope Spectrum

Full scope (you handle raw card data):

Your servers receive, process, or store primary account numbers
All 12 PCI DSS requirement categories apply (300+ individual controls)
Annual audits, quarterly scans, penetration testing
Network segmentation, intrusion detection, file integrity monitoring
Cost: $50K-$200K+ for compliance infrastructure

Reduced scope (tokenized payments):

Your app uses Stripe Elements, Braintree Drop-in, or similar hosted payment fields
Card data goes directly from the user's browser to the payment provider
Your servers never see the card number - only a token
You still need PCI compliance, but at a fraction of the requirements (SAQ A or SAQ A-EP)
Cost: $5K-$15K for compliance infrastructure

The obvious strategy: Don't handle raw card data. Use tokenization. Stripe, Braintree, Adyen, and Square all provide hosted payment fields that handle PCI-scoped data processing for you. Your app gets a token representing the card, and the token is useless to attackers.

Tokenization doesn't eliminate PCI scope

Using Stripe doesn't make you "PCI exempt." You're still subject to PCI DSS. But it reduces your scope from the full 300+ controls to the 20-30 controls in SAQ A or SAQ A-EP. The difference in cost and complexity is enormous.

PCI DSS v4.0: What Changed

PCI DSS v4.0 became mandatory in March 2025. If your app was built to v3.2.1, you need to update. Key changes:

Stronger authentication:

MFA required for all access to the cardholder data environment (not just remote access)
Passwords must be at least 12 characters (up from 7)
Automated mechanisms to detect and protect against phishing

E-commerce anti-skimming (Requirement 6.4.3):

All payment page scripts must be inventoried and authorized
Script integrity must be verified (preventing Magecart-style attacks)
Unauthorized scripts must be detected and alerted
This applies even if you use hosted payment fields - your payment page still runs other scripts

Continuous monitoring:

Shift from point-in-time annual compliance to continuous monitoring
Automated log review (no more manual quarterly log reviews)
Real-time alerting on security events

Customized approach:

v4.0 lets you meet requirements through a "customized approach" - you define the control and prove it meets the security objective, rather than following the prescribed implementation
Only for mature organizations with strong security programs
Most businesses should stick with the "defined approach"

The 12 PCI DSS Requirements (Simplified)

PCI DSS has 12 high-level requirements grouped into 6 categories. Here's what each means for your app:

Build and Maintain a Secure Network

Requirement 1: Install and maintain network security controls - Firewalls, network segmentation, and access control lists to isolate systems that handle cardholder data.

Requirement 2: Apply secure configurations to all system components - No vendor-supplied default passwords, unnecessary services disabled, secure configurations documented.

Protect Account Data

Requirement 3: Protect stored account data - Encrypt stored cardholder data (AES-256), mask PAN when displayed (show only last 4 digits), implement key management. With tokenization, this requirement is mostly handled by your payment provider.

Requirement 4: Protect cardholder data with strong cryptography during transmission - TLS 1.2+ for all cardholder data transmission. No exceptions.

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems and networks from malicious software - Anti-malware on systems that can be infected, regular updates, phishing protection mechanisms.

Requirement 6: Develop and maintain secure systems and software - Secure development practices, code reviews, vulnerability scanning, and the new Requirement 6.4.3 for payment page script management.

Implement Strong Access Control

Requirement 7: Restrict access to system components and cardholder data by business need-to-know - Role-based access, documented access policies, regular access reviews.

Requirement 8: Identify users and authenticate access - Unique user IDs, MFA for all cardholder data access (v4.0), 12-character minimum passwords, account lockout mechanisms.

Requirement 9: Restrict physical access to cardholder data - Physical security controls for on-premises systems. Less relevant for cloud-hosted apps, but cloud provider compliance matters.

Regularly Monitor and Test Networks

Requirement 10: Log and monitor all access to system components and cardholder data - Audit logging for all access to cardholder data, automated log review, time synchronization across systems, log retention for at least 12 months.

Requirement 11: Test security of systems and networks regularly - Quarterly vulnerability scans by an ASV (Approved Scanning Vendor), annual penetration testing, wireless access point detection, file integrity monitoring.

Maintain an Information Security Policy

Requirement 12: Support information security with organizational policies and programs - Documented security policy, risk assessment, security awareness training, incident response plan, third-party service provider management.

How PCI DSS Affects Your App Architecture

If you're using tokenization (and you should be), here's what you still need to implement:

Requirement	Architecture Impact
Payment page script management (6.4.3)	Inventory all JavaScript on checkout pages, implement Content Security Policy headers, monitor for unauthorized script changes
TLS encryption (Req 4)	Enforce TLS 1.2+ sitewide, especially on payment pages. HSTS headers. No mixed content.
Access controls (Req 7-8)	Role-based access for admin panels, MFA for any interface that manages payment configuration
Logging (Req 10)	Audit logs for payment-related administrative actions, log retention, automated alerting
Vulnerability management (Req 6, 11)	Secure development practices, quarterly ASV scans, annual penetration test
Incident response (Req 12)	Documented plan for responding to payment data incidents

If you're handling raw card data, add: network segmentation, encryption at rest, key management, intrusion detection, file integrity monitoring, and significantly more testing.

