PayProof · Compliance guide
Taking cards means PCI DSS obligations. The safe path: never touch raw card data, use a compliant processor, serve everything over HTTPS, never store card numbers, and complete your SAQ.
This rule applies if you accept credit or debit card payments. Accept card payments? Check that card data never touches your server and your checkout is locked down. Not sure? The free checker tells you in about a minute — no signup.
In practice, PayProof's checker looks at whether you can answer "yes" to each of these. Each one is a place sellers commonly get caught:
⚠️ Exposure: card-network fines $5K–$100K/month (contractual). Status: In force.
Statutory maximums are worst-case ceilings, not a prediction — but they're why this is worth ten minutes now.
If you accept card payments, yes — every merchant must meet PCI DSS. Using a hosted/tokenized processor (Stripe, PayPal, Shopify) keeps you in the lightest scope (SAQ A).
Let a compliant processor handle card data via a hosted or tokenized checkout so raw card numbers never hit your server, serve everything over HTTPS, and never store card numbers or CVV.
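The server-side half of that advice, as an added example that is not PayProof's or RuleGoose's code: a small guard that accepts only a processor token and refuses any request body carrying a PAN-like number or a CVV field, plus a redactor for log lines so a card number never ends up stored. Field names (`payment_token`, `cvv`), the sample payloads and the `tok_` token are assumptions; `4111 1111 1111 1111` is the widely published Visa test number, not a real card.

```python
"""Reject raw card data at the server edge so checkout stays in SAQ A scope.

Added example (not PayProof/RuleGoose code). Field names and payloads are
constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Any, Iterator

# Key names that must never appear in a request our server accepts
# (assumed naming; extend to match your own API).
SENSITIVE_KEYS = {"card_number", "cardnumber", "pan", "cvv", "cvv2", "cvc",
                  "csc", "security_code"}

# 13-19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run. Starts and ends on a digit so no separator is swallowed.
_PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by card numbers (and some non-card IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(payload: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Walk a decoded JSON body and yield (json_path, reason) for anything
    that looks like card data: PAN-like Luhn-valid digit runs, or keys named
    like a card number / CVV field."""
    if isinstance(payload, dict):
        for key, value in payload.items():
            if str(key).lower().replace("-", "_") in SENSITIVE_KEYS:
                yield (f"{path}.{key}", "sensitive field name")
            yield from find_card_data(value, f"{path}.{key}")
    elif isinstance(payload, (list, tuple)):
        for i, value in enumerate(payload):
            yield from find_card_data(value, f"{path}[{i}]")
    elif isinstance(payload, str):
        for m in _PAN_RUN.finditer(payload):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                yield (path, f"PAN-like value ending {digits[-4:]}")
    elif isinstance(payload, int) and not isinstance(payload, bool):
        yield from find_card_data(str(payload), path)  # JSON numbers too


def validate_payment_request(payload: dict) -> tuple[bool, list[str]]:
    """Accept only a processor token; list every reason the body fails."""
    problems = [f"{p}: {why}" for p, why in find_card_data(payload)]
    token = payload.get("payment_token")          # assumed field name
    if not isinstance(token, str) or not token:
        problems.append("$.payment_token: missing processor token")
    return (not problems, problems)


def redact_pans(text: str) -> str:
    """Mask all but the last four digits of PAN-like runs before logging."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()
    return _PAN_RUN.sub(mask, text)


# Constructed sample bodies: the tokenized shape we want, and the raw-card
# shape a naive checkout form would post to our own server.
GOOD_REQUEST = {"order_id": "A-1001", "amount_cents": 4999,
                "payment_token": "tok_constructed_123"}
BAD_REQUEST = {"order_id": "A-1002", "amount_cents": 4999,
               "card": {"number": "4111 1111 1111 1111", "cvv": "123",
                        "exp": "12/29"}}

if __name__ == "__main__":
    for body in (GOOD_REQUEST, BAD_REQUEST):
        ok, problems = validate_payment_request(body)
        print("ACCEPT" if ok else "REJECT", problems)
    print(redact_pans("card 4111 1111 1111 1111 declined"))
```

Treat this as a backstop, not the control itself: the hosted or tokenized checkout is what keeps the card number off your server, and this guard catches the integration mistake where a form posts it anyway. Expect occasional false positives, since some non-card identifiers (IMEIs, for example) also pass Luhn, so log the path, not the value, and review.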
A Self-Assessment Questionnaire — an annual attestation of your controls. The version (A / A-EP / D) depends on how your checkout integrates.
RuleGoose checks this against the PCI DSS v4.0 standard. Read it yourself at the PCI Security Standards Council.
or get one RuleGoose Score across every rule that applies to you.
Informational only, not legal advice, and not affiliated with the PCI SSC. Last reviewed 2026-06-28.