PCI-DSS compliance and WooCommerce

What is PCI-DSS?

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of actionable rules established by the Payment Card Industry Security Standards Council (PCI SSC). Its primary goal is to promote the widespread adoption of consistent data security measures worldwide to reduce credit card fraud.

These rules apply to anyone who stores, processes, or transmits cardholder data. For more information about PCI-DSS, review the Quick Reference Guide.

Do I need to be PCI-DSS compliant?

If you store, process, or transmit cardholder data as defined in the PCI SSC glossary, then PCI-DSS applies to you.

If you are taking payments off-site using a gateway that processes payments on its own servers (such as Stripe or PayPal Payments), and you are not collecting, transmitting, or processing cardholder data, then PCI-DSS does not apply to you.

Recommended payment gateways

WooPayments is the best option for merchants in eligible regions to accept PCI-compliant payments on their sites. Learn more about PCI compliance in WooPayments.

PCI-DSS core requirements

The 12 core PCI-DSS requirements, grouped by the goal each one serves, are as follows:

Goal: Build and maintain a secure network

  1. Install and maintain a firewall configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect cardholder data

  3. Protect stored cardholder data.

  4. Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a vulnerability management program

  5. Use and regularly update anti-virus software.

  6. Develop and maintain secure systems and applications.

Goal: Implement strong access control measures

  7. Restrict access to cardholder data by business need-to-know.

  8. Assign a unique ID to each person with computer access.

  9. Restrict physical access to cardholder data.

Goal: Regularly monitor and test networks

  10. Track and monitor all access to network resources and cardholder data.

  11. Regularly test security systems and processes.

Goal: Maintain an information security policy

  12. Maintain a policy that addresses information security.

Last updated: 22 July 2021. Please confirm the latest requirements on the PCI SSC website.

Reporting compliance

PCI compliance reports are usually enforced by your payment processor, who may require you to complete a self-assessment questionnaire (SAQ) or undergo scans by an approved scanning vendor (ASV) of their choice.

WooCommerce and PCI compliance

PCI compliance is ultimately the responsibility of the store owner. While the core WooCommerce plugin is not PCI-DSS certified, your site can still achieve PCI compliance.

Many PCI-DSS requirements go beyond WordPress and WooCommerce. They relate more to the hosting services and business policies or best practices that the website owner must implement.

Here is how each of the 12 requirements above maps to a WooCommerce store:

  1. Contact your hosting provider or network administrator about firewalls.
  2. Use strong passwords at all times and ensure the hosting environment is 100% secure. This is your responsibility.
  3. WooCommerce never stores card details. Our in-house payment gateways also never store more than four (4) digits of a card number if storing payment tokens for re-use.
  4. WooCommerce has options to enforce a secure socket layer (SSL) connection on your checkout pages. Ensure your hosting provider implements SSL to work with this.
  5. Contact your hosting provider about virus protection.
  6. Contact your hosting provider about maintaining a secure system to avoid threats.
  7. WooCommerce uses WordPress’s login system, which can be used to grant administrative access to users. You should follow security best practices when granting access, including strong passwords and usernames.
  8. You may want to work with the host/network admin to ensure all administrator access to systems containing credit card details is logged and trackable. Making user activity traceable can help hold users accountable. Access should be restricted to only those who require it.
  9. Contact your hosting provider about how to restrict access to physically stored and transmitted data.
  10. Contact your network admin or hosting provider about access monitoring.
  11. You may want to use an approved scanning vendor (ASV) to regularly scan your site for issues.
  12. Creating, maintaining, and distributing a policy on addressing the PCI-DSS requirements (as well as a risk assessment) is the responsibility of the merchant/store owner.

If you are interested in complying with PCI-DSS, you should:

  • Choose a trusted, secure hosting provider that claims and actively promotes PCI compliance. Cheap, shared hosts are unlikely to cover this.
  • Use security best practices when setting passwords and limiting access to your server.
  • Never store credit card details anywhere.
  • Implement an SSL certificate to secure your store’s checkout.
  • Keep the number of extensions/plugins installed on your site to a minimum. Compliance covers all installed software, including extensions/plugins and WordPress itself.
  • Keep WordPress, WooCommerce, and extensions/plugins up to date to ensure the latest security fixes are present.
  • Working with your payment processor, use an ASV to scan your site and find issues.
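Points 3 and "Never store credit card details anywhere" come down to one rule in code: a store keeps the processor's opaque token, the last four digits, the brand and the expiry, and nothing else from the card. The stand-alone PHP below is an added example written for this page, not WooCommerce's own code or its WC_Payment_Token API. The function names (build_token_record, contains_pan, luhn_valid), the record layout and the sample token value are assumptions chosen for the illustration; the card number used is a well-known test number, not a real account.

```php
<?php
// Added example (not WooCommerce code). Shows two defensive habits:
//  1. build the persisted token record so it can only ever hold PAN-truncated data;
//  2. check any string about to be stored or logged for something that looks like a full PAN.

// Luhn check: used both to validate input and to cut false positives in contains_pan().
function luhn_valid(string $digits): bool {
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// The record a gateway integration would persist after the processor has returned a token.
// The full PAN is only ever held in memory inside this function and is never written out.
function build_token_record(string $pan, string $processor_token, string $brand, int $exp_month, int $exp_year): array {
    $digits = preg_replace('/\D/', '', $pan);
    if (strlen($digits) < 13 || strlen($digits) > 19 || !luhn_valid($digits)) {
        throw new InvalidArgumentException('not a well-formed card number');
    }
    return [
        'token'     => $processor_token,      // opaque reference issued by the processor
        'last4'     => substr($digits, -4),   // the only card digits allowed at rest
        'card_type' => $brand,
        'expiry'    => sprintf('%02d/%04d', $exp_month, $exp_year),
    ];
}

// Guard to run over anything headed for the database, a log line or a support ticket:
// true if the text contains a 13-19 digit run (spaces/dashes allowed) that passes Luhn.
function contains_pan(string $text): bool {
    if (!preg_match_all('/(?:\d[ -]?){13,19}/', $text, $matches)) {
        return false;
    }
    foreach ($matches[0] as $candidate) {
        if (luhn_valid(preg_replace('/\D/', '', $candidate))) {
            return true;
        }
    }
    return false;
}

// Constructed sample input: a standard test card number and a made-up processor token.
$record = build_token_record('4111 1111 1111 1111', 'tok_example_123', 'visa', 12, 2030);
echo json_encode($record), PHP_EOL;                        // only token, last4, brand, expiry

// What the record looks like once serialized must never trip the PAN guard...
echo contains_pan(json_encode($record)) ? "FAIL: PAN present\n" : "ok: no PAN in stored record\n";

// ...whereas a raw request body or careless debug line would.
echo contains_pan('card=4111111111111111 cvv=123') ? "blocked: full PAN detected\n" : "missed\n";
```

Run with `php` on the command line. The regular expression in contains_pan() is deliberately coarse; the Luhn check removes most order numbers and timestamps, but treat a hit as a reason to stop and inspect, not as proof of a breach.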

Alternatively, choose a gateway that handles this off-site.

Questions and support

Do you still have questions and need assistance?

  • Get in touch with a Happiness Engineer via our Help Desk. We provide support for extensions developed by and/or sold on WooCommerce.com, and Jetpack/WordPress.com customers.
  • If you are not a customer, we recommend finding help in the WooCommerce support forum or hiring a Woo Agency Partner. These are trusted agencies with a proven track record of building highly customized, scalable online stores. Learn more about Woo Agency Partners.