Do You Need to be PCI Compliant if Using a Payment Gateway?

Giulio Saggin
Tuesday 28 November 2023

Some entities needing to attain PCI compliance may have to meet more than 300 security controls listed in the PCI DSS. If that sounds daunting, consider that the PCI Council has published 1,800+ pages of documentation relating to the PCI DSS, which equates to around three days of solid reading!

One way around spending goodness-knows-how-many worker hours reading, reading, reading is to use a payment gateway: an external e-commerce service that handles and authorises the processing of credit card payments.

However, a payment gateway doesn't relieve an entity of the need to show PCI compliance. What it does is greatly reduce the number of applicable security controls, from 300-odd to around 20, by ensuring the credit card data a business processes is handled off-site.

The payment gateway service is integrated into an entity's website and takes control of the credit card data the moment it is entered, so the data never reaches the website's servers. This removes the website from the scope of many of the PCI compliance security controls.
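As an added example (not from this post, and not Stripe's or any gateway's own code), here is a small JavaScript simulation of the two integration patterns the paragraph contrasts: a checkout form that posts raw card data to the merchant's server, and one where the browser tokenizes with the gateway first so the merchant server only ever receives an opaque token. The in-memory gateway, the `tok_demo_` token format and the sample checkout data are constructed stand-ins. The `findPans` scan (digit runs of 13 to 19 that pass the Luhn checksum) is the kind of check you can run over request bodies and logs to confirm that card numbers really are staying off your servers.

```javascript
// Added example (not from the post, and not Stripe's or any gateway's API):
// two checkout integration patterns and a scan of what reaches the merchant.
// The "gateway" here is a constructed in-memory stand-in.

// Luhn check: true for a 13-19 digit string that passes the mod-10 checksum.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Find PAN-like values (13-19 digits, optional space/dash separators,
// Luhn-valid) anywhere in a string such as a request body or a log line.
function findPans(text) {
  const found = [];
  const re = /\b\d(?:[ -]?\d){12,18}\b/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// Pattern 1: the checkout form posts raw card data to the merchant's own
// server. That server now handles cardholder data, so the full control set
// applies to it.
function directPostPayload(form) {
  return JSON.stringify({
    order_ref: form.orderRef,
    amount: form.amount,
    card_number: form.cardNumber,
    exp: form.exp,
    cvv: form.cvv,
  });
}

// Constructed stand-in for a gateway's tokenization endpoint. In a real
// integration the browser sends card data straight to the gateway over TLS
// and gets back an opaque token; the card data stays in the gateway's vault.
const gatewayVault = new Map();
let tokenCounter = 0;
function gatewayTokenize(card) {
  tokenCounter += 1;
  const token = `tok_demo_${tokenCounter}`;
  gatewayVault.set(token, card);
  return token;
}

// Pattern 2: browser-side code tokenizes with the gateway first; the merchant
// server only sees the token plus non-card order data.
function tokenizedPayload(form) {
  const token = gatewayTokenize({ number: form.cardNumber, exp: form.exp, cvv: form.cvv });
  return JSON.stringify({
    order_ref: form.orderRef,
    amount: form.amount,
    payment_token: token,
  });
}

// Defender check: does any PAN reach the merchant server in this payload?
function panReachesMerchant(payload) {
  return findPans(payload).length > 0;
}

// Constructed sample checkout. 4242 4242 4242 4242 is a Luhn-valid number;
// the order reference is a 13-digit run that is NOT Luhn-valid, so the scan
// must not flag it.
const sampleForm = {
  orderRef: '1234567890123',
  amount: 1999,
  cardNumber: '4242 4242 4242 4242',
  exp: '12/30',
  cvv: '123',
};

console.log('direct post leaks PAN:', panReachesMerchant(directPostPayload(sampleForm))); // true
console.log('tokenized leaks PAN:', panReachesMerchant(tokenizedPayload(sampleForm)));    // false
```

Run it with `node` to see the two results. If a scan like this ever finds a PAN in traffic or logs on the merchant side, the website is back in scope for the controls the gateway was supposed to take off your hands, and the reduced SAQ no longer reflects reality.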

SecAlerts uses Stripe, and the Stripe site has a page dedicated to PCI compliance and how Stripe can assist a business. Compliance is usually demonstrated via a Self-Assessment Questionnaire (SAQ), one of several created by the PCI Council. In some cases, Stripe even fills in the details of the SAQ and it's a simple case of downloading the ready-to-use form.

So, in short ... yes, you still need to show PCI compliance if using a payment gateway, but the pain is greatly reduced.
