
Marketplace and PCI DSS: Who Is Responsible for Vendor Card Data?

March 22, 2025 6 min read PCI Proxy EU

Marketplace PCI compliance is one of the more complex scenarios in the standard because responsibility does not fall on a single entity but is split between the platform owner and the vendors selling on the platform. Anyone building a marketplace must answer a fundamental question before designing the payment model: does the platform touch customers' card data, or does it pass it directly to vendors? The answer determines who falls within PCI scope and with what level of responsibility.


The PCI chain of responsibility in multi-vendor marketplaces

In the marketplace model, the payment flow can follow two main schemes. In the first, the customer pays the platform, which then settles funds to vendors: the platform owner is the merchant of record, handles card data, and carries the PCI obligations for the entire transaction. In the second, payment happens directly between customer and vendor (with the platform acting only as a facilitator), and each vendor is responsible for its own compliance.

In practice, most modern marketplaces operate a hybrid model that blurs the chain of responsibility. If the platform collects card data and passes it to vendors for processing, it is a PCI service provider relative to those vendors. If the platform simply routes the payment through an integrated PSP without ever seeing card data, its scope depends on the specific technical configuration (who serves the payment form, whether any card data transits the platform's servers). A payments lawyer and a QSA together are often needed to map correctly who is responsible for what.

Is the platform owner responsible for vendors?

The platform owner is not automatically responsible for the PCI compliance of vendors operating on their platform, but does have specific obligations if they provide payment tools to vendors or if card data passes through their infrastructure before reaching vendors. In that role the platform is a service provider, and PCI DSS (Requirement 12.9) requires service providers to acknowledge their responsibility for account data in writing and to tell their clients, for each applicable requirement, whether it is handled by the provider, by the client (the vendor), or shared.

In practice, marketplaces that want to protect their contractual and reputational position often require vendors to provide their own compliance attestation (an AOC or a completed SAQ) as an onboarding condition. This does not transfer responsibility, but creates a documented record that demonstrates the platform owner's due diligence. The marketplace's acquirer may ask for specific evidence of how vendors are selected and how their compliance is monitored over time.

How PCI Proxy EU centralises marketplace compliance

The most efficient solution for a marketplace is to centralise card data collection and storage in a shared vault, rather than distributing responsibility across every vendor. With PCI Proxy EU, the platform collects card data just once through the certified payment page and tokenises it. Vendors receive tokens that stand in for the PAN and can use them to authorise payments without ever touching card data. The vault is shared but tokens are segmented by vendor: each vendor can only use the tokens issued to it and sees only its own customers.

This approach radically simplifies compliance: the platform owner manages a single certified CDE, vendors stay out of PCI scope for the data storage component, and onboarding a new vendor does not require verifying its individual compliance for that component. The PCI scope remains stable regardless of how many vendors join the platform, avoiding an attack surface that grows in proportion to the business. Note that this removes vendors from scope only for the data the platform vaults: a vendor that also accepts cards through its own channels (a POS, a separate PSP account) remains in scope for those channels.
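The vendor segmentation described above, as an added example that is not PCI Proxy EU's own code or API: a minimal in-memory vault in Python that stores each PAN exactly once, issues a different random token per vendor for the same card (so vendors cannot correlate customers across the platform), and refuses to resolve a token for any vendor other than the one it was issued to. The class and function names, the Luhn pre-check, the keyed fingerprint index and the test card number are assumptions for illustration; a real vault would encrypt the store at rest and expose detokenisation only to the component that forwards the PAN to the PSP.

```python
"""Added example (not PCI Proxy EU's code): a shared card vault with
vendor-scoped tokens. All names, the in-memory storage and the keyed
fingerprint index are assumptions chosen for illustration."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Sanity check on ingestion: a PAN must be 12-19 digits and pass Luhn."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenNotFound(Exception):
    """Token does not exist or was issued to a different vendor."""


class SharedVault:
    """One CDE for the whole marketplace; tokens are segmented per vendor."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key     # secret that never leaves the CDE
        self._pans = {}                 # vault_ref -> PAN (encrypt at rest in a real vault)
        self._pan_index = {}            # keyed fingerprint(PAN) -> vault_ref
        self._tokens = {}               # token -> (vendor_id, vault_ref)
        self._vendor_index = {}         # (vendor_id, vault_ref) -> token

    def _fingerprint(self, pan: str) -> bytes:
        # HMAC rather than a plain hash: the PAN space is small enough that an
        # unkeyed digest could be brute-forced, turning the index into a leak.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()

    def tokenize(self, vendor_id: str, pan: str) -> str:
        """Called by the platform's payment page on a vendor's behalf.
        Same card + same vendor -> same token (returning customers are
        recognisable). Same card + another vendor -> unrelated token."""
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        fp = self._fingerprint(pan)
        vault_ref = self._pan_index.get(fp)
        if vault_ref is None:                       # PAN is stored exactly once
            vault_ref = secrets.token_hex(16)
            self._pans[vault_ref] = pan
            self._pan_index[fp] = vault_ref
        key = (vendor_id, vault_ref)
        token = self._vendor_index.get(key)
        if token is None:
            token = secrets.token_urlsafe(24)       # random, not derived from the PAN
            self._tokens[token] = key
            self._vendor_index[key] = token
        return token

    def detokenize(self, vendor_id: str, token: str) -> str:
        """Only the CDE-side proxy that forwards the PAN to the PSP calls this;
        vendors never do. The vendor binding check is the segmentation."""
        owner, vault_ref = self._tokens.get(token, (None, None))
        if owner != vendor_id:
            raise TokenNotFound(token)
        return self._pans[vault_ref]

    def masked_pan(self, vendor_id: str, token: str) -> str:
        """What a vendor may be shown: here only the last four digits."""
        pan = self.detokenize(vendor_id, token)
        return "*" * (len(pan) - 4) + pan[-4:]

    def tokens_for(self, vendor_id: str) -> list:
        """A vendor's view of the vault is limited to its own tokens."""
        return [t for t, (v, _) in self._tokens.items() if v == vendor_id]

    def stored_pan_count(self) -> int:
        return len(self._pans)


if __name__ == "__main__":
    vault = SharedVault(index_key=secrets.token_bytes(32))
    test_pan = "4111111111111111"                   # well-known test number
    t_a = vault.tokenize("vendor-a", test_pan)
    t_b = vault.tokenize("vendor-b", test_pan)
    print("different tokens per vendor:", t_a != t_b)
    print("PANs stored in the vault:", vault.stored_pan_count())
    print("vendor-a sees:", vault.masked_pan("vendor-a", t_a))
    try:
        vault.detokenize("vendor-b", t_a)
    except TokenNotFound:
        print("vendor-b cannot use vendor-a's token")
```

The two properties worth checking in a real deployment are the ones the demo exercises: the same card stored by two vendors yields one vault entry but two unrelated tokens, and a token presented by the wrong vendor is rejected rather than resolved.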

Frequently asked questions

Do I need to ask my vendors for PCI DSS certification?

It depends on the payment model. If vendors handle card data independently (e.g. with their own POS or separate PSP accounts), each is responsible for its own compliance and the marketplace has an interest in documenting that it requested an attestation. If instead the platform centralises payments and vendors only ever see tokens, the vendors are out of scope for data storage and no specific certification needs to be required of them for that aspect.

Does a marketplace using Stripe Connect still have PCI obligations?

Yes. Stripe Connect reduces the PCI scope if the platform uses Stripe Elements or Stripe.js to collect card data directly in Stripe-hosted fields, without the data passing through the marketplace's backend. If instead the platform's backend touches card data (even just to forward it), the scope expands. Even in the fully outsourced case the platform typically still completes an SAQ A and remains responsible for its own payment page, including the scripts loaded on it and tamper detection (PCI DSS v4.0 Requirements 6.4.3 and 11.6.1). Stripe's AOC covers Stripe's infrastructure, not automatically the marketplace's code that integrates it.

How does shared responsibility work in a SaaS model with payments?

A SaaS that processes payments on behalf of clients is classified as a service provider. It must document, for each applicable PCI requirement, whether responsibility lies with the provider, with the client, or is shared. This document is commonly called a responsibility matrix and is typically provided to clients alongside the provider's AOC. The SaaS's clients use this matrix to complete their own SAQ and understand which requirements fall on them.

One central vault for the entire marketplace: one CDE, all vendors covered. Discover PCI Proxy EU.

PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
