
I have what I believe is a simple question but am having trouble finding an authoritative answer... If I use Stripe as the payment gateway on my website, and I have a dedicated IP address, SSL, and use Stripe correctly, do I need to pass a PCI compliance inspection? In other words, do I need to have some organization actually go through my website and ensure it is compliant, or can I be safe not going through that?

Brad Mash
    I'm voting to close this question as off-topic because it is not about software development. – nobody May 03 '15 at 02:27

2 Answers


On the payment page, if your application takes the card information and passes it to Stripe via an API or similar, then you will need to be PCI compliant.

If, for example, your /payment page goes directly to a Stripe or PayPal page, then you don't need to have PCI compliance.

Basically, in short: if card information passes through your servers / networks, then you have to be compliant :)

zealvora
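
The distinction the answer above draws (card data passing through your servers versus only an opaque gateway token reaching them) is something you can enforce in code rather than leave to convention. What follows is an added example, not code from the question, the answers, or Stripe: a server-side guard for a hypothetical checkout endpoint that accepts only a gateway token plus amount and currency, and rejects any request body carrying card fields or a Luhn-valid card number before anything is logged or stored. The JSON payload shape, the `tok_`/`pm_` token prefixes and the sample request bodies are assumptions constructed for illustration.

```python
"""Server-side guard for a Stripe-style checkout endpoint.

Added example (not code from the page or from Stripe). It assumes a
hypothetical JSON payload such as {"token": "tok_...", "amount": 1999,
"currency": "usd"} and enforces the rule from the answer above: raw
card data must never reach, be logged by, or be stored on your server;
only the opaque token issued by the gateway in the browser is accepted.
"""
import json
import re

# Gateway-issued identifiers. The "tok_"/"pm_" prefixes are an assumption
# modelled on Stripe's public token / payment-method id formats.
TOKEN_RE = re.compile(r"^(tok|pm)_[A-Za-z0-9]{8,}$")

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that only make sense if the client posted raw card details.
FORBIDDEN_FIELDS = {"number", "card_number", "cvc", "cvv", "exp_month", "exp_year"}


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid, card-number-looking digit run in `text`."""
    found = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def validate_payment_request(raw_body: str) -> dict:
    """Accept only {token, amount, currency}; refuse anything carrying card data.

    Returns {"ok": True, "token": ..., "amount": ..., "currency": ...} or
    {"ok": False, "reason": ...}. The rejection reason never echoes the body,
    so a PAN that did slip in is not copied into logs or error responses.
    """
    # Scan the raw bytes first: a PAN hidden in an unexpected field or in
    # malformed JSON still means card data touched this server.
    if find_pans(raw_body):
        return {"ok": False, "reason": "raw card data in request"}
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "invalid json"}
    if not isinstance(body, dict):
        return {"ok": False, "reason": "body must be an object"}
    if FORBIDDEN_FIELDS & set(body):
        return {"ok": False, "reason": "card fields not accepted"}
    token = body.get("token", "")
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        return {"ok": False, "reason": "missing or malformed gateway token"}
    amount = body.get("amount")
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return {"ok": False, "reason": "amount must be a positive integer (minor units)"}
    currency = body.get("currency", "usd")
    if not isinstance(currency, str) or not re.fullmatch(r"[a-z]{3}", currency):
        return {"ok": False, "reason": "bad currency"}
    return {"ok": True, "token": token, "amount": amount, "currency": currency}


if __name__ == "__main__":
    # Constructed sample bodies (not real requests or real card data beyond
    # the well-known 4242... test number).
    samples = [
        '{"token": "tok_visa1234abcd", "amount": 1999, "currency": "usd"}',
        '{"number": "4242 4242 4242 4242", "cvc": "123", "exp_month": 12}',
        '{"token": "tok_x", "amount": 100}',
    ]
    for s in samples:
        print(validate_payment_request(s))
```

The guard does not by itself make a deployment eligible for SAQ A; card details still have to be collected in the browser and tokenized by the gateway so that the backend only ever sees the token. What it buys you is a hard failure, rather than a silent scope expansion, the day someone wires a form field named `number` to your own endpoint.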

You'd want to fill out and have on file a PCI DSS SAQ A v3. This is just a self-attestation and is what most people use when just starting out under a certain volume; it basically just states that you don't handle any credit card info. Once you get to a certain level of volume, Visa would require additional things, like maybe a pen test or a QSA to verify that, and in that case your credit card processor (since they have an agreement with a bank, and the bank with Visa) would let you know what else is needed.

Matthew Arkin