PCI Compliance for Cloud and SaaS: Stripe, Cloud Storage, and Pen Testing
Learn how PCI compliance works for cloud and SaaS companies using Stripe, cloud storage, and pen testing. Covers scope reduction and common pitfalls.
Most SaaS founders we work with assume that using Stripe means PCI compliance is handled. That is partially true — but the gap between partially and fully compliant is where security incidents and failed audits happen.
PCI compliance stripe integration does not automatically make your SaaS application PCI compliant. While payment processors like Stripe handle the heaviest PCI DSS requirements by managing cardholder data directly, your application, infrastructure, and processes still have compliance obligations. If you build on cloud infrastructure (AWS, GCP, Azure) and use payment processors, you need to understand exactly where PCI responsibilities begin and end in your environment.
This guide covers PCI compliance when using Stripe, requirements for PCI compliant cloud storage, penetration testing obligations under PCI DSS, strategies for reducing your PCI scope in the cloud, and the most common PCI pitfalls for SaaS companies.
PCI Compliance When Using Stripe
Stripe is a PCI DSS Level 1 service provider — the highest level of compliance. When you use Stripe to process payments, Stripe handles the storage, processing, and transmission of cardholder data. But your PCI obligations depend on how your application integrates with Stripe.
Integration Types and SAQ Implications
| Integration Method | Your PCI Scope | SAQ Type | Complexity |
|---|---|---|---|
| Stripe Checkout (hosted page) | Minimal — card data never touches your servers | SAQ A (~25 questions) | Low |
| Stripe Elements (embedded form) | Low — card data goes directly to Stripe via iframe/JS | SAQ A or SAQ A-EP | Low-Medium |
| Stripe API (server-side) | Higher — your server handles card data temporarily | SAQ D (~330 questions) | High |
What Stripe Handles vs. Your Responsibility
Stripe handles: Storing cardholder data, PCI-compliant processing infrastructure, tokenization, encryption of stored card data, and their own PCI Level 1 audit.
Your responsibility: Securing your website/application from tampering (CSP headers, subresource integrity), managing API keys securely, implementing TLS for your site, completing the appropriate SAQ, maintaining evidence of compliance, and ensuring your checkout flow does not inadvertently capture card data.
Common Mistakes with Stripe
- Logging API requests that include card numbers in error messages or debug logs
- Using Stripe API directly when Stripe Elements would suffice (unnecessarily expanding scope)
- Not securing Stripe API keys (storing them in client-side code or unencrypted config files)
- Assuming Stripe's compliance covers your entire application
For the full PCI DSS framework, see our PCI DSS compliance guide.
PCI-Compliant Cloud Storage
If your application stores cardholder data (or if you are a service provider managing card data), your cloud storage must meet PCI DSS requirements. PCI compliant cloud storage requires:
Encryption Requirements
- Encryption at rest — All stored cardholder data must be encrypted using strong cryptography (AES-256). Cloud providers offer this natively: AWS S3 server-side encryption, Azure Storage Service Encryption, GCP default encryption
- Key management — Encryption keys must be managed separately from the encrypted data. Use cloud KMS services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than managing keys alongside data
- Encryption in transit — TLS 1.2+ for all data movement between services, applications, and clients
Access Controls
- Implement IAM policies that restrict cloud storage access to authorized services and personnel only
- Use separate accounts or projects for PCI-scoped workloads
- Enable logging and monitoring on all storage access (CloudTrail, Azure Monitor, GCP Audit Logs)
- Implement network controls (VPC, private endpoints) to prevent public access to cardholder data
Cloud Provider Compliance
All three major cloud providers maintain PCI DSS Level 1 compliance for their infrastructure:
| Provider | PCI Compliance | Key PCI Services |
|---|---|---|
| AWS | Level 1 service provider | AWS GovCloud, KMS, CloudHSM, GuardDuty, Config |
| Azure | Level 1 service provider | Azure Key Vault, Sentinel, Defender, Policy |
| GCP | Level 1 service provider | Cloud KMS, Security Command Center, VPC Service Controls |
However, the cloud shared responsibility model means the provider secures the infrastructure and you secure the configuration. An improperly configured S3 bucket or overly permissive IAM policy can create PCI compliance gaps regardless of the provider's certification status.
