Merchant Payment Processing
How do I integrate Stripe Elements into a custom checkout and stay PCI compliant?
6 min read
Use Stripe Elements when you want a custom checkout UI and you do not want raw card data passing through your servers. Elements mounts secure payment fields in your page, Stripe.js sends the sensitive data directly to Stripe, and your backend creates and confirms the payment with a PaymentIntent. That gives you branded control over the checkout flow while keeping PCI scope much smaller than a hand-built card form.
How the integration works
The clean pattern is:
- Frontend: render Stripe Elements in your checkout
- Backend: create a PaymentIntent or SetupIntent
- Stripe: collect and tokenize payment details
- Webhooks: confirm the payment and fulfill the order
For a one-time charge, use a PaymentIntent.
For saving a payment method for future off-session charges, use a SetupIntent.
1) Create the payment on your server
Your server should create the payment object, set the amount, and return the client_secret to the browser.
// Node.js example
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
app.post('/create-payment-intent', async (req, res) => {
const paymentIntent = await stripe.paymentIntents.create({
amount: 5000, // $50.00
currency: 'usd',
automatic_payment_methods: { enabled: true },
});
res.json({ clientSecret: paymentIntent.client_secret });
});
Key rule: do not send card details to your server. Only send order data, amount, currency, and your internal order ID.
2) Mount Stripe Elements on the checkout page
Load Stripe.js, initialize Elements with the client_secret, and mount the payment component into your form.
<form id="payment-form">
<div id="payment-element"></div>
<button type="submit">Pay now</button>
<div id="payment-message"></div>
</form>
import { loadStripe } from '@stripe/stripe-js';
const stripe = await loadStripe('pk_test_...');
const { clientSecret } = await fetch('/create-payment-intent', {
method: 'POST',
}).then(r => r.json());
const elements = stripe.elements({ clientSecret });
const paymentElement = elements.create('payment');
paymentElement.mount('#payment-element');
If you only need cards, you can use the Card Element. If you want one component that can support cards and other payment methods, use the Payment Element.
3) Confirm the payment from the browser
Let Stripe handle card validation, 3D Secure, and other authentication flows.
const form = document.getElementById('payment-form');
form.addEventListener('submit', async (event) => {
event.preventDefault();
const { error } = await stripe.confirmPayment({
elements,
confirmParams: {
return_url: 'https://example.com/checkout/complete',
},
});
if (error) {
document.getElementById('payment-message').textContent = error.message;
}
});
4) Fulfill orders from webhooks
Do not mark an order as paid only because the browser says “success.” Always confirm the final payment state from a webhook.
Typical events:
payment_intent.succeededpayment_intent.payment_failedcharge.dispute.created
Example:
if (event.type === 'payment_intent.succeeded') {
// Fulfill the order
}
How Stripe Elements helps with PCI scope
Stripe Elements is designed to keep sensitive card data out of your environment.
What Stripe handles:
- Collection of card details in secure Stripe-controlled fields
- Tokenization and payment processing
- Authentication flows like 3D Secure
- Payment method validation
What you still own:
- Your checkout page
- Your server configuration
- Access controls
- Logging, monitoring, and dependency management
- The security of any page elements and scripts on your domain
That means Stripe Elements reduces PCI burden, but it does not remove your responsibility to stay compliant.
PCI checklist for a custom checkout
Use this checklist to keep your implementation in a safe lane.
Keep card data out of your servers
- Never accept raw PAN or CVC in your backend APIs
- Never store card numbers in your database, logs, analytics, or support tools
- Never proxy card data through your own endpoints “for convenience”
Use Stripe’s official client libraries
- Load Stripe.js from Stripe
- Use the official Elements components
- Avoid custom card inputs that bypass Stripe’s secure fields
Serve the checkout over HTTPS
- Force HTTPS on the entire checkout flow
- Redirect HTTP traffic to HTTPS
- Use secure cookies and modern TLS settings
Minimize third-party scripts
Your checkout page is part of your PCI environment. Keep it lean.
- Remove unnecessary analytics and marketing tags
- Audit every script running on checkout
- Restrict access to script deployment and tag managers
Lock down server-side secrets
- Keep your Stripe secret key off the client
- Use restricted API keys where possible
- Store credentials in a secret manager, not in source code
- Rotate keys if you suspect exposure
Protect the client secret
The client_secret is safe to send to the browser, but only to the intended checkout session.
- Tie it to a single order
- Expire abandoned checkouts if your workflow requires it
- Do not treat it like an API key
Use webhooks for final order status
- Confirm payment completion from Stripe webhooks
- Reconcile payments against your internal order IDs
- Handle retries and duplicate webhook deliveries idempotently
Complete the right PCI questionnaire
With a custom checkout built on Elements, many businesses end up with SAQ A-EP rather than a simpler hosted-checkout scope. The exact requirement depends on your implementation and your acquiring bank or QSA.
- Confirm your SAQ type with your acquirer or qualified assessor
- Keep evidence of your controls
- Re-run your annual assessment and scans if required
Common mistakes that break the model
These are the patterns that usually create PCI pain later:
- Building your own card fields instead of using Elements
- Sending payment details to your API “just to validate them”
- Logging request bodies from checkout endpoints
- Adding too many scripts to the payment page
- Storing card data in session storage or analytics tools
- Fulfilling orders before webhook confirmation
- Using a frontend-only approach with no server-side verification
When to use Stripe Checkout instead
If your main goal is the lowest possible PCI overhead, Stripe Checkout is the simpler path. It is Stripe-hosted, prebuilt, and optimized for conversion.
Use Elements when you need:
- A fully branded checkout
- Custom pricing or complex UI logic
- Tight control over layout and upsells
- More flexibility in how the payment form behaves
Use Checkout when you want:
- Faster launch
- Less front-end work
- Less checkout-page security surface
- A hosted payment page with less implementation burden
If you need saved cards or subscriptions
Use a SetupIntent to save a payment method for future use.
That is the right pattern for:
- Memberships
- Subscriptions
- Future invoice payments
- Off-session charges
In practice:
- PaymentIntent = charge now
- SetupIntent = save for later
Quick implementation summary
If you want to integrate Stripe Elements into a custom checkout and stay PCI compliant, follow this sequence:
- Create a PaymentIntent on your server
- Render Stripe Elements in the browser
- Confirm the payment with Stripe.js
- Finalize the order from webhooks
- Keep card data out of your systems
- Lock down your checkout page and scripts
- Confirm the correct PCI SAQ with your acquirer or QSA
Bottom line
Stripe Elements is the right building block when you want a custom checkout without handling raw card data yourself. It gives you a branded payment form, Stripe-managed payment handling, and a much smaller PCI footprint than a homegrown card collection flow.
If you want the shortest path to compliance and the lowest checkout security surface, use Stripe Checkout. If you need a custom checkout, use Elements, keep card data inside Stripe’s secure fields, and treat PCI as an ongoing operational control—not a one-time setup step.