Think about the moment a customer types in their card number on your checkout page. That’s a moment of trust. And moments like that can make or break whether someone actually buys from you.
That’s why we’re so excited to share this news: ThriveCart has earned PCI DSS v4.0.1 Level 1 Service Provider certification. In plain English, that’s the highest level of payment security certification a company can get.
This wasn’t just us filling out a form and checking a box. An outside company called A-LIGN – a well-respected, independent security firm – spent five months digging through every corner of our systems. They finished in May 2026. And the result? We passed every single test. No exceptions, no asterisks.
Let’s break down what that actually means for you and your business.
Key insights, at a glance:
- PCI DSS Level 1 is as good as it gets for payment security. It takes a full outside audit to earn it – not just a form you fill out yourself.
- Your customers’ card numbers never touch ThriveCart’s servers. Stripe handles all of that on their own secure system.
- Since ThriveCart is Level 1 certified, that certification covers the checkout part of your business too. One less thing for you to worry about.
- It’s also a great, trust-building thing to be able to tell your own customers.
So what exactly is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. Basically, it’s a set of security rules that Visa, Mastercard, American Express, and Discover created together, as the PCI Security Standards Council. Any company that touches card payments has to follow these rules.
The rules cover things like:
- Keeping networks and systems locked down with firewalls
- Encrypting card data so it can’t be read if someone intercepts it
- Watching out for malware and patching security holes
- Making sure only the right people can access sensitive systems (and requiring extra logins to prove it)
- Constantly monitoring for suspicious activity and testing for weak spots
- Writing down security policies and reviewing them every year
Basically, it’s the rulebook that keeps companies honest about protecting your customers’ payment info.
Why Level 1 is a bigger deal than it sounds
There are four levels of PCI DSS compliance, and determining which one applies to a company depends on how many card payments it processes each year:
Level | How many transactions a year | How it’s checked |
Level 1 | Over 6 million | Full audit by an outside expert |
Level 2 | 1 million to 6 million | Self-check plus quarterly scans |
Level 3 | 20,000 to 1 million | Self-check plus quarterly scans |
Level 4 | Under 20,000 | Self-check recommended |
Level 1 is the top tier. It’s the only one that requires a full, independent audit – not a form you fill out about yourself. It’s the same bar that banks and major payment processors have to clear.
A-LIGN, one of the most trusted names in security auditing, ran ThriveCart through this process from December 2025 to May 2026. Five months of testing, document reviews, and digging through our infrastructure. We came out fully compliant on all 12 requirements.
How your customers’ card info actually stays safe
Here’s the part that matters most: ThriveCart never actually sees your customers’ card numbers.
When someone types their card info into your checkout page, that information goes straight from their browser to Stripe. It never passes through ThriveCart at all.
Here’s how that works:
- The payment form itself is built and controlled by Stripe, which has its own separate PCI DSS certification
- Card numbers, security codes, all of it – go directly into Stripe’s system, not ours
- All ThriveCart gets back is a harmless token and some basic order details. Nothing anyone could use to steal card details
This isn’t an accident. It’s designed this way on purpose, and it’s a big reason we were able to pass every part of the audit with zero issues.
Everything runs on secure, cloud-based systems. ThriveCart doesn’t run on physical servers you’d find in some back room somewhere – everything lives in the cloud. That means:
- Everything gets watched around the clock automatically
- Any unexpected changes to checkout pages get caught right away
- Testing systems and live systems are kept completely separate
An outside company checked our work – we didn’t just check it ourselves
Instead of grading our own homework, we brought in A-LIGN to verify everything independently. Every requirement was checked by someone outside the company. No shortcuts, workarounds, or unresolved issues.
And the security work never really stops.
Behind the scenes, here’s what’s running at all times:
- Every checkout page and connection is encrypted
- Anyone accessing internal systems needs to verify their identity more than one way
- Regular scans for vulnerabilities, plus a full penetration test once a year
- Round-the-clock monitoring and logging of everything happening on the platform
- Automatic alerts if anything on a payment page changes without authorization – checked at least once a week
- A tested plan for what to do if something ever does go wrong, reviewed yearly
- Keeping an eye on partners like Stripe and AWS to make sure they’re staying compliant too
What this actually means for you
Less paperwork and worry on your end
Since ThriveCart is Level 1 certified, that certification covers the checkout side of your business. If all your payments run through ThriveCart and you’re not handling card data anywhere else, you don’t need to go get your own Level 1 certification for that part. Which means one less headache to deal with.
Your customers are more likely to actually hit “buy”
A lot of people abandon their cart simply because they’re nervous about handing over their card info. Being able to tell your customers that your checkout meets the highest security standard out there gives them one more reason to trust you – and finish the purchase.
You’re better protected from fines and headaches
If a business isn’t PCI compliant and something goes wrong, the card networks can hit them with fines that range from a few thousand dollars into the hundreds of thousands – and that’s on top of the damage to your reputation. Running your payments through a Level 1 certified platform helps keep you out of that mess.
Every checkout page you build is already covered
Whether you’re using ThriveCart’s classic checkout or building pages with ThrivePages, everything runs on infrastructure that’s already been independently verified to meet the highest security bar in the industry. You can focus on making your pages convert – the security side is already handled.
Security isn’t an add-on. It’s the foundation.
Getting to PCI DSS v4.0.1 Level 1 took months of testing, tightening up our systems, documenting everything, and having someone else check our work. It reflects something we care about deeply: giving you and your customers a platform you can genuinely trust, every single time someone makes a purchase.
This isn’t a marketing checkbox for us. It’s the ground everything else is built on.
Got questions about how ThriveCart keeps things secure? Our support team is always happy to help.
FAQ
Q: What is PCI DSS, and why should I care?
A: PCI DSS (Payment Card Industry Data Security Standard) is a set of security rules that any company handling card payments has to follow. It matters to you because it directly affects how safe your customers’ card info is when they buy from you.
Q: What level did ThriveCart actually achieve?
A: ThriveCart earned Level 1 Service Provider certification under PCI DSS v4.0.1 – the highest level there is. That required a full, independent audit by a certified outside expert, not a self-check. We came out fully compliant, with zero issues found.
Q: Does my customers’ card info ever touch ThriveCart’s servers?
A: No. ThriveCart uses Stripe’s secure payment technology, so your customers type their card details directly into a form controlled by Stripe. That information goes straight from their browser to Stripe – it never touches ThriveCart at all.
Q: Do I need to get my own PCI DSS certification?
A: If all your payments go through ThriveCart and you don’t handle card data anywhere else, ThriveCart’s Level 1 certification already covers the checkout part of your business. If you do process cards through other systems outside of ThriveCart, though, you may want to talk to a security professional about your specific setup.
Q: Who actually did the audit?
A: A-LIGN Compliance and Security, Inc. handled it – an independent, accredited security firm based in Tampa, Florida, and one of the most well-regarded names in the industry.
Q: How often does ThriveCart have to redo this?
A: PCI DSS compliance gets re-checked every year. But the security work itself – the monitoring, testing, and everything else – never actually stops. It runs continuously, all year, every year.
With ThriveCart, you can sell just about anything online – digital products, courses, subscriptions, coaching, and even physical products. All with the highest level of online payment security available. Get ThriveCart today – and start selling, with trust.