For broader cloud compliance considerations, see our guide on SOC 2 for cloud infrastructure providers.
PCI Penetration Testing Requirements
PCI pen testing is mandated under PCI DSS Requirement 11.4. The requirements were strengthened in PCI DSS 4.0:
What PCI DSS Requires
- External penetration testing — At least annually and after any significant infrastructure or application change
- Internal penetration testing — At least annually and after any significant change
- Network segmentation testing — If you use segmentation to reduce PCI scope, penetration testing must verify the segmentation is effective (at least every six months for service providers)
- Application-layer testing — Must test for at least the vulnerabilities listed in Requirement 6.2.4 (including OWASP Top 10)
Qualified Testing
PCI DSS requires that penetration testing be performed by a qualified internal resource or external third party. While PCI does not mandate specific certifications, testers should have relevant qualifications (OSCP, GPEN, CEH, or equivalent experience). Many organizations engage QSA-approved penetration testing firms for added credibility.
Reporting and Remediation
Penetration test findings must be documented and remediated based on severity. Exploitable vulnerabilities must be corrected, and a retest must confirm the remediation is effective. Maintain test reports, remediation evidence, and retest results for your QSA or SAQ documentation.
For deeper coverage of penetration testing in a compliance context, see our articles on penetration testing compliance and cost efficiency and whether SOC 2 requires penetration testing.
Reducing Your PCI Scope in the Cloud
The most effective strategy for PCI compliance as a SaaS company is minimizing your cardholder data environment (CDE) scope. Fewer systems in scope means fewer controls to implement, lower audit costs, and reduced risk.
Tokenization
Use your payment processor's tokenization capabilities to replace cardholder data with non-sensitive tokens throughout your application. When you use Stripe, card data is tokenized before reaching your systems — you only store tokens that are useless without Stripe's infrastructure.
Network Segmentation
Isolate PCI-scoped systems in dedicated network segments (VPCs, subnets) with strict access controls. Properly verified segmentation reduces the number of systems that require PCI controls from your entire environment to just the segmented CDE.
Outsource Payment Handling
Use hosted payment pages (Stripe Checkout, PayPal hosted buttons) rather than building custom payment forms. This shifts the PCI burden to the payment processor and reduces your SAQ from potentially 330 questions (SAQ D) to 25 questions (SAQ A).
Reduce Data Retention
Do not store cardholder data longer than necessary. If you do not need to store card numbers for recurring billing (Stripe handles this via tokens), do not store them at all. Define and enforce data retention policies that minimize the cardholder data in your environment.
Common PCI Pitfalls for SaaS Companies
Logging Sensitive Data
Application logs, error reporting tools (Sentry, Datadog), and analytics platforms can inadvertently capture cardholder data. Audit all logging pathways to ensure card numbers, CVVs, and expiration dates are never logged, even in error conditions.
Inadequate Access Controls
Overly broad access to production environments, shared credentials for cloud infrastructure, and lack of MFA on administrative accounts are common audit findings. Implement least-privilege access, require MFA for all administrative access, and conduct quarterly access reviews.
Third-Party Vendor Gaps
Every third-party service that touches your payment flow must be PCI compliant. This includes hosting providers, CDN services, analytics tools (if they can access payment pages), and any service with access to your cardholder data environment.
Ignoring Requirement 11 (Testing)
Many SaaS companies implement strong access controls and encryption but neglect the testing requirements — vulnerability scanning, penetration testing, and file integrity monitoring. These are commonly cited findings in PCI assessments.
Need help navigating PCI compliance for your SaaS application? Contact Agency for a scoping assessment that minimizes your compliance burden while ensuring complete coverage.
Frequently Asked Questions
Agency Team
Agency Insights
Expert guidance on cybersecurity compliance from Agency's advisory team.
LinkedIn
