How to videos

Rundocs › More

Credit card compliance (PCI DSS)

Last updated 2026-05-15

If you accept credit cards — and you do if you run Rundoo — you fall under PCI DSS (Payment Card Industry Data Security Standard). Rundoo handles most of the compliance work for you by routing card data through Stripe; this page covers what that means and the parts that are still your responsibility.

What PCI DSS is

PCI DSS is the security standard every business that handles credit card data has to follow. It's set by the card networks (Visa, Mastercard, Amex, Discover) rather than the government, but the penalties for non-compliance — fines, lost card-acceptance, breach-notification costs — are real.

It applies to every entity that touches cardholder data: retail merchants like you, payment processors like Stripe, software vendors like Rundoo, the banks that issue cards, and any third-party with access. Size doesn't exempt you — a one-location paint store is held to the same baseline as a national chain.

What Rundoo + Stripe handle for you

The big lift is keeping cardholder data out of your systems. Rundoo accomplishes this by never storing actual card numbers. When a customer pays:

  1. The card data goes from the Stripe reader (or the manual-entry form) directly to Stripe, encrypted in transit.

  2. Stripe returns a token — a random string that represents the card without containing it.

  3. Rundoo stores the token, not the card. The token is useless to anyone who gets a copy of our database.

This is called tokenization, and it's what compliance frameworks call the gold standard. Practically, that means:

  • Rundoo's POS database has zero credit-card numbers in it.

  • Your staff can't see card numbers in Rundoo — there's nowhere to look.

  • A breach of Rundoo wouldn't leak card data because card data isn't there.

Stripe itself is PCI DSS Level 1 certified — the highest level — and Rundoo's integration is built against Stripe's certified flows.

What's still your responsibility

PCI DSS isn't only about the data — it's about the environment around it. A few things stay on your side:

Hands-off card handling

PCI DSS v4.0 (enforcement began March 31, 2025) emphasizes that merchants should not touch a customer's card. The customer should insert, tap, or swipe themselves on the Stripe reader. Reasons:

  • Reduces accusations of staff skimming (employees photographing cards or memorizing numbers).

  • Cuts liability if a card is later disputed.

  • Faster checkout (no card handoff back and forth).

⚠️

No pens and paper near the register for card numbers. Writing card numbers down for later entry — even on a sticky note that gets shredded after — violates the hands-off principle. If a customer wants to pay over the phone, route them through the Customer app or send a payment link from Bill payments.

Don't store card data anywhere outside Rundoo

Keeping card numbers in a Google Sheet, a Word doc, a paper file, or a homegrown CRM is a major PCI violation. Penalties range from $5,000 to $100,000/month until the data is removed. You're never allowed to store:

  • The CVV (3 or 4-digit security code). Not anywhere. Not encrypted. Not ever.

  • The full magnetic stripe data or chip data.

  • PIN or PIN block.

For saved-on-file recurring billing, use Rundoo's saved-card flow (Stripe tokenization) instead of writing numbers down.

Strong passwords + MFA

v4.0 increased the baseline:

  • Minimum password length: 12 characters (up from 7) for systems that touch the cardholder environment. Rundoo's sign-in already exceeds this with one-time codes and Login keys.

  • Multi-factor authentication required everywhere — not just remote admin access. Rundoo's text-message, email, and Login keys sign-in flows all satisfy this.

Annual phishing-and-security training

v4.0 requires that anyone with access to the cardholder environment take annual training that includes phishing and social engineering. For a Rundoo merchant, that's any staff member who can sign into the POS. Practically: review with your team how to spot phishing emails (especially anything claiming to be from Stripe or Rundoo asking for credentials), and document that you've covered it.

Signatures — you don't need them anymore

The major card networks phased out signature requirements in 2018. Modern terminals don't ask for them because:

  • EMV chip technology generates a one-time encrypted code per transaction. Mathematically impossible to forge. A handwritten signature can't add security to that.

  • Real-time fraud monitoring at the bank level catches anomalous spending patterns far better than a cashier eyeballing a signature.

  • Faster checkout — one less step per transaction.

If you want signatures for charge-account sales (different from card-not-present fraud risk — you want a paper trail for who authorized the charge), see Sale forms for how to add an optional signature capture to the receipt flow.

Quick self-check

If you can answer yes to all of these, you're in good shape:

  • [ ] Customers swipe / tap / insert their own cards on the Stripe reader (not staff).

  • [ ] No spreadsheet, Word doc, or paper file holds full card numbers anywhere in the business.

  • [ ] No CVVs stored anywhere, ever.

  • [ ] All Rundoo staff sign in with text, email, or Login keys (no shared password).

  • [ ] Staff have had a phishing-awareness conversation in the last 12 months.

If any of those are no, fix it before it becomes a finding.


  • Stripe — how Stripe handles card processing on Rundoo's side.

  • Card reader setup — customer-facing readers for hands-off card capture.

  • Login keys — hardware-key sign-in for staff (satisfies MFA).

  • Sign-in — the text/email/key sign-in flows that satisfy v4.0's MFA-everywhere requirement.