Overview ↑ Back to top
Yes, WooCommerce Payments itself is PCI compliant but merchants still need to be aware of the core PCI-DSS core requirements. For more general information, please see our PCI-DSS Compliance and WooCommerce documentation.
What makes WooCommerce Payments PCI Compliant? ↑ Back to top
WooCommerce Payments uses a hosted payment field for handling all payment card data, so the cardholder enters all sensitive payment information in a payment field that originates directly from our partner’s PCI DSS validated servers. This means the information is not directly stored on your site.
What is stored on with WooCommerce? ↑ Back to top
WooCommerce stores the data entered in the other checkout fields, such as name, address, country, and so on. This data is separate from the billing field data such as the long card number, and CVC.
What about saved cards / Subscriptions? ↑ Back to top
When a customer purchases on your site and they store their payment method for future use, or when using our own WooCommerce Subscriptions, your site needs to “know” those details to be used again. WooCommerce Payments uses a token and API based approach. In short, this means your site will communicate with our payments system using the WordPress.com connection and then will request the details using a payment token. Customer payment method details such as card number and CVC, are not stored on your site.