Skip to main content
QuantLab Logo

MOFU Compliance Checklist · 2026

PCI-DSS Compliance for SaaS: A 2026 Founder's Checklist

PCI-DSS 4.0 hit mandatory enforcement on March 31, 2025. Here is the checklist for SaaS founders — how to stay on the SAQ-A track with Stripe, reduce scope, and avoid the SAQ-D trap that costs 30x more.

By Bill Beltz, founder of QUANT LAB USA INC · Published May 12, 2026

Quick answer: how do I get PCI-compliant as a SaaS?

If you use Stripe Checkout or Payment Element so card numbers never touch your servers, you qualify for SAQ-A — a 22-question self-attestation that takes a few hours a year. Add an annual external vulnerability scan from an Approved Scanning Vendor, a one-page incident response plan, MFA on admin access, and a security awareness program for your team. Total annual cost: $500 to $3,000. The trap is accepting raw card data anywhere, which escalates you to SAQ-D and a $30K-plus annual program.

PCI-DSS compliance is one of those topics where the lazy advice is "use Stripe" and the lazy advice is correct for 80% of SaaS — but the remaining 20% gets eaten alive when they accidentally take a payment outside the Stripe iframe and find themselves looking at SAQ-D. This checklist is what we hand clients during every Stripe build at QUANT LAB USA.

Background reading you might want first: What is PCI-DSS and our Next.js Stripe integration guide.

The PCI-DSS validation paths for SaaS

PathWho it applies toAnnual effortAnnual cost
SAQ-AFully outsourced (Stripe iframe / redirect)A few hours$500 to $3K
SAQ-A-EPeCommerce with redirect but your server affects checkout page1 to 2 weeks$3K to $10K
SAQ-D MerchantCard data touches your servers2 to 4 months$30K to $80K
SAQ-D Service ProviderYou enable others to take payments (Connect platforms)3 to 5 months$40K to $120K
Level 1 RoC6M+ Visa transactions or designated by acquirer4 to 9 months$80K to $300K+

The 12 PCI-DSS requirements decoded for SaaS

  1. Network security controls. Firewall rules, WAF, deny-by-default ingress on production VPCs. For Stripe-iframe SaaS, this is largely about your hosting provider's defaults.
  2. Secure configurations. No default passwords, hardened images, disabled unnecessary services. CIS benchmarks on AWS or GCP cover this.
  3. Protect stored cardholder data. Do not store it. If you must, encrypt with strong keys and keep PAN truncated (last 4 only).
  4. Strong cryptography in transit. TLS 1.2+ everywhere, no SSLv3, no weak ciphers, HSTS. This is one line of Cloudflare config in 2026.
  5. Anti-malware. On any system that could process card data. Modern SaaS hosted on PaaS (Vercel, Render) inherits this from the platform.
  6. Secure development. Code review, dependency scanning, SAST in CI, separate dev/staging/prod. The basics every reputable SaaS already does.
  7. Need-to-know access. Role-based access at the data layer. Engineers do not have prod database creds by default.
  8. User identification. SSO, MFA, unique accounts (no shared credentials). PCI 4.0 expanded MFA scope significantly.
  9. Physical access. Mostly inherited from your cloud provider's SOC reports.
  10. Log and monitor. Audit logs of access to cardholder data systems, 12-month retention, alerting on anomalies.
  11. Regular testing. Quarterly external ASV scans, annual internal/external pentest (SAQ-D), file integrity monitoring, IDS.
  12. Security policy. Written documents covering acceptable use, incident response, vendor management, security awareness.

The SAQ-A path: 22 questions, $1K a year

SAQ-A is the holy grail for SaaS founders. To qualify, you must:

  • Use a fully-outsourced payment page (Stripe Checkout redirect or hosted Payment Element).
  • Never store, process, or transmit cardholder data on your servers — not even briefly.
  • Have written agreements with your payment processor confirming their PCI compliance.
  • Maintain controls over any system that could affect the integrity of the redirect page (your marketing site, your JS bundle, your CDN).

If you check those four boxes, you fill out SAQ-A annually, run quarterly ASV scans (about $300 to $1,500/year), and self-attest. Done.

