Your Shopify store processed a chargeback last month. Your acquiring bank is now asking for a completed SAQ and an ASV scan certificate. You assumed Shopify handled all of this. It doesn’t; not entirely.
Here’s exactly what falls on you, what falls on Shopify, and how to close the gap without overspending or overcomplicating it.
Shopify is a PCI DSS Level 1 certified service provider, which covers the platform infrastructure. However, Shopify merchants are still independently responsible for their own PCI compliance scope, including completing the correct Self-Assessment Questionnaire (SAQ), maintaining their network environment and, in many cases, completing an annual ASV vulnerability scan on any IP addresses that form part of their Cardholder Data Environment (CDE). Under PCI DSS 4.0.1, failing to do so puts your merchant account and card acceptance at risk.
Shopify operates at PCI DSS Service Provider Level 1, the highest level of certification. This covers:
What it does not cover:
This is the shared responsibility model — and misunderstanding it is the single most common reason Shopify merchants fail their annual compliance review.
Your SAQ type determines your compliance workload. Under PCI DSS 4.0.1, the applicable SAQ depends entirely on how your store handles cardholder data.
| Shopify Configuration | Applicable SAQ | ASV Scan Required? |
|---|---|---|
| Shopify Payments, hosted checkout, no custom code | SAQ A | No |
| Redirect to third-party processor (e.g. PayPal, Stripe) | SAQ A | No |
| JavaScript-based payment form embedded on your domain | SAQ A-EP | Yes |
| Custom checkout with direct POST to processor | SAQ D (Merchant) | Yes |
| Headless Shopify with self-hosted payment component | SAQ D (Merchant) | Yes |
| Shopify Plus with custom app handling PANs | SAQ D (Merchant) | Yes |
Key insight: Most standard Shopify merchants using Shopify Payments and the default hosted checkout qualify for SAQ A — the lightest-touch option. However, if you’ve installed a custom checkout app, a payment extension, or a conversion-optimisation tool that injects JavaScript into your payment flow, you likely shift into SAQ A-EP territory, which mandates an ASV scan.
This is the hidden compliance trap that catches mid-market Shopify operators off guard.
An Approved Scanning Vendor (ASV) scan is a quarterly external vulnerability scan of your internet-facing IP addresses that are in scope for PCI. It is required when:
If you use standard Shopify Payments with default checkout: You do not need an ASV scan for your own infrastructure; Shopify’s scan covers the platform. But your bank may still request evidence of your SAQ completion.
If you run any custom checkout component, headless architecture, or embedded JS payment form: Your domain and hosting IPs enter your CDE scope and require quarterly ASV scanning.
Having run thousands of ASV scans, we find the failure patterns on Shopify-adjacent infrastructure are predictable:
PCI DSS 4.0.1 became the only active version as of 31 March 2025. The transition grace period is over. Key changes with direct relevance to Shopify merchants:
| Requirement | Change Under 4.0.1 | Shopify Impact |
|---|---|---|
| Req 6.4.3 | All payment page scripts must be authorised and integrity-checked | Any third-party JS on your checkout page (analytics, chatbots, A/B tools) must be inventoried and validated |
| Req 11.3.2 | Quarterly ASV scans mandatory for in-scope IPs | Headless/custom checkout operators cannot skip this |
| Req 12.3.2 | Targeted Risk Analysis (TRA) now required for customised controls | Custom Shopify Plus configurations need formal risk documentation |
| Req 4.2.1 | TLS 1.0/1.1 explicitly prohibited | Any infrastructure in your CDE must enforce TLS 1.2 minimum |
| Req 8.3.6 | Passwords minimum 12 characters for system components | Admin access to any self-hosted Shopify middleware must comply |
Requirement 6.4.3 is the one most Shopify operators are unprepared for. If you have Google Tag Manager, Hotjar, a live chat widget, or a review platform script loading on your checkout page, you are now required to maintain an inventory of those scripts, confirm their purpose, and verify their integrity. A breach via a third-party script (Magecart-style attack) is now explicitly your liability.
For standard Shopify Payments merchants (SAQ A):
Most Shopify merchants don’t need an enterprise-priced scanning platform. They need accurate results, fast turnaround, and a clear pass certificate they can send to their bank.
Secusy delivers exactly that:
Pricing that matches your scope:
| Scope | Annual Price |
|---|---|
| 1 IP | $80/year |
| 5 IPs | $350/year |
| 10 IPs | $600/year |
For the majority of Shopify operators with a small CDE footprint, that’s the full annual cost of ASV compliance. No per-scan fees, no enterprise contracts.
For a full breakdown of what ASV scanning covers and how the process works end-to-end, read our comprehensive PCI ASV guide.
If your Shopify setup puts you in SAQ A-EP or SAQ D territory, quarterly ASV scanning is not optional; it’s a condition of your merchant agreement. The cost of non-compliance is card acceptance suspension. The cost of compliance with Secusy starts at $80.