Is WooPayments PCI Compliant?

Yes, WooPayments is PCI DSS compliant as a Level 1 service provider.

That said, using WooPayments doesn’t automatically make your entire site PCI compliant. While WooPayments handles payment processing in a PCI DSS–validated environment, your site still plays a role in presenting the checkout experience and must meet certain PCI requirements — especially around security and vulnerability management.

For broader context, see our PCI-DSS Compliance and WooCommerce guide.

What makes WooPayments PCI Compliant?

WooPayments uses hosted payment fields to collect card details. These fields are served securely from our payment partner’s PCI DSS–validated environment. Because sensitive payment information is never handled by your site or stored on your server, WooPayments helps reduce your PCI compliance scope significantly.

What data is stored on my site?

WooCommerce stores non-payment details such as the customer’s name, address, and country in your site’s WordPress database. This is separate from the payment form, which loads from our secure environment.

What about saved cards and subscriptions?

If a customer chooses to save their payment method or purchase a subscription product, your site will use a secure payment token to reference that card in future transactions. These tokens are stored by our payment partner and requested through your site’s connection to WordPress.com. Card details like the number and CVC are never stored on your site.

Requesting PCI documentation

If you’re completing your own PCI DSS validation and need supporting documentation, such as a copy of our Attestation of Compliance (AOC), please contact our support team and we’d be happy to help.

Further reading

WooPayments is built in partnership with Stripe. For additional details, you can also review our general PCI guidance and Stripe’s PCI documentation.