Mistakes that break the SAQ-A path

We have audited dozens of Stripe integrations. The five most common SAQ-A-killing mistakes:

  1. Logging request bodies that contain card data. Even a debug log that captured a single Stripe form post can blow your scope wide open. Sanitize at the proxy layer.
  2. Custom payment forms instead of Stripe Elements. If your React form collects the PAN and posts it to your backend, you are SAQ-D. Use Stripe Elements or Checkout.
  3. Storing the BIN (first 6 digits) for analytics. First-6 is still cardholder data under 4.0.
  4. Saving the CVV anywhere, ever. Not in logs, not in support tools, not in CRM. CVV storage is a flat-out violation.
  5. Letting third-party scripts inject on the checkout page. PCI 4.0 expanded scope for any script that runs in the cardholder data environment. Analytics tags on the checkout page need to be inventoried.

What changed in PCI-DSS 4.0

Version 4.0 added or strengthened several requirements that affect SaaS:

  • MFA expansion (8.4): MFA on all access into the cardholder data environment, not just remote admin access. Most SaaS already have this.
  • Targeted risk analysis (12.3.1): You can use a risk-based approach for certain controls instead of the prescriptive default. Requires written justification.
  • Customized approach: Lets organizations meet objectives through alternative controls. Mostly useful for larger orgs.
  • Script inventory (6.4.3): Must inventory and authorize all scripts running on payment pages. Big change for marketing-tag-heavy checkouts.
  • Service provider expectations (12.8, 12.9): Tighter contractual obligations between service providers and merchants.
  • Anti-phishing (5.4.1): Mechanisms to detect and protect against phishing attacks.

Scope reduction: the techniques that pay back

Scope reduction is the single highest-leverage PCI activity. Smaller scope means smaller audit, fewer controls, cheaper insurance. Techniques in priority order:

  1. Iframe everything. Stripe Checkout redirect > Payment Element iframe > Stripe.js Elements > custom form. The further to the left, the smaller your scope.
  2. Tokenize aggressively. Use Stripe Customer + Payment Method tokens. Your database stores token IDs, not PANs.
  3. Sanitize at the edge. Strip card data from logs at the WAF / reverse proxy layer.
  4. Segment networks. If you must touch card data, isolate the systems that do behind their own VPC.
  5. Outsource refunds and chargebacks. Use Stripe's hosted dispute tooling rather than building your own.
  6. Audit your CDN and analytics. Make sure no third-party scripts hit your checkout page.

Marketplace and Connect platforms: the service provider trap

If your SaaS lets other companies accept payments — Stripe Connect platforms, marketplace builds, embedded finance — you are likely a PCI Service Provider, not just a merchant. That changes the program meaningfully:

  • You owe your sub-merchants written PCI responsibility allocations.
  • Annual ASV scans are required regardless of transaction count.
  • You must complete SAQ-D Service Provider (not SAQ-A) in most cases.
  • Quarterly attestation and SOC-style reporting to acquirers may be required.

Building a marketplace? See our Stripe Connect Marketplace Architecture guide — we cover the compliance posture as part of the architecture.

Sample evidence package (for your QSA or auditor)

For any path beyond SAQ-A, you will need an evidence package. The artifacts we collect at scoping:

  • Network diagram showing cardholder data flow
  • Asset inventory with CDE designation
  • Annual pentest report (see our pentest cost guide)
  • Quarterly ASV scan reports
  • SAQ or RoC document
  • Incident response plan
  • Vendor management documentation (Stripe AOC, etc.)
  • Information security policy
  • Training records for security awareness
  • Sample audit logs showing 12 months retention

Stacking PCI with SOC 2

Most SaaS founders end up needing both PCI and SOC 2. The good news: about 60% of the evidence overlaps. The bad news: the frameworks are not designed to be combined, so you still produce two reports.

Build the SOC 2 program first if you have the choice — it is broader. Then layer PCI scope artifacts on top. See our SOC 2 pentest prep guide for the SOC 2 path.

FAQ

What is PCI-DSS 4.0 and when did it take effect?

PCI-DSS 4.0 is the latest version of the Payment Card Industry Data Security Standard. Version 4.0 was finalized in March 2022, with mandatory enforcement of all new requirements as of March 31, 2025. Any merchant or service provider handling cardholder data is now expected to comply with 4.0 — there is no fallback to 3.2.1.

Does my SaaS need to be PCI-compliant if I use Stripe?

