Implement PCI DSS, SOC 2 & GDPR
in Flutter — The Complete Guide
Do you need a license? What packages to use? How do you prove compliance? Which third-party tools audit you? All answered — with real code.
- Do You Need a License? (PCI DSS, SOC 2, GDPR)
- Full Flutter Implementation — Code & Packages
- Flutter Web — Special Considerations
- Platform Support Matrix (iOS, Android, Web, Desktop)
- How to Prove You Are Compliant — Audit Evidence
- Third-Party Tools & Services That Certify Compliance
- Flutter Package Licenses Reference
- Your Compliance Roadmap — Step by Step
// Section 01 — Licensing
Do You Need a License or Certification?
This is the #1 question developers ask. The short answer: compliance is not a software license — it’s a process. But some standards do require paid audits or assessments.
There is no “Flutter compliance license” you buy. Compliance means proving your app follows the rules. The cost comes from audits, tools, and infrastructure — not from Flutter itself. Flutter is free and open-source under the BSD 3-Clause license.
| Standard | Is There a License? | What You Actually Need | Who Does the Assessment | Estimated Cost |
|---|---|---|---|---|
| PCI DSS | No software license — but you must complete an annual assessment | SAQ (Self-Assessment Questionnaire) for small merchants OR full ROC audit for large merchants | Qualified Security Assessor (QSA) — certified by PCI SSC. For SAQ-A (hosted payments): self-assessment. | SAQ-A: Free to ~$500/yr. QSA audit: $15,000–$70,000/yr |
| SOC 2 | No license — you commission a voluntary audit | SOC 2 Type I (point-in-time) or Type II (6–12 months of evidence) | Licensed CPA firm (e.g., Deloitte, KPMG, Prescient Security, Johanson Group) | Type I: $10,000–$30,000. Type II: $30,000–$100,000. Readiness tools: $500–$2,000/mo |
| GDPR | No license — it is a law. Compliance is mandatory if applicable. | Internal documentation, privacy policy, consent mechanisms, DPO if required | Internal DPO or external privacy consultant. Enforced by national Data Protection Authorities (DPAs). | DPO salary/consultant: $2,000–$10,000/mo. Legal review: $5,000–$20,000. Tools: $200–$2,000/mo |
SAQ Levels for PCI DSS — Which Applies to Your Flutter App?
If your Flutter app takes card payments, you need to know your SAQ level:
| SAQ Type | When to Use | Flutter Scenario | Effort |
|---|---|---|---|
| SAQ A | Card data fully outsourced (e.g., Stripe hosted checkout) | Flutter app uses Stripe Payment Sheet or PaymentIntents — you never touch card data | ~22 questions. Easiest. |
| SAQ A-EP | E-commerce, payment page partially hosted by you | Flutter Web app with embedded iframe or JS redirect to payment page | ~191 questions. Moderate. |
| SAQ D (Merchants) | You store, process, or transmit card data yourself | Flutter app with custom card form that sends to your own server | ~329 questions. Very complex. Avoid this. |
Always use a PCI-certified SDK (Stripe, Razorpay, Braintree). Your Flutter app falls under SAQ A — the simplest level. You never see raw card numbers. The SDK vendor is PCI Level 1 certified and their certificate covers your usage.
// Section 02 — Flutter Implementation
Complete Flutter Implementation Guide
Every package you need, every code pattern, for all three standards. Copy-paste ready.
💳 PCI DSS — Flutter Mobile Implementation
Add Payment SDK to pubspec.yaml
Never build your own card input from scratch. Use a PCI Level 1 certified provider.
Stripe Payment Sheet — The PCI DSS Safe Pattern
The Payment Sheet is rendered by Stripe’s own UI. Your app code never touches card numbers.
Enable Certificate Pinning (prevent man-in-the-middle attacks)
PCI DSS Requirement 4 mandates encryption in transit. Certificate pinning ensures your app only trusts YOUR server’s certificate.
Detect Rooted/Jailbroken Devices (PCI DSS Req 6.3)
PCI DSS requires protecting against malware and compromised devices. Warn users or block payment on rooted devices.
🛡️ SOC 2 — Flutter Implementation
Secure Storage for All Sensitive Data
SOC 2 requires confidentiality. Never use SharedPreferences for tokens, user IDs, or any sensitive value.
Biometric MFA — SOC 2 Access Controls
SOC 2 Security criterion requires authentication controls. Implement biometric lock on sensitive screens.
Audit Logging — Every Action Traceable
SOC 2 requires you to log who did what, when. Send structured logs to your backend for every sensitive action.
🇪🇺 GDPR — Flutter Implementation
Consent Manager — Collect & Store User Consent
GDPR Article 7 requires proof of consent. Record the timestamp, version of privacy policy agreed to, and what was consented to.
“Delete My Data” — Right to Erasure (Article 17)
Every GDPR-compliant app must let users delete all their data. This is non-negotiable.
