If businesses pass card information directly to Stripe's API, which SAQ is required for PCI compliance?

Get ready for the Stripe Associate Architect Certification. Study with flashcards and multiple-choice questions; each question has hints and explanations. Ace your exam today!

When businesses pass card information directly to Stripe's API, they must meet strict requirements under the Payment Card Industry Data Security Standard (PCI DSS). In this case, the correct Self-Assessment Questionnaire (SAQ) is SAQ D.

SAQ D is specifically designed for merchants who handle cardholder data and have a higher level of risk due to the way they interact with that data. This includes businesses that process credit card transactions directly through their systems, such as through a payment gateway or API, where they may have access to sensitive cardholder information. Therefore, SAQ D requires comprehensive security measures, including maintaining a secure network, implementing strong access control measures, and regularly monitoring and testing networks.

In contrast, other SAQs like SAQ A, B, or C typically cater to businesses that have lower exposure to cardholder data or that use third-party services to handle payment processing on their behalf, resulting in less stringent compliance requirements. SAQ A, for example, is for e-commerce merchants who do not store, process, or transmit cardholder data but instead redirect customers to a third-party payment processor. This illustrates the need for merchants processing card data directly to adhere to the more rigorous guidelines outlined in SAQ D.
