Our Stripe extension collects card data using Stripe Elements, which embeds a Stripe-hosted interface on your site via an iframe. While it may look like a customer is entering their card details directly into your site, that data is actually collected by an interface hosted on Stripe’s servers.
This means that Stripe (certified as a Level 1 Service Provider) is the only entity that handles card data. Your site never stores, processes, or transmits it.
Most merchants using the Stripe extension can validate their PCI compliance via Self-Assessment Questionnaire (SAQ) A. However, depending on factors such as your PCI level, Stripe may require a different SAQ type or ask that your SAQ be signed by a PCI Qualified Security Assessor (QSA).
To confirm which validation process applies to your account, contact Stripe.
NOTE: Using our Stripe extension reduces the burden of PCI compliance, but merchants are still responsible for other PCI DSS requirements, like regular vulnerability scans from an Approved Scanning Vendor (ASV) and maintaining good security hygiene to protect your site and your customers’ data.
For further reading:
- Stripe’s PCI Compliance Guide
- Stripe’s Security Guide
- The WooCommerce PCI Compliance Guide