Payment security & PCI compliance
What PCI compliance means for your business, how using Stripe or PayPal keeps you safe, and simple steps to protect your customers' payment data.
If you accept card payments, you have probably heard the term "PCI compliance." It sounds intimidating, but for most small businesses using modern payment processors, the heavy lifting is already done for you. This guide explains what it means and what your responsibilities are.
Quick summary
PCI DSS is the security standard for businesses that handle card payments. Using a reputable processor's hosted checkout, such as Stripe's or PayPal's, means card data never touches your servers: the processor handles the secure parts. Your main responsibility is to use strong passwords, keep your software updated, and never store card numbers anywhere on your own systems.
What PCI DSS is
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security rules created by the major card networks (Visa, Mastercard, American Express, etc.) to protect cardholder data.
Any business that accepts, stores, transmits, or processes card payment data must comply with PCI DSS. Non-compliance can result in fines from your processor or the card networks — and in the event of a breach, significant financial and reputational damage.
The good news is that most small businesses using a hosted payment processor are in a very good position without doing much extra work.
How Stripe and PayPal handle compliance for you
When you use Stripe's or PayPal's hosted checkout tools, the customer's card details are entered directly into a form or page that Stripe or PayPal controls, not your website. This means:
- Raw card numbers never pass through your server. Your website never sees, stores, or touches the card data.
- Stripe and PayPal carry the compliance burden for the card data itself. Both are certified at the highest PCI DSS level (Level 1).
- Your compliance scope is significantly reduced. You are responsible for securing your own systems, but you are not responsible for the card data itself.
"The most effective way to reduce your PCI scope is to not touch cardholder data at all — which is exactly what hosted payment forms achieve."
Your responsibilities
Even though Stripe and PayPal handle the hard parts, you still have obligations:
1. Never store card numbers yourself. Do not write down or save card numbers, CVVs, or full track data anywhere — not in a spreadsheet, not in an email, not in a note. If you need to charge someone again, use your processor's stored payment methods feature.
2. Keep your website software updated. An outdated WordPress installation or plugin can be exploited, even if card data is hosted elsewhere. See WordPress updates explained and Keeping your store secure.
3. Use strong, unique passwords. Protect your processor dashboard (Stripe, PayPal) with a strong password and two-factor authentication. See Strong passwords and Two-factor authentication explained.
4. Only give access to people who need it. Do not share your Stripe or PayPal login with everyone in the business. Use role-based access to limit who can see payment data.
5. Complete your processor's SAQ if required. Stripe asks merchants to complete a brief Self-Assessment Questionnaire (SAQ) to confirm their compliance posture. This is usually a short online form in your Stripe Dashboard.
Do not accept card details by email or phone without guidance
If a customer emails you their card number, you become responsible for securing that data. Do not store it. Instead, send the customer a Stripe payment link so they can enter their details securely. Talk to us if you regularly take payments over the phone — there are proper tools for this.
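The two rules above (never store card numbers yourself, and never let a card number arrive by email or in a form your own server receives) can be checked mechanically. The following is an added example, not code from this guide, Stripe or PayPal: it finds card-number-looking strings in free text such as a support-ticket export, confirms them with the Luhn check that real card numbers satisfy, masks them down to the last four digits, and applies the same test to an inbound form payload so that a hosted-checkout endpoint can refuse anything that looks like a raw card number. The sample ticket text and the form payloads are constructed for the example; the card number used is a well-known test number, not a real card.

```python
"""Find, mask and reject card numbers (PANs) in data that should never hold them."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run (so long order ids are not matched).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the distinct Luhn-valid card numbers found in text, separators removed."""
    found: list[str] = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace each Luhn-valid card number with asterisks, keeping only the last 4 digits.
    Note: this only handles the card number; a CVV or expiry written next to it must
    still be deleted by hand, since there is no reliable pattern to find those."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()        # not a card number: leave untouched
    return _PAN_CANDIDATE.sub(_mask, text)


def payload_contains_pan(fields: dict) -> bool:
    """Server-side guard for a checkout endpoint. With hosted checkout your server should
    only ever receive a processor token or id, so any field carrying a card number means
    something is bypassing the hosted form and the request should be rejected."""
    return any(find_pans(str(value)) for value in fields.values())


# Constructed sample: a support-ticket export, not real customer data.
SAMPLE_TICKET = (
    "Ticket #1043 opened 2024-01-15 10:22:33\n"
    "Customer wrote: please charge my card 4242 4242 4242 4242, exp 12/26, CVV 123\n"
    "Order ref 4242-4242-4242-4243 (looks like a card but fails Luhn)\n"
    "Callback number 555-123-4567\n"
)

if __name__ == "__main__":
    print("Card numbers found:", find_pans(SAMPLE_TICKET))
    print(mask_pans(SAMPLE_TICKET))
    # Constructed payloads: what a hosted-checkout endpoint should and should not see.
    print(payload_contains_pan({"payment_method": "pm_constructed_example", "amount": "1999"}))
    print(payload_contains_pan({"card_number": "4111111111111111", "amount": "1999"}))
```

Run it over an export of your mailbox, ticket system or database dumps; any hit is data you are now responsible for under PCI DSS and should delete, after sending the customer a payment link instead.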
SSL (HTTPS) and payment security
Your website must use HTTPS (the padlock icon in the browser bar) for all pages, especially checkout pages. HTTPS encrypts the connection between your visitor's browser and your website.
Stripe and PayPal require HTTPS. If your site is not on HTTPS, payment integrations may refuse to load. See What is SSL & HTTPS? for more detail.
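A checkout page can be served over HTTPS and still pull a script, image or form target over plain HTTP, which browsers block or warn about and which can stop a payment form from loading. The following is an added example, not code from this guide or from Stripe or PayPal: it parses a checkout page's HTML with Python's standard library and lists every resource or form action that would use plain HTTP, and reports the page itself if it is not on HTTPS. The sample HTML and the example-shop.test domain are constructed for the example; the only real URL in it is the public Stripe.js script address.

```python
"""Audit a checkout page's HTML for references that would load over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value makes the browser fetch or submit to a URL.
_FETCH_ATTRS = {"src", "href", "action", "data"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every fetchable reference in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in _FETCH_ATTRS and value:
                self.refs.append((tag, name, value))


def insecure_references(page_url: str, html: str) -> list[tuple[str, str, str]]:
    """Return (tag, attribute, url) for each reference that would use plain HTTP when
    the page is served from page_url. Relative and protocol-relative URLs inherit the
    page's scheme, so they are only a problem if the page itself is not on HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return [("page", "url", page_url)]     # the whole page is the finding
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, attr, url in collector.refs:
        if tag == "a":                         # navigation links are not loaded by the page
            continue
        if urlsplit(url).scheme == "http":     # explicit plain-HTTP reference
            findings.append((tag, attr, url))
    return findings


# Constructed sample checkout page; example-shop.test is a hypothetical domain.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<link rel="stylesheet" href="/static/checkout.css">
<script src="https://js.stripe.com/v3/"></script>
<script src="http://cdn.example-shop.test/analytics.js"></script>
</head><body>
<form action="http://example-shop.test/pay" method="post">
  <a href="http://example-shop.test/terms">Terms</a>
  <img src="//cdn.example-shop.test/logo.png">
</form>
</body></html>
"""

if __name__ == "__main__":
    for finding in insecure_references("https://example-shop.test/checkout", SAMPLE_CHECKOUT_HTML):
        print("insecure reference:", finding)
```

Feed it the HTML of your live checkout page (for example saved from the browser) after any theme or plugin change; an empty result means nothing on the page is explicitly asking for plain HTTP.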
Fraud prevention tools
Both Stripe and PayPal include built-in fraud detection. Stripe's tool is called Radar. It analyzes each transaction using machine learning and flags suspicious patterns. You can also set custom rules (for example, block all transactions from specific regions) in your Stripe Dashboard.
You do not need to configure Radar manually for it to work — the default settings are effective for most businesses.
Related guides
- How online payments work
- Stripe basics for business owners
- Keeping your store secure (WooCommerce)
- PCI compliance basics (WooCommerce)
- SSL & HTTPS explained
- Two-factor authentication explained