PCI DSS v4.0
Overview
The Payment Card Industry Data Security Standard (PCI DSS) version 4.0 is the current baseline set of requirements maintained by the PCI Security Standards Council for any organization that stores, processes, or transmits cardholder data, or that can affect the security of the cardholder data environment (CDE). Backbuild customers who accept card payments on top of the platform inherit scoping obligations that this page is intended to clarify.
Current status
Controls aligned — Backbuild is not a CDE
Backbuild does not store, process, or transmit cardholder data. Payment card operations are fully offloaded to Stripe under Stripe's PCI DSS Level 1 Service Provider attestation. As a result, Backbuild's own infrastructure is out of scope for PCI DSS, and customer PCI audits generally need only cover the integration boundary between the customer's application and Stripe.
Scoping Backbuild out of your CDE
To keep cardholder data out of Backbuild infrastructure and minimize your PCI scope, use one of the following Stripe-provided collection methods:
- Stripe Checkout: customers are redirected to Stripe-hosted pages. Cardholder data is collected entirely by Stripe.
- Stripe Elements and Payment Element: card fields render inside Stripe-controlled iframes; only tokens are exchanged with your application.
- Stripe Terminal or mobile SDKs: for in-person or mobile card acceptance scenarios, handled under Stripe's validated scope.
In all supported integration patterns, only opaque payment method tokens, identifiers, and metadata pass through Backbuild. Primary account numbers, expiration dates, and CVV values never traverse Backbuild workers, storage, or databases.
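One way to verify the token-only boundary described above, as an added example that is not Backbuild's or Stripe's code: a guard a worker can run on a Stripe-related payload before it is logged or stored, which passes opaque tokens through and flags Luhn-valid PAN-like numbers or sensitive field names. The Stripe identifier prefixes and the sensitive key list are assumptions.

```javascript
// Added example, not Backbuild or Stripe code: a guard a worker can run before a
// Stripe-related payload is logged or persisted, to confirm that only opaque
// tokens and metadata are present and flag anything that looks like cardholder data.

// Luhn checksum over a digit string (PANs carry a valid Luhn check digit).
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Field names that should never appear in platform-side payloads (assumed list).
const SENSITIVE_KEY = /^(card_?number|pan|cvc|cvv2?|exp_?(month|year)|expiry)$/i;
// Opaque Stripe identifiers such as pm_..., tok_..., pi_... (prefix list assumed).
const OPAQUE_TOKEN = /^(pm|tok|pi|cus|ch|src)_[A-Za-z0-9]+$/;

// Walk a parsed JSON payload; return JSON paths holding PAN-like numbers
// (13-19 digits, separators tolerated, Luhn-valid) or sensitive field names.
function findCardholderData(value, path = "$", hits = []) {
  if (typeof value === "string") {
    if (OPAQUE_TOKEN.test(value)) return hits; // recognized token: pass through
    for (const c of value.match(/(?:\d[ -]?){12,18}\d/g) || []) {
      if (luhnValid(c.replace(/[ -]/g, ""))) { hits.push(path); break; }
    }
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findCardholderData(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_KEY.test(k)) { hits.push(`${path}.${k}`); continue; }
      findCardholderData(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Decide whether a payload may proceed into platform storage or logs.
function checkOutOfScope(payload) {
  const hits = findCardholderData(payload);
  return { ok: hits.length === 0, hits };
}

// Constructed samples: a token-only payload, and one leaking Stripe's public
// 4242 4242 4242 4242 test number plus a CVC field.
const SAFE_PAYLOAD = { payment_method: "pm_1ExampleToken", metadata: { order: "A-1001" } };
const LEAKY_PAYLOAD = { card: { number: "4242 4242 4242 4242", cvc: "123" } };
```

A hit should be treated as a scoping incident: reject the payload and alert, rather than redacting and continuing, since the data has already reached platform memory.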
Controls that support customer PCI compliance
While Backbuild itself is not a CDE, the platform implements controls that support customers' own PCI DSS obligations:
- Strong authentication: SSO with enforced multi-factor authentication, aligned to Requirement 8.
- Access control: role-based access control, least privilege defaults, and tamper-evident audit logs supporting Requirements 7 and 10.
- Vulnerability management: dependency scanning, static analysis, and container image scanning in CI, supporting Requirement 6.
- Secure configuration and change management: peer-reviewed, auditable deployments supporting Requirements 2 and 6.
- Vendor management: documented sub-processor inventory and due diligence, supporting Requirement 12.8.
- Cryptography: TLS 1.2 or higher for data in transit and encryption of sensitive data at rest, supporting Requirements 3 and 4.
Shared responsibility matrix
| Requirement area | Backbuild | Customer | Stripe |
|---|---|---|---|
| Req 1–2: Network and system configuration | Shared | Shared | ✓ CDE |
| Req 3: Protect stored cardholder data | N/A (no PAN) | N/A (no PAN) | ✓ |
| Req 4: Encrypt transmission of cardholder data | N/A (no PAN) | Shared | ✓ |
| Req 5–6: Vulnerability and secure development | Platform controls | Application controls | ✓ |
| Req 7–8: Access control and authentication | Platform SSO, MFA, RBAC | User management | ✓ |
| Req 9: Physical security | Inherited from Cloudflare | Customer facilities | ✓ |
| Req 10: Logging and monitoring | Platform audit logs | Application logs | ✓ |
| Req 11: Security testing | Platform testing | Application testing | ✓ |
| Req 12: Security policy and program | Backbuild program | Customer program | ✓ |
Contact
For PCI DSS scoping guidance, SAQ assistance, or shared responsibility documentation: security@backbuild.ai