PCI-DSS Compliance and WooCommerce

What is PCI-DSS?

↑ Back to top

PCI-DSS (Payment Card Industry Data Security Standard) is a set of actionable rules defined by the Payment Card Industry Security Standards Council to encourage the broad adoption of consistent data security measures around the world with an aim to reduce credit card fraud.

These rules apply to anyone who stores, processes, or transmits cardholder data. For more information about PCI-DSS, please review the Quick Reference Guide here.

Do I need to be PCI-DSS Compliant?

↑ Back to top

If you store, process, or transmit cardholder data (as defined in the PCI Security Standards Council’s glossary), yes

If, however, you are taking payments off-site by using a gateway that uses its own servers to take payments (Stripe, PayPal Payments, etc.) and you are not collecting, transmitting, or processing cardholder data, PCI-DSS is not applicable to you.

Recommended Payment Gateways

↑ Back to top

Here at WooCommerce.com, we have our own WooPayments offering. We believe this is the best option for eligible merchants to accept PCI compliant payments on their site. Read more in our Is WooPayments PCI compliant? documentation.

PCI-DSS Core Requirements

↑ Back to top

The 12 core PCI-DSS requirements are as follows (last updated: 22 Jul 2021, please make sure to confirm the latest version of the requirements on the PCI website):

GoalsPCI-DSS Requirement
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  1. Protect stored cardholder data
  2. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  1. Use and regularly update anti-virus software
  2. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  1. Restrict access to cardholder data by business need-to-know
  2. Assign a unique ID to each person with computer access
  3. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  1. Track and monitor all access to network resources and cardholder data
  2. Regularly test security systems and processes
Maintain an Information Security Policy
  1. Maintain a policy that addresses information security

Reporting Compliance

↑ Back to top

Typically, PCI compliance reports are enforced by your payment processor – they may require that you fill out questionnaires (Self Assessment Questionnaire – or SAQ) or be scanned by an ASV (approved scanning vendor) of their choosing.

WooCommerce and PCI Compliance

↑ Back to top

Ultimately, PCI compliance is the responsibility of the store owner. Although the core WooCommerce plugin is not PCI-DSS certified, your site can be PCI compliant. The core WooCommerce plugin is written with security in mind, with audits from WP core contributors and Sucuri.

Regarding the PCI-DSS requirements, many are beyond the scope of WordPress and WooCommerce – instead falling into the area of hosting and business policies/best practice for the website owner to abide by. Here are a few details that may be helpful: 

  1. Contact your hosting provider or network administrator about firewalls.
  2. Use strong passwords at all times and ensure the hosting environment is 100% secure. This is your responsibility.
  3. WooCommerce never stores card details. Our in-house payment gateways also never store more than 4 digits of a card number if storing payment tokens for re-use.
  4. WooCommerce has options to enforce SSL on your checkout pages. Ensure your hosting provider implements SSL to work with this.
  5. Contact your hosting provider about virus protection.
  6. Contact your hosting provider about maintaining a secure system to avoid threats.
  7. WooCommerce uses the WordPress login system, which can be used to give administrative access to whom you desire. You should determine appropriate best practices relating to security such as strong passwords and usernames.
  8. You may want to work with the host/network admin to ensure all admin access to systems containing credit card details is logged and trackable. It may be beneficial if user activity is traceable so users can be held accountable for their actions. Access should be limited to only those who need it.
  9. Contact your hosting provider about how to restrict access to physical stored and transmitted data.
  10. Contact your network admin or hosting provider about monitoring access.
  11. You may want to use an ASV (approved scanning vendor) to regularly scan your site for issues.
  12. Creating, maintaining and distributing a policy on addressing the PCI-DSS requirements, as well as a risk assessment is the responsibility of the merchant/store owner.

If you’re interested in complying with PCI-DSS, you may want to:

  • Choose a trusted, secure hosting provider – preferably one which claims and actively promotes PCI compliance. Cheap, shared hosts are unlikely to cover this.
  • Use security best practices when setting passwords and limit access to your server.
  • Never store credit card details anywhere.
  • With the aid of your hosting provider, implement SSL to keep your checkout secure.
  • Keep installed plugins to a minimum; remember, compliance covers all installed software so that includes plugins and WordPress itself.
  • Keep plugins up to date to ensure the latest security fixes are present.
  • Working with your payment processor, use an ASV (approved scanning vendor) to scan your site and find issues – fixing any identified issues until passing the scan.

Or alternatively, choose a gateway which handles this for you off-site.

Questions and Support

↑ Back to top

Do you still have questions and need assistance? 

  • Get in touch with a Happiness Engineer via our Help Desk. We provide support for extensions developed by and/or sold on WooCommerce.com, and Jetpack/WordPress.com customers.
  • If you are not a customer, we recommend finding help on the WooCommerce Support Forum or hiring a WooExpert agency. They are trusted agencies with a proven track record of building highly customized, scalable online stores. Learn more about WooExpert agencies.