Yes, WooCommerce Payments itself is PCI compliant, but merchants still need to be aware of the core PCI-DSS requirements. For more general information, please see our PCI-DSS Compliance and WooCommerce documentation.
WooCommerce Payments uses a hosted payment field for handling all payment card data, so the cardholder enters all sensitive payment information into a payment field served directly from our partner’s PCI-DSS validated servers. This means the card information is not stored on your site.
WooCommerce stores the data entered in the other checkout fields, such as name, address, country, and so on. This data is separate from the billing field data, such as the card number and CVC code.
When a customer completes a purchase on your site and chooses to save their payment method for future use, or when they purchase a subscription product, your site needs to “remember” the customer’s payment details in order to use them again in the future.
WooCommerce Payments uses a token- and API-based method to do this. In short, your site communicates with our payments system over the WordPress.com connection and requests the card details using a payment token. Payment method details such as the card number and CVC code are not stored directly on your site.