Information Security
mobile pci-dss pci-scope payment-gateway
Updated Fri, 23 Sep 2022 22:47:24 GMT

When to complete PCI DSS Compliance Paperwork

I am working for a startup that will soon begin processing payments with Stripe.

Looking at their documentation, it seems we will have to file an SAQ A, SAQ A-EP, or an SAQ D depending on our integration method.

How soon will we need to submit one of these documents? It seems they are filed on an annual basis, but does it need to be done before accepting payments, or is something that can be filed within a year from when we first start accepting payments?

Additionally, is there a certain threshold - $'s or # of transactions - that changes the answer to that question? Since we are a new business, it may take some time for us to reach 20k transaction threshold.

Thanks in advance !


As you'll be processing payments, your acquirer should ask you to demonstrate compliance. Alternatively, other partners may request you demonstrate compliance. It's entirely possible no one will ask you to demonstrate compliance for some time.

If you're a merchant and transacting less than 6 million Visa or Mastercard transactions per year, you can self-assess using the relevant SAQ.

If you're a service provider and transacting less than 250k Visa or Mastercard transactions per year, you can self-assess using SAQ D.

If you are above either of the above thresholds, you're a Level 1 Merchant or Service Provider and will not be able to self-assess. You will need a QSA to perform an on-site assessment and complete a Report on Compliance.

If no one asks you to demonstrate compliance, you should still ensure you're familiar with the requirements and have the requisite security processes in place.

External Links

External links referenced by this document: