guides · 2026-08-27 · 6 min read

Staying Out of PCI-DSS Scope: Card Data Never Touches Your Server with Stripe Elements

The Stripe.js Elements + tokenization pattern for PCI-DSS SAQ-A. Real cost comparison: $0 self-assessment vs $8,000+ SAQ-D pen-test.

thMenu Team

thmenu.com

You run an 18-table restaurant and want guests to pay by card straight from the QR menu. The moment a raw PAN (the full card number) passes through your server, even transiently, SAQ-A is off the table and you are in PCI-DSS SAQ-D territory: penetration tests, quarterly ASV scans, segmentation reviews, easily $8,000+ per year. With the right architecture the card number never reaches your server, and that compliance bill is zero.

SAQ-A vs SAQ-D: why scope matters

SAQ-A is the lightest PCI-DSS self-assessment questionnaire, reserved for merchants whose payment page is fully outsourced to a PCI-validated processor. The v3.2.1 form was 22 yes/no questions; the v4 form additionally expects you to protect the page that embeds the payment iframe against unauthorized scripts. No external assessor is required, so the direct cost is effectively $0, and you can complete it yourself in an afternoon.

SAQ-D is the opposite end. It applies the moment a card number touches systems you control: memory, logs, a temporary variable, anything. It brings quarterly ASV scans, an annual penetration test, intrusion detection, and network segmentation. Plan for $8,000-15,000 in ongoing compliance overhead.

The Stripe Elements tokenization pattern

Stripe.js Elements render the card input inside an iframe served from js.stripe.com. The PAN, CVV, and expiry never share an origin with your application, so the browser's same-origin policy stops your JavaScript from reading them even if it tries. The flip side is that the page embedding the iframe is still yours: a script injected into it (a compromised third-party dependency, an XSS bug) could replace the iframe with a look-alike form, which is why PCI-DSS v4 cares about script integrity on that page. Keep the payment page free of scripts you have not reviewed and serve it with a Content-Security-Policy that only allows Stripe's origins in frame-src and script-src.

  • Your server creates a PaymentIntent for the order total and hands its client_secret to the browser; the secret authorizes confirming that one intent and nothing else
  • Customer types card number → trapped inside Stripe's iframe
  • Frontend calls stripe.confirmCardPayment(clientSecret, { payment_method: { card: cardElement } }) → Stripe.js sends the card data to Stripe directly and resolves with the confirmed PaymentIntent (pi_xxx) carrying a PaymentMethod id (pm_xxx)
  • Your server only ever sees those identifiers, plus last4 and brand, never raw PAN data

Why thMenu uses this by default

thMenu's Platinum tier ships Stripe Elements out of the box. There is no opt-in checkbox to "send card to server" because the backend code never references a PAN. You don't need a log-redaction policy or card-data retention rules, because the data is simply not in your system. The one thing to police is that nobody later adds a plain card-number input that posts to your own backend; that single field would silently undo all of this.

On top of that, 3D Secure 2 challenges and PSD2 Strong Customer Authentication are handled inside Stripe's confirmation flow: if the issuer demands a challenge, confirmCardPayment opens it in a Stripe-hosted dialog and resolves only afterwards. Whether you operate in the EU, UK, or Turkey, the compliance load stays on Stripe's side.

FAQ

Do I still need an annual audit under SAQ-A? No. SAQ-A is a self-assessment: once a year you complete the questionnaire and its Attestation of Compliance and submit them to your acquiring bank. The acquirer sets the exact reporting schedule, so confirm it with them.

Does Stripe webhook data put me back in scope? No. Webhook payloads carry last4, brand, and expiry month/year, never the full PAN, so they are outside scope. They do carry business meaning, though: a payment_intent.succeeded event is what releases the order to the kitchen, so verify the Stripe-Signature header on every event before acting on it. An unverified webhook endpoint lets anyone on the internet mark an unpaid order as paid.

What about phone orders where staff types the card? Typing a card number into your own software puts that workstation, and you, in SAQ-D scope. Keep tokenization intact instead: send the customer a Stripe Payment Link, or take the card on a Stripe Terminal reader, so the number still goes straight to Stripe and never through your systems.
