Anyone involved with the processing, transmission, or storage of card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). Your business and Stripe share responsibility for PCI compliance.

When accepting payments, you must do so in a PCI-compliant manner. The simplest way for you to be PCI compliant is to never see, or have access to, card data. To facilitate this, you can integrate using Checkout, Elements, or our mobile SDKs. These integrations collect payment information and transmit it directly to our servers. We strongly recommend that all users integrate with these methods.

However, some Stripe users may have integrations which require that they, or a third party, take on a greater degree of this shared responsibility. This is generally required if your servers directly handle card data and pass it to Stripe. If this applies to you, you need to provide Stripe with documentation each year describing the technical and compliance measures taken to protect the security of cardholders' data.

To enable raw card data APIs on your account, please contact our support team with the following information:

• A brief written description of the systems and services in your application which handle card data. If you fully outsource this activity to a PCI DSS-compliant third party, please provide the name of that service provider.
• One of the following documents:
  • A current, complete PCI DSS Self-assessment Questionnaire (SAQ) D.
  • If you meet the qualifications of a Level 1 Merchant or Service Provider, a current PCI DSS Attestation of Compliance for Onsite Assessment.
  • If you fully outsource the handling of card data to a PCI DSS-compliant third-party service provider, only accept online or mail order/telephone order (MOTO) payments, and otherwise qualify, a Self-Assessment Questionnaire (SAQ) A. This document must list your entity's information and list the third-party service provider in Part 2f.

Follow our guide to PCI Compliance to choose the appropriate forms.

If you're working with a third-party platform that is requesting that you enable this feature on your Stripe account, contact that platform to obtain the necessary documentation. If you're a Connect platform that requires this feature for your connected accounts, you only need to enable it on your platform account.

If you require access to this feature solely for testing purposes, and can't make use of Stripe's pre-tokenized cards, contact our support team to enable this feature—no compliance documentation is required. To use this feature in live mode, you'll need to supply the appropriate documentation as described above.