PCI-DSS Compliance and WooCommerce

What is PCI-DSS?

PCI-DSS (Payment Card Industry Data Security Standard) is a set of actionable rules defined by the Payment Card Industry Security Standards Council to encourage the broad adoption of consistent data security measures around the world with an aim to reduce credit card fraud.

These rules apply to anyone who stores, processes, or transmits cardholder data. For more information about PCI-DSS, please review the Quick Reference Guide here.

Do I need to be PCI-DSS Compliant?

If you store, process, or transmit cardholder data (as defined in the PCI Security Standards Council’s glossary), then yes, you need to be PCI-DSS compliant.

If, however, you are taking payments off-site by using a gateway that uses its own servers to take payments (Stripe, PayPal Payments, etc.) and you are not collecting, transmitting, or processing cardholder data, PCI-DSS is not applicable to you.

Recommended Payment Gateways

Here at WooCommerce.com, we have our own WooPayments offering. We believe this is the best option for eligible merchants to accept PCI compliant payments on their site. Read more in our Is WooPayments PCI compliant? documentation.

PCI-DSS Core Requirements

The 12 core PCI-DSS requirements are as follows (last updated: 22 Jul 2021, please make sure to confirm the latest version of the requirements on the PCI website):

Goals / PCI-DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Reporting Compliance

Typically, PCI compliance reports are enforced by your payment processor – they may require that you fill out questionnaires (Self Assessment Questionnaire – or SAQ) or be scanned by an ASV (approved scanning vendor) of their choosing.

WooCommerce and PCI Compliance

Ultimately, PCI compliance is the responsibility of the store owner. Although the core WooCommerce plugin is not PCI-DSS certified, your site can be PCI compliant. The core WooCommerce plugin is written with security in mind, with audits from WP core contributors and Sucuri.

Regarding the PCI-DSS requirements, many are beyond the scope of WordPress and WooCommerce – instead falling into the area of hosting and business policies/best practice for the website owner to abide by. Here are a few details that may be helpful (each numbered item below corresponds to the PCI-DSS requirement with the same number above):

  1. Contact your hosting provider or network administrator about firewalls.
  2. Use strong passwords at all times and ensure the hosting environment is 100% secure. This is your responsibility.
  3. WooCommerce never stores card details. Our in-house payment gateways also never store more than 4 digits of a card number if storing payment tokens for re-use.
  4. WooCommerce has options to enforce SSL on your checkout pages. Ensure your hosting provider implements SSL to work with this.
  5. Contact your hosting provider about virus protection.
  6. Contact your hosting provider about maintaining a secure system to avoid threats.
  7. WooCommerce uses the WordPress login system, which can be used to give administrative access to whom you desire. You should determine appropriate best practices relating to security such as strong passwords and usernames.
  8. You may want to work with the host/network admin to ensure all admin access to systems containing credit card details is logged and trackable. It may be beneficial if user activity is traceable so users can be held accountable for their actions. Access should be limited to only those who need it.
  9. Contact your hosting provider about how to restrict physical access to stored and transmitted data.
  10. Contact your network admin or hosting provider about monitoring access.
  11. You may want to use an ASV (approved scanning vendor) to regularly scan your site for issues.
  12. Creating, maintaining and distributing a policy on addressing the PCI-DSS requirements, as well as a risk assessment is the responsibility of the merchant/store owner.
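As an added example (not WooCommerce's own code), a small must-use plugin that covers items 4 and 8 above: it redirects plain-HTTP requests for the checkout and account pages to HTTPS, and writes an audit line for every successful or failed login by a user holding WooCommerce or administrator capabilities. The file location, the choice of capabilities and the use of PHP's error log as the audit destination are assumptions.

```php
<?php
/**
 * Plugin Name: PCI Checkout Hardening (added example)
 * Description: Force HTTPS on WooCommerce checkout/account pages and audit
 *              administrative logins. Assumed location:
 *              wp-content/mu-plugins/pci-checkout-hardening.php
 */

defined( 'ABSPATH' ) || exit;

// Item 4: send non-HTTPS requests for sensitive pages to their HTTPS URL.
// Uses WordPress is_ssl() and the WooCommerce conditionals is_checkout()/is_account_page().
add_action( 'template_redirect', function () {
    if ( is_ssl() || ! function_exists( 'is_checkout' ) ) {
        return; // already secure, or WooCommerce is not active
    }
    if ( is_checkout() || is_account_page() ) {
        $https_url = set_url_scheme( home_url( $_SERVER['REQUEST_URI'] ), 'https' );
        wp_safe_redirect( $https_url, 301 ); // wp_safe_redirect only allows same-site hosts
        exit;
    }
} );

// Item 8: one audit line per login by a privileged user (assumed capability set).
function pci_example_is_privileged( WP_User $user ) {
    return user_can( $user, 'manage_options' ) || user_can( $user, 'manage_woocommerce' );
}

function pci_example_audit( $event, $login, $user_id ) {
    // REMOTE_ADDR is the direct peer; behind a proxy/CDN use the host's trusted forwarded header.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 120 ) : '-';
    error_log( sprintf( '[%s] pci-audit event=%s user=%s id=%d ip=%s ua=%s',
        gmdate( 'c' ), $event, $login, $user_id, $ip, $ua ) );
}

add_action( 'wp_login', function ( $user_login, $user ) {
    if ( pci_example_is_privileged( $user ) ) {
        pci_example_audit( 'admin_login_ok', $user_login, $user->ID );
    }
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
    // Failed attempts against privileged accounts are worth tracking too.
    $user = get_user_by( 'login', $username );
    if ( $user && pci_example_is_privileged( $user ) ) {
        pci_example_audit( 'admin_login_failed', $username, $user->ID );
    }
} );
```

Point the log at a destination your host retains and protects (for example WP_DEBUG_LOG or the web server's error log) so the entries remain available for the access-tracking evidence described in item 8.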

If you’re interested in complying with PCI-DSS, you may want to:

  • Choose a trusted, secure hosting provider – preferably one which claims and actively promotes PCI compliance. Cheap, shared hosts are unlikely to cover this.
  • Use security best practices when setting passwords and limit access to your server.
  • Never store credit card details anywhere.
  • With the aid of your hosting provider, implement SSL to keep your checkout secure.
  • Keep installed plugins to a minimum; remember, compliance covers all installed software so that includes plugins and WordPress itself.
  • Keep plugins up to date to ensure the latest security fixes are present.
  • Working with your payment processor, use an ASV (approved scanning vendor) to scan your site and find issues – fixing any identified issues until passing the scan.

Or alternatively, choose a gateway which handles this for you off-site.

Questions and Support

Do you still have questions and need assistance? 

  • Get in touch with a Happiness Engineer via our Help Desk. We provide support for extensions developed by and/or sold on WooCommerce.com, and Jetpack/WordPress.com customers.
  • If you are not a customer, we recommend finding help on the WooCommerce Support Forum or hiring a WooExpert agency. They are trusted agencies with a proven track record of building highly customized, scalable online stores. Learn more about WooExpert agencies.