@shutupsamir
shutupsamir / PCI_PAYMENT_CONTRACT_SHAREABLE.md
Created February 8, 2026 14:32
PCI Payment Compliance Contract — Stripe Checkout (Redirect) | Fork-ready internal contract for engineering teams

A ready-to-adopt internal contract for organizations using Stripe Checkout redirect as their sole e-commerce payment method. Fork it, fill in the blanks, enforce it.

Audience: Engineering teams, developers, QA, and AI-assisted code agents working on payment-adjacent code.

Assumes: Your organization uses Stripe Checkout in redirect mode (the customer leaves your domain and enters card details on Stripe's hosted page). You do not collect, transmit, or store cardholder data (CHD). This places you in SAQ A or SAQ A-EP scope, the lightest PCI DSS validation burdens available for e-commerce.
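
The "no CHD on our systems" assumption is only as good as the checks that enforce it. The following is an added example, not part of the original contract or of Stripe's code: a small scanner that flags Luhn-valid card-number candidates in application logs, so an accidental form post or support note that carries a PAN is caught before it lands in long-term storage and drags the log system into scope. The log lines and the `cs_test_placeholder` session id are constructed samples; the card numbers are Stripe's public test cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (avoids matching 20+ digit identifiers).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return digit-only PAN candidates in text that also pass Luhn."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_log_lines(lines) -> list[tuple[int, str]]:
    """Return (line_number, masked_pan) for each line leaking a PAN.

    The mask keeps first six / last four, the most PCI DSS permits to display.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return hits


# Constructed sample log: a healthy redirect flow, a non-card 16-digit order
# reference, a browser that posted card fields to us by mistake, and a support
# note that transcribed a card read out over the phone.
SAMPLE_LOG = [
    "2026-02-08T14:32:00Z INFO checkout.session.created id=cs_test_placeholder amount=4999",
    "2026-02-08T14:32:05Z DEBUG order_ref=1234567890123456 status=pending",
    "2026-02-08T14:32:09Z ERROR form_post body=card=4242 4242 4242 4242&exp=12/30",
    "2026-02-08T14:32:11Z WARN support_note='customer read 5555555555554444 over phone'",
]

if __name__ == "__main__":
    for line_no, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Run it as a CI step over redacted log samples or wire `find_pans` into the log pipeline as a drop-or-alert filter; a hit is a contract violation to investigate, not a false positive to silence.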

PCI DSS Version: 4.0.1 (effective March 2025)