Yes, but at the lightest validation level. If your SaaS uses Stripe Elements, Checkout, or Payment Element such that the card number never touches your servers, you can self-attest with SAQ-A. That is a 22-question form, not a full audit. The moment you accept raw card data on your servers (even briefly), you escalate to SAQ-D — which is dramatically more expensive.

What does SAQ-A actually require?

SAQ-A applies to merchants who fully outsource cardholder data to a PCI-validated third party (Stripe, Adyen, Braintree). The 22 questions cover service provider management, secure storage of paper records, employee security awareness, vulnerability scanning of any system that affects the payment iframe page, and incident response. Most Stripe-only SaaS can complete SAQ-A in a few hours per year.

When do I need SAQ-D instead of SAQ-A?

Three triggers: you handle raw card numbers anywhere (even passing through your servers via a custom integration), you process more than 6 million Visa transactions per year (Level 1), or you store cardholder data. SAQ-D has 329 questions and typically requires a formal Report on Compliance (RoC) signed by a Qualified Security Assessor. Annual program cost typically $30K to $100K+.

What is the cheapest path to PCI compliance for a SaaS startup?

Use Stripe Checkout or Payment Element with the redirect/iframe model so your servers never see card numbers, qualify for SAQ-A, run an annual vulnerability scan via an Approved Scanning Vendor, write a short incident response plan, and self-attest. Total annual cost: $500 to $3K. We help clients land here as part of every Stripe integration.

What are the 12 PCI-DSS requirements?

1. Install and maintain network security controls. 2. Apply secure configurations to system components. 3. Protect stored cardholder data. 4. Protect cardholder data with strong cryptography during transmission. 5. Protect systems against malware. 6. Develop and maintain secure systems and software. 7. Restrict access by need-to-know. 8. Identify users and authenticate access. 9. Restrict physical access to cardholder data. 10. Log and monitor access. 11. Test security regularly. 12. Maintain an information security policy.

Do I need a penetration test for PCI-DSS?

Yes if you handle cardholder data (SAQ-D path) or are a service provider. Annual internal and external penetration testing is mandatory under requirement 11.4. Pure SAQ-A merchants do not require a pentest under PCI rules, but their cyber insurance often demands one. Plan on $10K to $35K annually depending on scope. See our penetration test cost guide.

How does PCI-DSS 4.0 differ from 3.2.1?

Five big changes: stronger authentication (MFA on all admin access, not just remote), targeted risk analysis replacing some prescriptive controls, expanded scope for scripts running on payment pages, customized approaches alongside defined approaches, and clearer service provider responsibilities. The practical impact for SaaS: tighter MFA, more documentation of risk decisions, and more attention to client-side script loading on checkout pages.

What is a PCI-DSS Service Provider versus a Merchant?

A Merchant accepts card payments for their own business. A Service Provider stores, processes, or transmits cardholder data on behalf of another entity. Many SaaS companies are both. If your platform lets your customers accept payments (think Stripe Connect marketplaces), you are likely a Service Provider, which is a heavier compliance burden. See our Stripe Connect marketplace architecture guide.

How do I reduce PCI scope?

Five proven techniques: redirect all payment forms to Stripe Checkout (iframe model), never log requests that contain card data, use network segmentation to isolate any system that touches cardholder data, encrypt at the application layer before storage and treat the encrypted form as out-of-scope only if the key is properly managed off-network, and tokenize aggressively. Scope reduction usually saves 60 to 90% of annual compliance cost.

Does PCI compliance satisfy SOC 2?

There is meaningful overlap (access controls, logging, vulnerability management) but neither replaces the other. PCI is prescriptive and narrow (card data). SOC 2 is principles-based and broad (overall security posture). Most regulated SaaS pursue both. The good news: a well-run SOC 2 program covers about 60% of PCI evidence requirements.

How long does PCI compliance take to achieve?

SAQ-A self-attestation: 4 to 8 weeks if your stack is already clean. SAQ-D with a QSA-led RoC: 12 to 24 weeks for a first audit, 8 to 12 weeks for subsequent renewals. Service Provider Level 1 onboarding: 4 to 9 months. Plan budget and timeline accordingly.

Related reading and next steps

Get your Stripe integration PCI-clean.

Free 30-minute Stripe + PCI review. We will tell you whether you are SAQ-A clean, what to change to get there, and what it would cost to stay there.

Or call Bill at (770) 652-1282

More compliance + payments reading

All posts
All blog postsUpdated May 12, 2026