PCI-Compliant Payment Collection
Collecting payment at appointment booking requires PCI-DSS compliance. Schedly's integration with Stripe — a PCI-DSS Level 1 certified payment processor — ensures you never handle raw cardholder data while still accepting payment at booking.
Regulation: Payment Card Industry Data Security Standard (PCI-DSS v4.0)
The Payment Card Industry Data Security Standard (PCI-DSS v4.0) requirements that apply to scheduling
Never handle raw card data
PCI-DSS scope is dramatically reduced when merchants never touch raw cardholder data. Schedly's Stripe integration ensures card data is handled entirely by Stripe — keeping you out of PCI scope.
Merchant of record clarity
When you collect payment through Schedly's Stripe integration, you are the merchant of record. Your Stripe account is the acquiring relationship — not Schedly's.
Tokenized payment processing
Stripe tokenizes card data in the client's browser before transmission, ensuring raw card numbers never pass through Schedly's systems.
SAQ A eligibility
Because card data is handled entirely by Stripe's hosted payment fields, most Schedly customers are eligible for the simplest PCI self-assessment questionnaire — SAQ A.
Compliance built into every plan
These features ship on every Schedly account — not locked behind expensive enterprise tiers.
Stripe-powered payment collection
Schedly uses Stripe's hosted payment elements for all card data entry. Stripe is PCI-DSS Level 1 certified — the highest certification level available.
No raw card data ever touches Schedly
Card numbers, CVVs, and expiration dates are entered directly into Stripe's secure fields. Schedly only receives a payment token — never raw card data.
Tokenized repeat payments
For recurring appointments and deposits, Stripe stores tokenized card data. Subsequent charges use the token — not the actual card number.
Stripe-generated receipts
All payment receipts are generated by Stripe, providing documentation that meets PCI receipt requirements automatically.
Built security-first, from the infrastructure up
Every layer of the Schedly stack is designed for regulated industries.
AES-256 Encryption
All booking data, intake forms, and client PHI are encrypted at rest and in transit using AES-256.
SOC 2 Type II Certified
Annual third-party audits verify our infrastructure controls. Certificate available on request.
Audit Logs & Access Controls
Every data access is logged. Role-based permissions ensure only authorized staff see protected records.
Isolated Data Infrastructure
Client data is siloed per account. The multi-tenant architecture is designed so data never commingles.
Automated Data Retention
Configure data retention windows that match your compliance policy. Deletions are permanent and auditable.
BAA Available on Pro+
Business Associate Agreements are available on Professional and Enterprise plans with one-click execution.
Your Compliance Setup Checklist
Check off each step as you complete your compliant scheduling setup.
Business Associate Agreement ready to sign
For practices and businesses that require a signed BAA, Schedly offers a standard BAA on Professional and Enterprise plans — executable directly in your dashboard with no legal back-and-forth.
- Executed in your Schedly dashboard in minutes
- No attorney required — pre-approved standard language
- Covers all PHI processed by Schedly on your behalf
- Renewed automatically with your subscription
PCI-DSS and Payment Security in Appointment Booking: What You're Responsible For
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements for any organization that accepts, processes, stores, or transmits cardholder data. For service businesses collecting payment at booking, understanding PCI scope — specifically which elements of the payment flow you're responsible for — is essential for both compliance and liability management. The most important insight: businesses that use Stripe's hosted payment fields to collect card data (the standard Schedly implementation) are eligible for SAQ A — the simplest PCI self-assessment questionnaire — because they never touch raw card data. Stripe handles all cardholder data, and your PCI scope is dramatically reduced.
SAQ A Eligibility: How Stripe's Architecture Reduces Your Compliance Burden
PCI-DSS has multiple Self-Assessment Questionnaire (SAQ) types, ranging from SAQ A (the simplest, 14 requirements) to SAQ D (the most complex, 329 requirements). The correct SAQ type depends on how you process card data. Businesses that outsource all cardholder data processing to a PCI-DSS Level 1 certified provider (like Stripe) and never directly handle, store, or process card numbers are typically SAQ A eligible. This is Schedly's integration architecture: card data enters Stripe's hosted fields directly from the client's browser, is tokenized before transmission, and never passes through Schedly's systems. Your Stripe merchant account inherits Stripe's PCI Level 1 certification for the processing it handles.
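As an added example (not Schedly's or Stripe's code), a small server-side guard in JavaScript that enforces the premise above: the booking backend accepts only an opaque Stripe reference id and rejects any request body carrying something that looks like a card number, so a stray PAN typed into a notes field never reaches logs or storage. The `pm_`/`tok_`/`pi_` prefixes are Stripe's real id formats; the sample bookings and the `pm_example...` ids are constructed.

```javascript
// Added example, not Schedly's or Stripe's code: a scope guard for a booking
// backend. Payment arrives only as a Stripe reference id; anything that looks
// like a PAN is rejected before the body is persisted or logged.

// Luhn check over a digit string; every real card number passes it.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Runs of 13-19 digits, optionally separated by spaces or dashes, that pass Luhn.
// A random digit run passes Luhn 1 time in 10, so treat hits as "review", not proof.
function findPanCandidates(text) {
  const out = [];
  for (const m of text.matchAll(/\d(?:[ -]?\d){12,18}/g)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (luhnValid(digits)) out.push(digits);
  }
  return out;
}

// Walks any JSON body (strings, numbers, arrays, objects) looking for a PAN.
function containsCardholderData(value) {
  if (typeof value === 'string' || typeof value === 'number') return findPanCandidates(String(value)).length > 0;
  if (Array.isArray(value)) return value.some(containsCardholderData);
  if (value && typeof value === 'object') return Object.values(value).some(containsCardholderData);
  return false;
}

// Only an opaque Stripe reference (PaymentMethod, Token or PaymentIntent id) is accepted.
function isStripeReference(id) {
  return typeof id === 'string' && /^(pm|tok|pi)_[A-Za-z0-9]+$/.test(id);
}

// Decision the booking endpoint makes before storing or logging the body.
function acceptBooking(body) {
  if (containsCardholderData(body)) return { ok: false, reason: 'raw_card_data_rejected' };
  if (!isStripeReference(body.payment_method)) return { ok: false, reason: 'stripe_reference_required' };
  return { ok: true, paymentMethod: body.payment_method };
}

// Constructed sample bodies: a compliant booking, and one where a client typed a card number (Stripe's public 4242 test card) into the notes field.
const GOOD_BOOKING = { client: 'A. Example', slot: '2024-05-01T09:00', payment_method: 'pm_example123' };
const BAD_BOOKING = { client: 'B. Example', notes: 'card 4242 4242 4242 4242 exp 12/30', payment_method: 'pm_example456' };
```

Logging the rejection reason (never the offending value) gives an audit trail that the "no raw card data" claim holds in practice.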
Practical PCI Compliance Steps for Service Businesses Using Schedly + Stripe
For businesses using Schedly's Stripe payment integration, PCI compliance involves three practical steps. First, complete Stripe's merchant onboarding, which includes acknowledgment of PCI compliance responsibilities and documentation of your payment processing setup. Second, complete an SAQ A (14 questions covering the embedded payment form implementation) annually — Stripe provides guidance on this process in their documentation. Third, maintain your compliance documentation — the completed SAQ A, any security scan results required for your volume tier, and your Attestation of Compliance (AOC). Stripe provides the documentation of their own PCI Level 1 certification. Your payment compliance posture then rests on: Stripe's infrastructure certification + your SAQ A + appropriate access controls on your Schedly admin account.
Compliance Questions Answered
Stop Losing Bookings to Scheduling Friction.
Schedly puts your calendar to work around the clock. Every lead, every client, and every meeting lands exactly where it should, automatically.
