#mizark


hoary waveBOT
desert cosmos

Hello! If you collect raw credit card numbers in your custom form and then use the Stripe API directly to tokenize the cards, you become subject to the full PCI compliance standards. In your case this means you'd have to submit a SAQ D form annually to prove that you are PCI compliant [0]. It's a 40-page form and typically not a headache most companies want to be dealing with.

[0] see https://stripe.com/docs/security/guide#validating-pci-compliance under "API Direct" as this is what your integration would be classified as.

Ensure PCI compliance and secure customer-server communications.


I really don't recommend doing an API Direct integration