
PCI-DSS Compliance Checklist Template

A structured PCI-DSS v4.0 compliance checklist for product teams handling payment card data, covering network security, cardholder data protection,...

Updated 2026-03-05

Frequently Asked Questions

Do we need PCI compliance if we use Stripe?
Yes, but your scope is significantly reduced. Using Stripe Checkout (a Stripe-hosted page) or Stripe Elements (card fields rendered inside Stripe-hosted iframes on your page) means your servers never touch raw card data, which qualifies you for SAQ A. An integration in which your own page renders the card fields and posts them directly to Stripe's API puts you in SAQ A-EP: card numbers still bypass your servers, but your web server and scripts can influence the payment page. In either case you still need to secure your website (HTTPS everywhere, no mixed content), protect your API keys (the secret key never belongs in client-side code or version control), and maintain an information security policy. Full PCI-DSS (SAQ D) applies if your server-side code processes, stores, or transmits cardholder data directly, for example by accepting a card number in your own API and forwarding it to Stripe. Your acquirer confirms which SAQ you are eligible for.
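The scope reduction described above only holds as long as a card number never reaches your servers, and the usual way it does is by accident: a customer pastes a card number into a notes field, or a developer adds a "card_number" parameter to an internal endpoint. The following is an added example, not code from the page or from Stripe, of a server-side guard that detects Luhn-valid PANs in an inbound request body and rejects the request, returning only a masked form for logging. The request bodies are constructed for illustration and the well-known test number 4242 4242 4242 4242 stands in for a real card.

```python
import re

# A PAN is 13-19 digits, often keyed with spaces or dashes between groups.
# The lookarounds stop us matching a 13-19 digit window inside a longer number.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit-only PAN candidates in text that pass Luhn; order IDs and tokens fall out."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI-DSS allows to be displayed (Req. 3.4.1)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_request(body: str) -> dict:
    """Gate an inbound request body: allow only if it carries no card number.

    On a server that is meant to stay in SAQ A/A-EP scope, seeing a PAN is a
    scoping incident, not just a data-handling bug, so the caller should reject
    the request and alert. Only the masked form is ever returned or logged.
    """
    pans = find_pans(body)
    if pans:
        return {"allow": False,
                "reason": "PAN detected in request body",
                "pans": [mask_pan(p) for p in pans]}
    return {"allow": True, "reason": "no PAN found", "pans": []}


if __name__ == "__main__":
    # Constructed sample bodies; 4242 4242 4242 4242 is a well-known test card number.
    samples = [
        '{"payment_method":"pm_1234567890abcdef","amount":4999}',
        '{"order_id":"1234567890123456","note":"gift wrap"}',
        '{"note":"my card is 4242 4242 4242 4242, charge it"}',
    ]
    for s in samples:
        print(inspect_request(s))
```

Run it as middleware in front of every endpoint that accepts free text, and treat a block as an incident to investigate (where did the form let a card number through?) rather than as noise. The Luhn check is what keeps sixteen-digit order IDs and the digits inside processor tokens from producing false positives.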
What is the difference between SAQ A and SAQ A-EP?
Both apply to e-commerce merchants who outsource all payment processing to a PCI-DSS validated third party and never receive account data on their own systems. SAQ A applies when every element of the payment page delivered to the shopper's browser comes from the processor, either through a full redirect (e.g., Stripe Checkout) or through processor-hosted iframes embedded in your page (e.g., Stripe Elements); your website only controls how the shopper is redirected or where the iframe sits. SAQ A-EP applies when your website serves the page or scripts that collect payment data, typically a form on your own page whose fields are tokenized by JavaScript and sent directly to the processor. Card data still bypasses your servers, but a compromise of your web server or of a script it loads could redirect or skim it, so A-EP pulls in far more of Requirements 1, 2, 6, 10 and 11 (network controls, system hardening, secure development, logging and vulnerability testing) and is several times longer than SAQ A. For a fuller picture of payment infrastructure decisions, the [glossary entry on technical debt](/glossary/technical-debt) covers how payment architecture choices compound over time.
What changed in PCI-DSS v4.0?
Major changes: MFA is required for all access into the CDE, not just remote access (Requirement 8.4.2). Minimum password length increased from 7 to 12 characters (8 where a system cannot support 12), with both letters and numbers required. Anti-phishing controls are explicitly required (5.4.1). Public-facing web applications must be protected by a continuously running automated solution such as a WAF, replacing the old option of an annual application review (6.4.2). Scripts on payment pages must be inventoried, authorized and integrity-checked, and the page itself monitored for tampering (6.4.3 and 11.6.1). A "customized approach" lets organizations meet a requirement's objective through alternative controls backed by a targeted risk analysis. System and application accounts have their own management requirements (8.6), and targeted risk analyses now set the frequency of several periodic controls. PCI-DSS v3.2.1 was retired on March 31, 2024, all future-dated v4.0 requirements became mandatory on March 31, 2025, and v4.0.1 (a clarifying revision published in 2024) is the version assessments are now performed against.
How often do we need to validate PCI compliance?
Compliance validation is annual, and the method depends on your merchant or service-provider level, which the card brands define by transaction volume and your acquiring bank applies to you. Most merchants processing fewer than 6 million card transactions a year complete an annual SAQ with an Attestation of Compliance. Level 1 merchants (above 6 million) need an annual Report on Compliance (ROC) produced by a QSA or a certified Internal Security Assessor. Level 1 service providers (above 300,000 transactions a year under the Visa program) also need a ROC. Between assessments the standard sets its own cadence: external ASV vulnerability scans and internal vulnerability scans at least quarterly and after significant changes, and internal and external penetration tests at least every 12 months. Your acquiring bank dictates the exact validation requirements based on your level.
Can PCI scope be reduced through network segmentation?
Yes. Network segmentation is the primary strategy for reducing PCI scope; it is not itself a PCI-DSS requirement, but without it the entire network is in scope. Systems that do not store, process, or transmit cardholder data can be placed outside the CDE only if controls prevent them from communicating with it. A system that can still reach the CDE (a jump host, a log collector, a directory service) is "connected-to" and stays in scope even though it never sees card data. Effective segmentation requires validated, default-deny network controls (firewalls, VLANs with ACLs, cloud security groups and network ACLs) with documented rules. Segmentation must be verified by penetration testing at least annually for merchants and at least every six months for service providers, and again after any change to the segmentation controls. Cloud architectures that place the CDE in its own VPC or account with tightly scoped security groups are well-suited to segmentation, but the rules still have to be audited: a single wide ingress rule from a shared corporate range pulls that whole range into scope.
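Pen testers verify segmentation by trying to reach the CDE from out-of-scope networks, but the cheaper first check is to read the rules. The following is an added example, not code from the page or from any cloud provider, of a rule audit over a constructed set of segments and ingress rules: it flags any rule that lets a non-CDE segment, a CIDR not contained in the CDE, or the whole internet into a CDE segment. The segment names, address ranges and rules are invented for illustration, and the "bastion" segment shows how to record a deliberately permitted bridge host (which remains in scope as a connected-to system) without it being reported as a failure.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str
    in_cde: bool          # does this segment store, process or transmit card data?


@dataclass(frozen=True)
class IngressRule:
    target: str           # segment the rule grants access INTO
    source: str           # a segment name or a CIDR
    ports: str            # e.g. "443", "5432", "0-65535"


def audit_segmentation(segments, rules, allowed_bridges=frozenset()):
    """Flag ingress rules that let anything outside the CDE reach a CDE segment.

    allowed_bridges: names of non-CDE segments deliberately permitted to reach
    the CDE (a hardened jump host, say). Those systems are 'connected-to' and
    are therefore still in PCI scope; listing them here only keeps them from
    being reported as segmentation failures.
    """
    by_name = {s.name: s for s in segments}
    cde_nets = [ipaddress.ip_network(s.cidr) for s in segments if s.in_cde]
    bridge_nets = [ipaddress.ip_network(by_name[b].cidr) for b in allowed_bridges if b in by_name]
    findings = []
    for r in rules:
        target = by_name.get(r.target)
        if target is None or not target.in_cde:
            continue                      # rule protects an out-of-scope segment
        label = f"{r.target} <- {r.source} ({r.ports})"
        if r.source in by_name:           # source given as a named segment
            src = by_name[r.source]
            if not (src.in_cde or src.name in allowed_bridges):
                findings.append(f"{label}: non-CDE segment reaches CDE")
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{label}: open to the internet")
        elif not any(net.subnet_of(n) for n in cde_nets + bridge_nets):
            findings.append(f"{label}: source range not contained in CDE")
    return findings


# Constructed example estate (not taken from any real deployment).
SEGMENTS = [
    Segment("payment-api", "10.10.0.0/24", in_cde=True),
    Segment("payment-db", "10.10.1.0/24", in_cde=True),
    Segment("marketing-web", "10.20.0.0/24", in_cde=False),
    Segment("corp-lan", "10.30.0.0/16", in_cde=False),
    Segment("bastion", "10.40.0.0/28", in_cde=False),
]

RULES = [
    IngressRule("payment-db", "payment-api", "5432"),     # fine: CDE to CDE
    IngressRule("payment-api", "bastion", "22"),          # fine only if bastion is an approved bridge
    IngressRule("payment-api", "marketing-web", "443"),   # out-of-scope web tier into the CDE
    IngressRule("payment-db", "10.0.0.0/8", "5432"),      # legacy wide rule covering corp-lan
    IngressRule("payment-db", "0.0.0.0/0", "5432"),       # database exposed to the internet
    IngressRule("marketing-web", "0.0.0.0/0", "443"),     # public web, not in CDE: ignored
]


def run_example():
    return audit_segmentation(SEGMENTS, RULES, allowed_bridges=frozenset({"bastion"}))


if __name__ == "__main__":
    for f in run_example():
        print("FINDING:", f)
```

In practice the segments and rules would be exported from your firewall or cloud provider (security groups, network ACLs, VPC peering) rather than typed in, and the audit belongs in CI so that a new wide rule fails the pipeline before a penetration test finds it six months later. The containment test on CIDR sources is deliberate: a 10.0.0.0/8 rule "works" for the payment tier but silently makes the corporate LAN a connected-to network.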
