by textman 1221 days ago
OP here. I think what happens is Stripe embeds the payment element in a cross-domain iframe, which means it is impossible for me (my server code) to access that data. And that seems to be the whole issue with PCI compliance, namely, my website is not in fact collecting CC data. From there I infer that Stripe got certified PCI Service Provider Level 1, which allows them to handle just about all of the PCI processing, and the vendor (me) just has to click an approval button annually to be PCI compliant. Does all this seem correct?

I used to work on Stripe Checkout and your interpretation sounds like what my understanding of the situation was at the time I was there, yes. Basically Stripe provides everything, isolates the code as you said, and for 99% of merchants you just hit a button and get on with your day. I think for the other 1%, from reading the docs you linked, it sounds like for particularly large businesses it might cause a couple days of work, but orders of magnitude less than rolling it yourself?
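The thread's point is that with the hosted iframe the merchant server only ever sees an opaque Stripe id, never the card number. An added example (not from either poster, and not Stripe's code) of a backend guard that checks this holds: it flags PAN-shaped values (13 to 19 digits passing Luhn) in a request body and expects only an opaque id. The body strings, the `pm_`/`tok_`/`src_` prefix check and the function names are assumptions for illustration.

```javascript
// Added example: a scope guard for the merchant backend. If a raw PAN ever
// reaches this server (request body, logs), the merchant is back in PCI scope.

function luhnValid(digits) {
  // Standard Luhn checksum over a string of ASCII digits.
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns every substring that looks like a card number: 13-19 digits,
// optionally separated by spaces or dashes, that also passes Luhn.
function findPanLikeValues(text) {
  const found = [];
  const re = /(?:\d[ -]?){12,18}\d/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      found.push(digits);
    }
  }
  return found;
}

// Classifies a JSON-serialised request body for the merchant's payment
// endpoint. Only an opaque Stripe-style id (assumed prefixes) should arrive.
function classifyPaymentRequest(bodyText) {
  const pans = findPanLikeValues(bodyText);
  if (pans.length > 0) {
    return { ok: false, reason: 'raw card number present', count: pans.length };
  }
  const hasOpaqueId = /"(pm|tok|src)_[A-Za-z0-9]+"/.test(bodyText);
  return hasOpaqueId
    ? { ok: true, reason: 'opaque payment id only' }
    : { ok: false, reason: 'no payment id found' };
}
```

Wire `classifyPaymentRequest` into the payment route (or a log scrubber) and alert on any `ok: false` with `raw card number present`; that is the signal that card data has leaked out of the iframe model.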