PCI Compliance
All store owners wishing to process credit card transactions should be familiar with PCI Compliance. Spree Gateway Stripe itnegration and Spree Braintree vzero are PCI-compliant.
Spree uses extreme caution in its handling of credit cards. In production mode, credit card data is transmitted to Spree via SSL. The data is immediately relayed to your chosen payment gateway and then discarded. The credit card data is never stored in the database (not even temporarily) and it exists in memory on the server for only a fraction of a second before it is discarded.
Spree does store the last four digits of the credit card and the expiration month and date. You could easily customize Spree further if you wanted and opt out of storing even that little bit of information.
Spree Gateway Stripe itnegration supports Strong Customer Authentication (SCA) out of the box. Remember to use Stripe Elements gateway with Payment Intents option enabled.
Spree Braintree vzero extension supports 3D Secure 2.0.