Disable Screenshots on Sensitive Screens
Applies to all three standards. Prevents accidental data exposure via device screenshots, screen recording, or app switcher.
// Section 03 — Flutter Web
Flutter Web — Special Compliance Considerations
Flutter Web runs in a browser. This changes what’s possible. Some mobile security features don’t exist on web — and some web-specific risks don’t exist on mobile.
On Flutter Web, SecureStorage falls back to localStorage — which is NOT encrypted. Never store sensitive tokens, card data, or personal data in Flutter Web’s local storage. Use HTTP-only cookies or server-side sessions instead.
| Security Feature | Flutter Mobile | Flutter Web | Workaround for Web |
|---|---|---|---|
| Encrypted local storage | ✅ flutter_secure_storage | ❌ Falls back to localStorage | Use HTTP-only cookies; store data server-side only |
| Certificate pinning | ✅ Full support | ❌ Browsers manage certs | Enable HSTS + CAA DNS records on your domain |
| Screenshot blocking | ✅ Android: FLAG_SECURE | ❌ Not possible in browser | Use CSS blur on sensitive fields; short session timeouts |
| Biometric auth | ✅ local_auth | ⚠️ WebAuthn only | Use Web Authentication API (WebAuthn/FIDO2) |
| Root detection | ✅ flutter_jailbreak_detection | ❌ Not applicable | Use bot detection / WAF (Cloudflare) |
| HTTPS enforcement | ✅ Via network_security_config | ✅ Browser enforces HTTPS | Enable HSTS header on your server |
| Cookie Consent (GDPR) | Custom dialog | ✅ js package / CMP | Integrate Cookiebot, OneTrust, or CookieYes |
Flutter Web: Secure HTTP-Only Cookie Session Pattern
Flutter Web: GDPR Cookie Consent Banner
// Section 04 — Platform Matrix
Platform Support Matrix
Not all Flutter platforms support all security features equally. Know what works where before you commit to an architecture.
| Package / Feature | Android | iOS | Flutter Web | macOS | Windows | Linux |
|---|---|---|---|---|---|---|
| flutter_secure_storage | ✅ AES-256 | ✅ Keychain | ⚠️ localStorage | ✅ Keychain | ✅ DPAPI | ✅ libsecret |
| flutter_stripe | ✅ | ✅ | ✅ (Stripe.js) | ❌ | ❌ | ❌ |
| local_auth (biometric) | ✅ Fingerprint/Face | ✅ Face ID/Touch ID | ⚠️ WebAuthn only | ✅ Touch ID | ✅ Windows Hello | ❌ |
| flutter_jailbreak_detection | ✅ Root detection | ✅ Jailbreak | ❌ N/A | ❌ | ❌ | ❌ |
| flutter_windowmanager (screenshot block) | ✅ FLAG_SECURE | ❌ Not possible | ❌ Not possible | ❌ | ❌ | ❌ |
| Certificate Pinning | ✅ network_security_config | ✅ ATS / manual | ❌ Browser controls | ⚠️ Manual | ⚠️ Manual | ⚠️ Manual |
// Section 05 — Proving Compliance
How to Prove You Are Compliant
Building a secure app is step one. Proving it to auditors, clients, regulators, and the public is step two. Here’s the evidence you need for each standard.
Penetration Test Report
Annual pen test by a certified ethical hacker (CREST/OSCP certified). Required for PCI DSS Req 11, SOC 2, and GDPR Article 32. This is your strongest evidence.
Vulnerability Scan Results
Quarterly ASV (Approved Scanning Vendor) scans for PCI DSS. Tools: Tenable Nessus, Qualys, Rapid7. Must show zero high/critical findings.
SOC 2 Report (Type II)
The gold standard for SaaS companies. A CPA firm audits your controls over 6–12 months. Share this report with enterprise clients under NDA.
GDPR Record of Processing
Article 30: A written record of all data you collect, why, how long, and who has access. Required for any org with 250+ employees or high-risk data.
Consent Logs & Timestamps
For GDPR: server-side records of every user’s consent: date, time, policy version, what they agreed to. Stored for the life of the account + 3 years.
Audit Trails & Access Logs
SOC 2 and PCI DSS Req 10: logs of who accessed what data, when, from where. Retained for 12 months minimum. Tools: AWS CloudTrail, Datadog, Splunk.
PCI SAQ or ROC Certificate
Your annual PCI DSS self-assessment or full QSA audit report. Shows card networks you are compliant. Your payment processor may also provide an Attestation of Compliance (AOC).
Security Policies (Written)
SOC 2 and PCI DSS both require written, signed policies: Information Security Policy, Incident Response Plan, Acceptable Use, Change Management, Vendor Management.
Employee Training Records
PCI DSS Req 12.6 and SOC 2 both require annual security awareness training. Keep certificates/records for every employee. Tools: KnowBe4, Proofpoint Security Awareness.
