ezet / stripe-sdk

A simple and flexible Stripe library for Flutter with complete support for SCA and PSD2.
https://pub.dev/packages/stripe_sdk

By using this library, will I have a PCI compliant payment integration? #86

Closed GyuriMajercsik closed 4 years ago

ezet commented 4 years ago

I think that depends on your implementation. If any sensitive information, such as card data, is ever sent to your server, your system will probably have to comply with the full PCI regulation. If you only collect card details locally on the device, and can guarantee that these details never leave the device except for the call to Stripe to obtain a token, you are likely PCI compliant. If in doubt, I recommend contacting Stripe directly.

GyuriMajercsik commented 4 years ago

Thanks @ezet for the fast response.

I believe you can't get a SAQ A validation, which is the simplest way to be compliant.

Based on Stripe documentation from https://stripe.com/docs/security/guide#validating-pci-compliance:

Stripe’s mobile SDK development and change control is done in accordance with PCI DSS (requirements 6.3 - 6.5) and is delivered via our PCI validated systems. As such, we advise our users to rely on UI components from our official SDKs for iOS or Android, or to build a payment form with Elements in a WebView, to be eligible for the simplest form of PCI validation: SAQ A. If you only use our mobile SDKs or an Elements-based WebView, you can inform your PCI auditor that card numbers pass directly from your customers to Stripe.

Should you do otherwise, such as writing your own code to handle card information, you may be responsible for additional PCI DSS requirements (6.3 - 6.5) and not be eligible for an SAQ A. In this case, we’d suggest you reach out to a PCI Qualified Security Assessor (QSA) to determine how best to validate your compliance according to the current guidance from the PCI Council.

ezet commented 4 years ago

Well, it says you may be responsible for additional PCI DSS requirements, and I think this depends on the actual implementation. I think the critical factor is whether you can guarantee that the information never leaves the device, except for the request to Stripe's PCI DSS compliant servers. In this case, it's important to also consider any kind of logging, crash reports and so on. But Stripe does offer help in this regard, so I suggest contacting them.

GyuriMajercsik commented 4 years ago

Thanks for your input on this.