PCI Responsibility Matrix (Stripe + MM App)

Control area → Responsible party (how it is covered)

Data capture & transmission of PAN/CVV → Stripe (SDK/Elements/PaymentSheet)
Tokenization (pm_/pi_/cus_) → Stripe
Storage of card data → Stripe (MM stores Stripe IDs only)
TLS for payment pages/API → Stripe (checkout UIs) + MM (app→API HTTPS)
Fraud / charge dispute tooling → Stripe (Radar/Disputes)
Key management for Stripe secrets → MM (Functions Secrets, rotation)
Access control (Stripe dashboard) → MM (MFA, RBAC, quarterly review)
Access control (Cloud, DB, Storage) → MM (IAM least-privilege, logs)
Logging & monitoring → MM (audit logs, alerts) + Stripe (event logs)
Incident response → MM (breach playbook) + Stripe (platform status)
Vulnerability management (app/infra) → MM (Dependabot, npm audit)
SAQ + documentation → MM (SAQ-A kept on file)