The “Trust Center” — How to Show Compliance Publicly
Leading SaaS companies publish a public Trust Center — a page listing their compliance status, reports available under NDA, and security practices. Build one for ResearchThinker using:
Vanta Trust Center
Auto-generates a public trust page showing your SOC 2 status, PCI DSS level, GDPR compliance, and certifications in real time. Clients can request reports directly.
Drata Trust Center
Similar to Vanta — automated compliance evidence collection + public trust page. SOC 2, ISO 27001, GDPR, PCI DSS, HIPAA dashboards.
Manual Trust Page
For smaller startups: a dedicated /security page on your website listing: certifications held, last pen test date, sub-processors list, and link to privacy policy.
// Section 06 — Third-Party Tools
Third-Party Tools That Help You Achieve & Prove Compliance
You don’t build compliance alone. These tools automate evidence collection, run audits, and keep you continuously compliant.
💳 PCI DSS Tools
🛡️ SOC 2 Tools
🇪🇺 GDPR Tools
🔒 Security Testing Tools (All Three Standards)
// Section 07 — Package Licenses
Flutter Package Licenses Reference
All open-source licenses below are free to use commercially. MIT and BSD are the most permissive — no conditions on use. Apache 2.0 requires attribution.
| Package | Purpose | License | Commercial Use | Standard |
|---|---|---|---|---|
| flutter_stripe | PCI-safe card payments | MIT | ✅ Free | PCI DSS |
| razorpay_flutter | India payment gateway | MIT | ✅ Free | PCI DSS |
| flutter_secure_storage | Encrypted key-value storage | BSD-3-Clause | ✅ Free | SOC 2 GDPR |
| local_auth | Biometric / PIN auth | BSD-3-Clause | ✅ Free | SOC 2 |
| flutter_jailbreak_detection | Root/jailbreak detection | MIT | ✅ Free | PCI DSS |
| flutter_windowmanager | Screenshot blocking (Android) | Apache 2.0 | ✅ Free (attribution) | GDPR PCI DSS |
| crypto | Dart crypto primitives (SHA, HMAC) | BSD-3-Clause | ✅ Free | All standards |
| encrypt | AES, RSA encryption in Dart | BSD-2-Clause | ✅ Free | All standards |
| firebase_crashlytics | Crash reporting (GDPR: configure data retention) | Apache 2.0 | ✅ Free tier | GDPR |
| dio | HTTP client with interceptors | MIT | ✅ Free | All standards |
| ssl_pinning_plugin | SSL/TLS certificate pinning | MIT | ✅ Free | PCI DSS |
| Stripe (commercial) | Payment processing infrastructure | Commercial | Per-transaction fee | PCI DSS |
| Vanta / Drata | SOC 2 compliance automation | Commercial SaaS | Subscription fee | SOC 2 |
Flutter is released under the BSD 3-Clause license by Google. There is no cost to use Flutter commercially. The Dart SDK is also free. The compliance costs come from auditing services, infrastructure security tools, and third-party certifications — not from Flutter.
// Section 08 — Your Roadmap
Compliance Roadmap: Step by Step
Follow this order. Each step builds on the last. You can start today with zero budget.
Day 1–7: Assess Your Current State
List every type of data your app collects. Check if any EU users exist. Check if you take card payments. This determines which standards apply.
Week 2: Switch to PCI-Safe Payment SDK
Replace any custom card handling with flutter_stripe or razorpay_flutter. This single step removes 90% of your PCI DSS scope immediately.
Week 2–3: Add GDPR Consent & Privacy Policy
Build consent dialogs using the code above. Write a plain-English privacy policy (use iubenda if needed). Add “Delete My Account” to settings. These are legal requirements if you have EU users.
Month 1: Harden Infrastructure
Enable HTTPS everywhere. Set security headers on your server. Replace SharedPreferences with flutter_secure_storage. Add MFA for admin accounts. Enable CloudTrail or similar logging on AWS/GCP.
Month 2: Run Security Scans
Run MobSF on your Flutter APK/IPA. Run OWASP ZAP on your APIs. Add Snyk to your GitHub CI. Fix all critical/high findings. Document the results — these are audit evidence.
Month 3: Write Security Policies
Document your Information Security Policy, Incident Response Plan, and Acceptable Use Policy. These are required for both PCI DSS and SOC 2. Keep them in Google Drive or Notion — linked to in Vanta/Drata.
Month 4–6: SOC 2 Readiness (if needed)
Sign up for Vanta or Sprinto. Connect your cloud accounts. Let the tool collect evidence automatically for 6 months. Then engage a CPA auditor for your SOC 2 Type II report.
Ongoing: Annual Reviews & Re-Assessment
PCI DSS: annual SAQ + quarterly scans. SOC 2: annual audit. GDPR: review processing activities when your app changes. Security is not a one-time event — it’s a continuous process.
Use Stripe/Razorpay SDK (PCI DSS sorted). Add flutter_secure_storage + consent dialogs (GDPR sorted). Document your security controls + use Vanta (SOC 2 sorted). The code is free. The audit costs money. Start with what’s free — the habits and architecture — before paying for certification.