Self-Assessment Questionnaires: Which One Are You?

PCI compliance validation depends on your transaction volume and how you handle card data:

SAQ Type	Applies To	Requirements
SAQ A	Card-not-present merchants using fully hosted payment pages (Stripe Checkout, PayPal hosted)	~30 questions. Simplest.
SAQ A-EP	E-commerce merchants using embedded payment fields (Stripe Elements) where your page controls the user experience	~140 questions. More complex because your page hosts the payment form.
SAQ D	Merchants who store, process, or transmit cardholder data directly	300+ questions. Full PCI compliance.

The practical advice: architect your payment integration to qualify for SAQ A when possible. If you need more control over the checkout experience, SAQ A-EP with Stripe Elements is the next best option. Only go to SAQ D if you have a specific business requirement that mandates handling raw card data.

What PCI DSS Compliance Costs

Approach	Build Cost	Annual Maintenance
Tokenized (SAQ A)	$5K-$10K	$2K-$5K (ASV scans, SAQ completion)
Tokenized (SAQ A-EP)	$10K-$20K	$5K-$10K (ASV scans, penetration test, SAQ)
Full scope (SAQ D)	$50K-$200K+	$30K-$100K+ (QSA audit, continuous monitoring, pen tests)

The build cost for tokenized approaches covers: secure payment page implementation, CSP headers, script monitoring, admin access controls, logging, and documentation.

The full-scope cost covers everything above plus: network segmentation, encryption infrastructure, intrusion detection, file integrity monitoring, and significantly more testing and documentation.

Questions to Ask Your Development Partner

"How do you recommend integrating payments?" - The right answer involves tokenization (Stripe Elements, Braintree Drop-in, or similar). If they suggest building a custom payment form that collects card numbers on your servers, ask why.
"Which PCI SAQ will our architecture qualify for?" - They should be able to explain whether you'll qualify for SAQ A, SAQ A-EP, or SAQ D based on the integration approach.
"How do you handle Requirement 6.4.3 (payment page scripts)?" - This is a v4.0 requirement that many teams miss. Look for CSP headers, script inventory, and integrity monitoring.
"Have you built PCI-compliant payment systems before?" - Past experience matters. Ask about specific integrations, how they handled ASV scans, and what SAQ type their previous apps qualified for.
"How do you handle PCI compliance during development?" - They should never use real card numbers in development or testing. Test cards only. Production payment configuration should be separate from development environments.

Your PCI DSS Compliance Checklist

Before development starts:

Choose a tokenized payment provider (Stripe, Braintree, Adyen, Square)
Determine your target SAQ type (A, A-EP, or D)
Identify your compliance level (1-4) based on expected transaction volume
Register with your payment processor's compliance program

During development:

Integrate payments using hosted/tokenized approach (never handle raw card data if possible)
Implement TLS 1.2+ sitewide with HSTS headers
Implement Content Security Policy headers on payment pages
Build script inventory and integrity monitoring for payment pages
Build role-based access controls for payment administration
Build audit logging for payment-related operations
Use test cards only - never real card numbers in dev/staging
Follow secure coding practices per Requirement 6

Before launch:

Complete an ASV (Approved Scanning Vendor) vulnerability scan
Complete the appropriate SAQ
Conduct a penetration test (required annually for SAQ A-EP and D)
Document your incident response plan for payment data incidents
Train staff on PCI requirements relevant to their roles
Verify all third-party payment-related services are PCI compliant
Submit compliance documentation to your acquiring bank/processor

PCI DSS compliance is annual. ASV scans are quarterly. New requirements in v4.0 push toward continuous monitoring. Build the architecture right from the start and ongoing compliance becomes a routine rather than a fire drill.

Frequently asked questions

PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards created by Visa, Mastercard, American Express, Discover, and JCB. It applies to any organization that stores, processes, or transmits cardholder data. Unlike GDPR or HIPAA, PCI DSS isn't a government law - it's a contractual requirement enforced by payment card brands and processors. But the consequences of non-compliance are just as serious: fines, higher fees, and losing the ability to accept card payments.

HIPAA Compliance for Apps: What Healthcare Businesses Must Know

Building a health app without HIPAA compliance isn't just risky - it's a federal offense. Here's what the law actually requires, how it changes your app architecture, and the questions to ask before your development partner writes a line of code.

Jan 26, 202612 min read

Financial compliance professionals reviewing documents and transaction data at a meeting table

Industry Playbooks

AI Agents for KYC and AML Automation: What Fintech Teams Get Wrong

A full KYC review takes 7-10 days manually. An AI agent cuts that to under 10 minutes. Here's what to build, how to build it compliantly, and where teams go wrong.

Apr 3, 20269 min read

Buyer's Playbook

App Compliance Laws Every Business Owner Should Know Before Building

GDPR, HIPAA, PCI DSS, SOC 2 - if you're building an app, the wrong compliance miss can cost millions. Here's every regulation you need to know, mapped by geography, industry, and data type.

Nov 21, 202511 min read