A $1,100 MRR payment app hits an unresolved PCI scope question
A payment module is being built for small-business online services to embed. It connects to Stripe but focuses on the transaction records accountants need for audits instead of offering only general payment features. Three pilot customers are using it, producing about $1,100 in .
The next version would store . Stripe’s software kit keeps raw card details out of the module, which stores only s that stand in for those details. Even so, its exact PCI DSS obligations remain unclear.
Stripe’s appears to place the setup under SAQ A, but different sections of the PCI council’s guidance can lead to another interpretation. Two lawyers charging $500 an hour reached opposite conclusions, so the question remains unresolved despite the expense.
Key points
- The Stripe-based module can be embedded in online services for small businesses.
- It has three pilot customers and about $1,100 in .
- It stores s to , not raw card details.
- Stripe’s and the PCI council’s guidance do not produce a clear, consistent answer.
- Two lawyers charging $500 an hour gave opposite opinions.