Once you start taking card payments online, and yearly after that, you'll need to go through some PCI validation checks.

Passenger uses Stripe for card payments, which makes validation take minutes instead of days. You can check your PCI validation requirements from the Stripe Dashboard.

From the dashboard, Stripe may present you with a quick questionnaire. For Passenger apps and websites, you can answer the questions as follows:

  • Are you using TLS to serve all webpages using Stripe? Yes
  • Do you keep your servers secure by installing security updates within 1 month of release? Yes

If you use the same Stripe account for things other than Passenger, you will need guidance from the teams responsible for those systems.