This recipe produces a complete payment processing compliance implementation — covering PCI DSS level determination and SAQ completion, payment provider selection and integration, cross-border regulatory compliance (PSD2/SCA for EU, money transmitter licensing for US), and KYC/AML program setup. The output is a production-ready payment system that passes PCI compliance validation, handles multi-region transactions legally, and scales without accumulating regulatory debt. [src1]
Which path?

```text
├── Ecommerce startup (selling own products) AND US or US+EU
│   └── PATH A: Stripe Checkout — hosted redirect, SAQ A, fastest setup
├── SaaS with subscriptions AND any market
│   └── PATH B: Stripe Elements + Billing — embedded payment form, SAQ A, recurring billing
├── Marketplace/platform (facilitating payments between parties)
│   └── PATH C: Stripe Connect — platform payments, KYC handled by Stripe, MTL exemption possible
└── Fintech or custom payment flow (holding/transmitting funds)
    └── PATH D: Adyen + custom compliance — dedicated merchant account, full PCI program, MTL required
```
| Path | Tools | Setup Cost | Per-Transaction | Compliance Burden |
|---|---|---|---|---|
| A: Stripe Checkout | Stripe Checkout | $0 | 2.9% + $0.30 | SAQ A (29 items) — lightest |
| B: Stripe Elements + Billing | Stripe Elements, Billing | $0 | 2.9% + $0.30 + 0.5% Billing | SAQ A (29 items) — light |
| C: Stripe Connect | Stripe Connect, Dashboard | $0 | 2.9% + $0.30 + Connect fees | SAQ A + Connect compliance — moderate |
| D: Adyen + Custom | Adyen, compliance platform | $500-5,000 setup | 0.12-0.15% + $0.12-$0.30 | SAQ D or ROC + MTL — heaviest |
Duration: 30 minutes · Tool: PCI SSC documentation
Identify your compliance level based on projected annual card transaction volume. This determines whether you need an SAQ or a full QSA audit. [src6]
PCI DSS Merchant Levels:
Level 1: > 6 million transactions/year → Full QSA audit (ROC), $15K-$50K+/yr
Level 2: 1-6 million transactions/year → Annual SAQ + quarterly ASV scans
Level 3: 20K-1M e-commerce txn/year → Annual SAQ + quarterly ASV scans
Level 4: < 20K e-commerce txn/year → Annual SAQ (ASV recommended)
Most startups: Level 3 or Level 4
SAQ Type Selection:
SAQ A: Card data fully outsourced (Stripe Checkout/Elements) → 29 requirements
SAQ A-EP: Partial outsourcing (your server controls page) → 139 requirements
SAQ D: All other / service providers → 260+ requirements
Verify: Projected volume maps to a specific merchant level, and the integration approach maps to a specific SAQ type. · If failed: When volume is uncertain, assume Level 3 and SAQ A.
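As an added example (not part of the original recipe), the level and SAQ decision above expressed as code for an e-commerce-only merchant. The thresholds and requirement counts are the ones the step lists; the integration-style labels, field names and the `pci_scope` function are this example's own, and an unknown volume falls back to Level 3 as the step's "If failed" guidance says.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds from the step above (annual card transactions).
LEVEL_1_MIN_TXN = 6_000_001   # more than 6 million/year
LEVEL_2_MIN_TXN = 1_000_000   # 1-6 million/year
LEVEL_3_MIN_TXN = 20_000      # 20K-1M e-commerce/year; below that is Level 4

# Integration style -> SAQ type and approximate requirement count.
# The keys are this example's own labels, not PCI SSC terms.
SAQ_BY_INTEGRATION = {
    "hosted_redirect": ("A", 29),            # e.g. Stripe Checkout
    "hosted_iframe": ("A", 29),              # e.g. Stripe Elements, Adyen Drop-in
    "merchant_page_controls": ("A-EP", 139), # your server serves the payment page
    "card_data_on_server": ("D", 260),       # card data touches your systems
}


@dataclass(frozen=True)
class PciScope:
    level: int
    validation: str                    # what the level requires: SAQ or QSA audit (ROC)
    saq: Optional[str]                 # "A", "A-EP", "D"; None when a ROC replaces the SAQ
    requirement_count: Optional[int]
    volume_assumed: bool               # True when volume was unknown and the fallback applied


def merchant_level(annual_ecommerce_txn: Optional[int]) -> int:
    """Map projected annual e-commerce card transactions to a PCI DSS merchant level."""
    if annual_ecommerce_txn is None:
        return 3  # page guidance: uncertain volume -> assume Level 3
    if annual_ecommerce_txn >= LEVEL_1_MIN_TXN:
        return 1
    if annual_ecommerce_txn >= LEVEL_2_MIN_TXN:
        return 2
    if annual_ecommerce_txn >= LEVEL_3_MIN_TXN:
        return 3
    return 4


def pci_scope(annual_ecommerce_txn: Optional[int], integration: str) -> PciScope:
    """Combine the merchant level with the integration style to get the validation path."""
    if integration not in SAQ_BY_INTEGRATION:
        raise ValueError(f"unknown integration style: {integration!r}")
    assumed = annual_ecommerce_txn is None
    level = merchant_level(annual_ecommerce_txn)
    if level == 1:
        # Level 1 is validated by a QSA on-site assessment regardless of integration.
        return PciScope(1, "Annual QSA audit (ROC) + quarterly ASV scans", None, None, assumed)
    saq, count = SAQ_BY_INTEGRATION[integration]
    if level in (2, 3):
        validation = f"Annual SAQ {saq} + quarterly ASV scans"
    else:
        validation = f"Annual SAQ {saq} (ASV scans recommended)"
    return PciScope(level, validation, saq, count, assumed)


if __name__ == "__main__":
    for volume, style in [(50_000, "hosted_redirect"), (None, "hosted_iframe"),
                          (8_000_000, "card_data_on_server")]:
        print(volume, style, "->", pci_scope(volume, style))
```

The useful output is the gap between two `pci_scope` calls with the same volume: switching `hosted_iframe` to `card_data_on_server` moves a Level 3 merchant from 29 to 260+ requirements without changing anything else, which is the escalation the pitfalls section later warns about.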
Duration: 1-3 days · Tool: Stripe (Path A/B/C) or Adyen (Path D)
For most startups, Stripe with Checkout or Elements provides the fastest path to PCI-compliant payment acceptance. Hosted payment fields ensure cardholder data never touches your servers. [src8]
PATH A — Stripe Checkout (Redirect):
1. Create Stripe account at https://dashboard.stripe.com/register
2. Complete business verification (EIN, business address, bank account)
3. Integrate Stripe Checkout (server-side session creation)
4. Enable 3D Secure for EU transactions (automatic with Stripe Radar)
5. Configure webhook endpoint for payment confirmations
PATH B — Stripe Elements (Embedded):
1-2. Same as above
3. Add Stripe.js to payment page (loads from Stripe CDN)
4. Mount Payment Element with appearance customization
5. Set up CSP headers: frame-src https://js.stripe.com; script-src https://js.stripe.com;
PATH C — Stripe Connect (Marketplace):
1-2. Same as above
3. Apply for Stripe Connect (platform account)
4. Set up connected account onboarding flow
5. Stripe handles KYC/AML for connected accounts
PATH D — Adyen (Custom/Fintech):
1. Apply at https://www.adyen.com/ (underwriting: 1-4 weeks)
2. Integrate Adyen Drop-in or API
3. Implement full PCI DSS program (SAQ D: 260+ requirements)
Verify: Process a test transaction end-to-end in sandbox mode. · If failed: If Stripe verification stalls, check that the business information matches the state registration exactly.
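Step 5 of Path A ("configure webhook endpoint for payment confirmations") is where a hosted integration most often goes wrong in practice: an endpoint that fulfils orders on any POST it receives trusts whoever can reach it. The following is an added example, not Stripe's library or the recipe's own code. It verifies the `Stripe-Signature` header the way Stripe documents it (HMAC-SHA256 over `<timestamp>.<raw body>` with the endpoint secret, a `t=` timestamp checked against a freshness tolerance, and one or more `v1=` signatures), then dispatches the payment events the recipe refers to, including `payment_intent.requires_action` for a pending SCA challenge. The endpoint secret, event body and handler names are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Set, Tuple

# Signed-timestamp tolerance; stale deliveries are rejected to limit replay of captured requests.
DEFAULT_TOLERANCE_SECONDS = 300

# Constructed endpoint secret; a real one comes from the webhook settings in the Stripe Dashboard.
ENDPOINT_SECRET = "whsec_constructed_example_secret"


class SignatureVerificationError(Exception):
    """Raised when the Stripe-Signature header does not validate."""


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<raw body>', Stripe's documented signed payload."""
    signed_payload = f"{timestamp}.".encode() + raw_body
    return hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Produce the header Stripe would send; used here only to construct test deliveries."""
    return f"t={timestamp},v1={sign_payload(secret, timestamp, raw_body)}"


def _parse_signature_header(header: str) -> Tuple[int, List[str]]:
    timestamp: Optional[int] = None
    v1_signatures: List[str] = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":  # several v1 values can be present during secret rotation
            v1_signatures.append(value)
    if timestamp is None or not v1_signatures:
        raise SignatureVerificationError("malformed Stripe-Signature header")
    return timestamp, v1_signatures


def verify_webhook(raw_body: bytes, header: str, secret: str, *,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE_SECONDS) -> dict:
    """Return the parsed event if the signature is valid and fresh; raise otherwise.
    Always verify the raw request bytes: re-serialised JSON will not match."""
    timestamp, candidates = _parse_signature_header(header)
    expected = sign_payload(secret, timestamp, raw_body)
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise SignatureVerificationError("signature mismatch")
    current = int(time.time()) if now is None else now
    if abs(current - timestamp) > tolerance:
        raise SignatureVerificationError("timestamp outside tolerance")
    return json.loads(raw_body)


def handle_event(event: dict, processed: Set[str]) -> str:
    """Dispatch a verified event and return the action taken. Stripe may redeliver an
    event, so IDs already processed are skipped rather than fulfilled twice."""
    event_id = event["id"]
    if event_id in processed:
        return "duplicate"
    processed.add(event_id)
    intent = event.get("data", {}).get("object", {})
    event_type = event.get("type")
    if event_type == "payment_intent.succeeded":
        return f"fulfil:{intent['id']}"
    if event_type == "payment_intent.requires_action":
        # SCA challenge pending: do not fulfil; the client must finish stripe.confirmPayment().
        return f"await_sca:{intent['id']}"
    if event_type == "payment_intent.payment_failed":
        return f"failed:{intent['id']}"
    return "ignored"


# Constructed sample delivery (not a real Stripe event).
SAMPLE_EVENT_BODY = json.dumps({
    "id": "evt_constructed_001",
    "type": "payment_intent.succeeded",
    "data": {"object": {"id": "pi_constructed_001", "amount": 2000, "currency": "eur"}},
}).encode()

if __name__ == "__main__":
    ts = int(time.time())
    header = build_signature_header(ENDPOINT_SECRET, ts, SAMPLE_EVENT_BODY)
    event = verify_webhook(SAMPLE_EVENT_BODY, header, ENDPOINT_SECRET)
    print(handle_event(event, set()))
```

In a real handler `raw_body` is the unmodified request body and `header` is the incoming `Stripe-Signature` value; the `processed` set stands in for a durable store of handled event IDs, which is what makes fulfilment idempotent across Stripe's retries.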
Duration: 1-5 days (SAQ A) or 2-8 weeks (SAQ D) · Tool: PCI SSC SAQ forms or compliance platform
Complete the applicable SAQ and implement all required controls. SAQ A has 29 requirements focusing on access controls, vendor management, and policy documentation. [src1]
SAQ A Key Requirements (PCI DSS 4.0.1):
Req 2: Secure default configurations — change all default passwords
Req 6: Secure systems — CSP headers for iframe; patched systems
Req 7: Restrict access — need-to-know on payment dashboards
Req 8: Authentication — MFA, 12-char passwords, lockout after 10 failures
Req 11: Security testing — quarterly ASV scans ($100-$500/quarter)
Req 12: Security policies — documented policies, annual training, IR plan
Verify: All SAQ questions answered “Yes” or justified “N/A.” ASV scan shows no high/critical vulnerabilities. · If failed: Remediate vulnerabilities and re-scan (unlimited re-scans within quarter).
Duration: 1-3 days (Stripe/Adyen) or 2-4 weeks (custom) · Tool: Payment provider SCA features
If accepting payments from EU/EEA customers, PSD2 Strong Customer Authentication is mandatory. [src3]
PSD2/SCA Compliance Checklist:
[ ] 3D Secure 2 (3DS2) enabled for EU transactions
[ ] SCA exemptions configured: low-value (< EUR 30), recurring, low-risk TRA
[ ] Payment failure handling for SCA challenges
[ ] PSD3 preparation (expected 2026-2027): monitor ECB/EBA announcements
Verify: Test with 3DS-required test card. Confirm challenge appears and completes. · If failed: Check Stripe Radar rules or Adyen risk engine configuration.
Duration: 1 week (assessment) to 6-12 months (licensing) · Tool: Legal counsel, FinCEN portal
Determine whether your business model requires money transmitter licensing and/or FinCEN MSB registration. Critical for marketplace, platform, and fintech models. [src5]
Models that typically NEED MTL:
- Payment facilitator holding funds in escrow
- Wallet/stored-value provider
- Money transfer/remittance service
Models that typically DO NOT need MTL:
- Ecommerce selling own products (merchant)
- SaaS subscription billing (merchant)
- Marketplace using Stripe Connect (Stripe holds MTL)
State MTL requirements:
- Application fee: $500-$5,000 per state
- Surety bond: $25,000-$500,000 (varies)
- Net worth minimum: $100,000-$500,000
- Processing time: 6-12 months
Verify: Legal counsel has confirmed MTL requirements. If required, FinCEN MSB registration filed. · If failed: Use Stripe Connect to potentially inherit Stripe's MTL coverage.
Duration: 1-2 weeks · Tool: Stripe Identity or manual compliance program
If your startup qualifies as an MSB, implement a KYC/AML program satisfying BSA requirements. [src4]
KYC/AML Program Components:
1. Customer Identification Program (CIP): ID verification, Stripe Identity ($1.50/check)
2. Customer Due Diligence (CDD): risk-rating, beneficial owner verification, sanctions screening
3. Transaction Monitoring: $10K+ CTR filing, structuring detection, unusual patterns
4. Reporting: CTRs and SARs via FinCEN BSA E-Filing
5. Record Retention: 5+ years for all customer and transaction records
6. Training: annual AML training for all employees
Verify: Written AML policy approved by compliance officer. CIP procedures tested. Sanctions screening integrated. · If failed: Consider compliance-as-a-service (Unit21, Alloy, Sardine: $500-$2,000/month).
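Component 3 above (transaction monitoring: CTR aggregation and structuring detection) is the part of the program that is usually code rather than policy. As an added example that is not the recipe's own, here are both rules run over a constructed set of cash transactions: daily cash per customer is aggregated against the CTR threshold (a CTR is due when one business day's cash exceeds $10,000, which is why two smaller same-day deposits are caught), and a simple sliding-window heuristic flags several just-under-threshold transactions in a short period. The band, count and window are this example's own parameters, and calendar days stand in for business days.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CTR_THRESHOLD_CENTS = 1_000_000  # $10,000.00; a CTR is due when a day's cash exceeds this
# Constructed "just under the threshold" band used by the structuring heuristic.
STRUCTURING_BAND_CENTS = (800_000, CTR_THRESHOLD_CENTS)


@dataclass(frozen=True)
class CashTxn:
    customer_id: str
    at: datetime
    amount_cents: int


def daily_cash_totals(txns: List[CashTxn]) -> Dict[Tuple[str, str], int]:
    """Aggregate cash per customer per calendar day (stand-in for 'business day')."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for t in txns:
        totals[(t.customer_id, t.at.date().isoformat())] += t.amount_cents
    return dict(totals)


def ctr_candidates(txns: List[CashTxn], threshold: int = CTR_THRESHOLD_CENTS) -> List[dict]:
    """Customer-days whose aggregated cash exceeds the CTR threshold."""
    return [
        {"customer_id": cid, "business_day": day, "total_cents": total}
        for (cid, day), total in sorted(daily_cash_totals(txns).items())
        if total > threshold
    ]


def structuring_alerts(txns: List[CashTxn], *, band: Tuple[int, int] = STRUCTURING_BAND_CENTS,
                       min_count: int = 3, window_days: int = 7) -> List[dict]:
    """Flag customers with >= min_count in-band cash transactions inside a rolling window
    whose sum exceeds the CTR threshold: individually unreportable, collectively suspicious."""
    by_customer: Dict[str, List[CashTxn]] = defaultdict(list)
    for t in txns:
        if band[0] <= t.amount_cents <= band[1]:
            by_customer[t.customer_id].append(t)
    window = timedelta(days=window_days)
    alerts = []
    for cid in sorted(by_customer):
        items = sorted(by_customer[cid], key=lambda t: t.at)
        for i, start in enumerate(items):
            in_window = [t for t in items[i:] if t.at - start.at <= window]
            total = sum(t.amount_cents for t in in_window)
            if len(in_window) >= min_count and total > CTR_THRESHOLD_CENTS:
                alerts.append({"customer_id": cid, "count": len(in_window),
                               "total_cents": total, "from": start.at.date().isoformat()})
                break  # one alert per customer is enough to queue a review
    return alerts


# Constructed sample data; not real customers or transactions.
SAMPLE_CASH_TXNS = [
    CashTxn("cust_A", datetime(2024, 3, 4, 10, 0), 1_250_000),  # single $12,500 deposit
    CashTxn("cust_B", datetime(2024, 3, 4, 11, 0), 950_000),    # $9,500
    CashTxn("cust_B", datetime(2024, 3, 5, 11, 0), 980_000),    # $9,800
    CashTxn("cust_B", datetime(2024, 3, 6, 11, 0), 970_000),    # $9,700
    CashTxn("cust_C", datetime(2024, 3, 4, 9, 0), 400_000),     # $4,000 ...
    CashTxn("cust_C", datetime(2024, 3, 4, 16, 0), 700_000),    # ... plus $7,000 same day = $11,000
    CashTxn("cust_D", datetime(2024, 3, 4, 12, 0), 200_000),    # $2,000, nothing to report
]

if __name__ == "__main__":
    print("CTR candidates:", ctr_candidates(SAMPLE_CASH_TXNS))
    print("Structuring alerts:", structuring_alerts(SAMPLE_CASH_TXNS))
```

The CTR rule is mechanical and its output feeds the filing step (component 4); the structuring rule only produces review queue entries, since whether a SAR is warranted is an analyst's decision, and the parameters should be tuned against the business's own cash profile rather than copied.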
```json
{
  "output_type": "payment_compliance_plan",
  "format": "JSON",
  "columns": [
    {"name": "compliance_area", "type": "string", "description": "PCI DSS, PSD2/SCA, MTL, KYC/AML"},
    {"name": "status", "type": "string", "description": "not_started, in_progress, compliant, not_applicable"},
    {"name": "level_or_type", "type": "string", "description": "PCI Level 1-4, SAQ A/D, MSB status"},
    {"name": "provider", "type": "string", "description": "Payment provider or compliance tool selected"},
    {"name": "estimated_cost", "type": "string", "description": "Annual compliance cost estimate"},
    {"name": "next_action", "type": "string", "description": "Immediate next step for this area"}
  ],
  "expected_row_count": "4-6",
  "sort_order": "risk priority descending",
  "deduplication_key": "compliance_area"
}
```
| Quality Metric | Minimum Acceptable | Good | Excellent |
|---|---|---|---|
| PCI SAQ completion | All items answered | Passed + ASV scan clean | Passed + pen test + annual review scheduled |
| SCA implementation | 3DS enabled for EU | 3DS + exemption optimization | 3DS + exemptions + conversion monitoring |
| Licensing assessment | Legal counsel opinion obtained | All required registrations filed | All licenses granted + renewal calendar set |
| KYC/AML program | Written policy exists | Policy + automated screening | Full program + monitoring + annual audit |
| Documentation | Basic compliance records | Policies + evidence binder | Full audit trail + incident response tested |
If below minimum: Do not launch payment processing in production until minimum thresholds are met for PCI DSS and applicable licensing.
| Error | Likely Cause | Recovery Action |
|---|---|---|
| Stripe account verification rejected | Business info mismatch with state records | Ensure legal entity name, EIN, and address match state registration exactly. Re-submit with supporting documents. |
| ASV scan fails with high-severity findings | Unpatched systems or exposed services | Patch vulnerabilities, remove unnecessary services, re-scan (unlimited re-scans per quarter). |
| 3DS challenge loop — transaction never completes | Misconfigured return URL or webhook | Check webhook for payment_intent.requires_action event. Ensure client handles stripe.confirmPayment() return. |
| EU transactions declining at high rate | SCA not properly implemented | Verify 3DS2 is active (not 3DS1). Enable Stripe Radar optimized exemptions. |
| MTL application denied by state | Insufficient surety bond or incomplete application | Address specific deficiency. Engage fintech licensing attorney. Consider MTMA states first. |
| FinCEN registration delayed | Incomplete beneficial ownership info | Verify all 25%+ beneficial owners listed with correct SSN/TIN. Re-file via BSA E-Filing. |
| Component | Startup (< 20K txn/yr) | Growth (20K-1M txn/yr) | Scale (1M+ txn/yr) |
|---|---|---|---|
| Payment processing | 2.9% + $0.30/txn | 2.9% + $0.30 (volume discounts) | Custom pricing (2.2-2.5%) |
| PCI compliance | $0-$500/yr (SAQ A) | $500-$2,000/yr | $15,000-$50,000/yr (QSA audit) |
| Compliance platform | $0 (manual) | $200-$500/month | $500-$1,500/month |
| ASV quarterly scans | $100-$200/quarter | $200-$500/quarter | Included with QSA |
| Money transmitter licensing | $0 (if exempt) | $10K-$50K (if needed) | $50K-$200K (full 50-state) |
| KYC/AML program | $0 (Stripe handles) | $500-$2,000/month | $2,000-$10,000/month |
| Legal counsel | $2,000-$5,000 (initial) | $5,000-$15,000/yr | $15,000-$50,000/yr |
| Total Year 1 | $2,000-$6,000 | $15,000-$75,000 | $100,000-$350,000 |
Storing or processing cardholder data directly escalates you from SAQ A (29 requirements) to SAQ D (260+ requirements) — transforming PCI compliance from a two-week project into a six-month effort costing $50,000+. [src2]
Use Stripe Checkout (redirect), Stripe Elements (iframe), Adyen Drop-in, or Braintree Hosted Fields. Your server never sees card numbers, keeping you at SAQ A.
Operating as a money transmitter without a license is a federal offense with penalties up to $250,000 and 5 years imprisonment. [src5]
Have fintech counsel assess your money transmission exposure before launching marketplace payments. Use Stripe Connect to potentially shelter under Stripe's licenses.
Transactions without proper SCA will be soft-declined by EU issuing banks, causing 10-30% payment failure rates. [src3]
Activate 3D Secure 2 for all EU-originating transactions. Configure exemptions to minimize checkout friction while maintaining compliance.
PCI DSS requires ongoing compliance — quarterly ASV scans, annual SAQ re-assessment, continuous monitoring. Letting compliance lapse risks fines and breach liability. [src1]
Set quarterly reminders for ASV scans, annual reminders for SAQ re-assessment and staff training, and integrate compliance monitoring into your development workflow.
Use this recipe when a startup is setting up payment processing for the first time or expanding to new geographic markets. It produces a compliant payment infrastructure with clear regulatory standing. Required before accepting any real payment transactions — launching without PCI compliance or proper licensing exposes the startup to fines, fraud liability, and potential criminal penalties.