Interesting thoughts and comments. I wonder whether these charges would still apply if you used Barclaycard’s own ePDQ system and payment pages…? Maybe that’s their point and they want to onboard more clients directly.

With regard to Stripe, it’s definitely in scope for PCI DSS. You’d use SAQ-D up until the end of this year, then SAQ-A-EP for PCI DSS v3.0 / Jan 1st 2015 onwards.

Whilst card numbers might not be touching your own web servers, your web server hosts the Stripe JavaScript, and thus could affect the security of payment card data in the consumer’s browser if it were compromised.

Another fee you hadn’t mentioned above is the fee the banks charge if you do NOT return the SAQ, or complete an SAQ showing you are not PCI DSS compliant. I think that’s a bit more substantial – £20 a month or something for smaller merchants?