This document is intended to provide a general overview of WooCommerce security, as well as answer questions you may have.
It touches on the General Data Protection Regulation (GDPR) protecting EU citizens’ data, as well as PCI-DSS compliance (Payment Card Industry Data Security Standard), which sets consistent security measures with the aim of reducing credit card fraud.
By default, WooCommerce retains:
- What products a customer ordered and when
- Name, e-mail address, and phone number provided by the customer
- Billing (and optionally: shipping) address entered by the customer
- A note about payment method used by the customer
This information, like the rest of your WordPress installation’s data, is stored in your website host’s database.
Yes. You can request it from the site/store owner. If you are the site/store owner, WordPress includes a Personal Data Exporter, and WooCommerce adds its own customer and order data to that export. More info at: Accounts and Privacy.
Your WooCommerce site allows customers to pay for orders via one of the payment gateways you’ve set up and enabled on your site.
- A manual payment gateway, such as BACS, collects customer information, then provides them with your details so they can transfer payment.
- An automatic payment gateway is an application that securely requests information from customers and relays it to a third-party payment processing service, e.g., a credit card processor or PayPal.
Some payment gateways come bundled with WooCommerce, and we also offer many premium gateway plugins. A payment gateway allows a third-party payment service to:
- Verify the customer’s billing information
- Verify if funds are available
- Transfer funds from the customer to you
- Send confirmation of payment back to your WooCommerce site
There are also payment gateways such as C.O.D. and Cheque that allow you to take payment offline, then manually mark the order “paid.” These have far fewer security concerns than automated, instantaneous payment methods.
No. By design, your customer’s credit card number and security code are never stored on your website. The payment gateway gives this sensitive information directly to the payment processor. We design our payment gateway plugins to ensure credit card data never enters or passes through your website’s database. This means you need not meet the burdensome and expensive security standards required for storing customers’ credit card numbers.
With some integrated payment gateway plugins you can give your customers the option to “store” credit cards or eChecks on your site via a secure method called tokenization. Tokenized payment methods can be used for recurring payments, pre-orders or for convenience in future purchases by the logged-in customer. eCheck tokens store the last four digits of the eCheck numbers, while credit card tokens include the last four digits of a card, the card brand/type, and its expiration date, mostly so the customer can identify which token is for which card.
Extremely. With tokenization, customers’ actual credit card information is stored on the servers of the payment processor.
The only data saved on your site is in the form of a string of characters called a token. These tokens are designed to be useless outside the precise context they’re created for. Imagine if, when you exchanged your money for chips at a casino or ride tickets at a fair, those chips or tickets not only couldn’t be spent on anything outside the casino or fair but couldn’t be spent by anyone but you.
Tokens are super-specific — specific to the customer, specific to your website, specific to the payment gateway’s payment processor, and specific to your merchant account with that processor. If any of those factors aren’t precise, the token won’t work as a placeholder for a customer’s payment information. Many gateways that allow tokenization also require the customer to enter their Card Security Code for each new purchase.
Payment gateways that allow tokenization will require your site to meet higher security standards set by the payment processors, and those standards are described in the documentation for each payment gateway.
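The tokenization section above rests on one rule: the token, last four digits, brand and expiry may reach your database, a full card number never may. The following is an added example, not WooCommerce or gateway code, of a save-time guard that scans every string field of an order or token record (including free-text order notes) for anything that looks like a full card number and passes the Luhn checksum; the record layout, regex and sample values are constructed for this example.

```python
"""Guard that refuses to persist a full card number in an order/token record.

Added example (not WooCommerce code). Long digit strings such as phone or
order numbers are only flagged when they also pass the Luhn check, which keeps
false positives low while still catching a PAN pasted into an order note.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes (constructed pattern).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(text: str) -> list[str]:
    """Return digit strings in text that look like full card numbers."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def safe_to_store(record: dict) -> tuple[bool, list[str]]:
    """Check every string field of a record before it is written.

    Returns (ok, offending_field_names). Token metadata such as last4 passes;
    a full PAN in any field, including a free-text order note, is rejected.
    """
    bad = [k for k, v in record.items() if isinstance(v, str) and find_pan_like(v)]
    return (not bad, bad)


# Constructed sample records; 4111111111111111 is a widely published test PAN.
TOKEN_RECORD = {"token": "tok_constructed_9f8e", "last4": "1111",
                "brand": "visa", "expiry": "12/29"}
LEAKY_RECORD = {"order_note": "pls charge card 4111 1111 1111 1111 thx",
                "phone": "+1 555 0100 1234"}
```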
We don’t sell or distribute non-secure payment gateways. Choosing which payment gateways you want on your site has more to do with how secure you want to make your site itself (since our plugins won’t work if your site doesn’t meet their security standards) and non-security considerations like customer checkout experience.
There are a lot of different ways to categorize or sort WooCommerce payment gateways, but from a security point of view the two major types of payment gateways are those hosted offsite and those integrated into your site.
If you’re looking for more general information on choosing a payment gateway, take a look at Which Payment Option is Right for Me?
In terms of user experience, an offsite payment gateway means the customer is sent from your checkout page to the payment processor’s site (e.g., PayPal.com), along with an encoded version of the customer’s basic order information. Depending on the gateway, this information could be just the total cost of the order and an order number; with more secure hosted gateways it can include an itemized breakdown of the order’s products, shipping, and tax.
Once the payment is complete, the payment processor then sends the customer back to your site along with confirmation that the payment was made. This payment flow means minimal security concerns for you and your WooCommerce site, since the whole payment portion takes place on the payment processor’s site and servers. The only downside is that some customers may find being sent off-site off-putting.
Integrated payment gateways offer a slicker, more seamless method of checkout. Through various means including encryption and secure form fields hosted elsewhere but appearing on your site, the customer is able to check out without ever having to leave your site.
While many of these integrated payment gateways are still easy to set up and get working, they require your site to shoulder a slightly heavier security burden than offsite payment gateways do, and there may be a few more hoops to jump through when it comes to registering your merchant account. Requirements vary and are explained in each payment gateway’s documentation, and integrated payment gateways all demand at least some rudimentary PCI compliance, i.e., valid HTTPS/SSL.
Many of us at WooCommerce believe that all websites retaining user information should have an SSL certificate and be HTTPS.
If you’re using an offsite hosted payment gateway, you may not need an SSL certificate to run WooCommerce, but many payment gateway plugins require it and we strongly, strongly recommend it for all WooCommerce sites. More info at: Introduction to HTTPS/SSL and HTTPS/SSL FAQ. Note that the first doc includes info on free SSL certificates.
It certainly can be! If you’re using an integrated payment gateway, it has to be. More at: PCI-DSS Compliance and WooCommerce.
It can be! Europe’s General Data Protection Regulation (GDPR) takes effect on 25 May 2018. If you sell any products to customers based in the EU, or have EU visitors to your site, you need to make sure your site complies with GDPR. We have a range of resources available to help you get started.
Because WooCommerce is built on WordPress, a given WooCommerce site is overall exactly as secure as the WordPress installation itself. This is good news since WordPress is used by hundreds of millions of websites and there’s a lot of information out there about WordPress security best practices. Any security matter that pertains to WordPress, including choosing a secure website host and hosting package, will also pertain to WooCommerce. We recommend taking at least initial steps to secure your WooCommerce site; you can really lock your site down with these additional “hardening” tips.
The web evolves quickly and unpredictably. One key to security is keeping your site’s version of WordPress and all WordPress plugins, WooCommerce or otherwise, up to date. This might seem like a nuisance, but it’s crucial to stay one step ahead in the endless web-security arms race.
Finally, it only takes one sneaky or badly designed plugin or code snippet to put your entire site and all your site’s data at risk. We at WooCommerce.com have a direct material interest in you buying WooCommerce-related plugins from us, but there is also a very real security consideration.
WooCommerce stands behind our products, as well as those of carefully selected partner developers whose extensions we sell at WooCommerce.com; we stake our reputation on their security. There are sites that claim to sell the same plugins more cheaply, but unless you buy ours too and then personally cross-check every line of code, you can’t know for sure they’re the same. The decision is yours to make, but it’s hard to put a price on peace of mind.
Many jurisdictions have strict laws regarding the storage of information such as credit card numbers, social security numbers, and driver’s license information. The website security verification requirements for you to legally store this kind of information vary, but in the U.S., for instance, there may be multiple, overlapping specifications at the municipal, county/parish, state, and federal levels, all of which you’d need to satisfy.
You’d need to check with a lawyer, and be sure that they advise you as to the legal secure storage requirements not only for your business address and your website host’s location but for every possible place your customers might be.
If this sounds daunting, ask yourself: do you really need customers to submit their social security numbers or government ID information/photos on your website? Keeping sensitive data in online databases is how identity theft happens, and with every additional database that information is in, the risk increases. If you are determined to store this kind of information on your WooCommerce site, be 100 percent certain that you know and have considered your legal and ethical liability.
A card testing attack is a type of fraud where criminals attempt to validate stolen credit card information by making small, rapid transactions through an online store.
Typically, these fraudulent attempts involve making multiple low-value purchases to avoid detection by cardholders or banks. If successful, the attacker learns that the card is valid, allowing them to use it for larger fraudulent purchases. This kind of attack can lead to increased transaction fees, fraudulent chargebacks, and potentially damage the reputation of a store.
If you are using WooPayments, we have specific guidance here.
If you are using another payment gateway:
- Refund all transactions that you believe to be fraudulent.
- Consider adding anti-fraud software to your site such as WooCommerce Anti-Fraud.
- Consider adding reCaptcha software to your checkout, such as reCaptcha for WooCommerce.
- Determine if there are specific products that may be more susceptible to these kinds of tests, for example “donation” or “name your price” products.
- Consider preventing guest checkout on your site.
- Work with your payment provider to increase the security on their account, for example, updating or reviewing the anti-fraud measures they have in place.
Please note that if you refund the transactions you believe to be fraudulent, your payment provider still may not refund the transaction fees for those transactions. If you would like these fees to be refunded, please reach out to your payment provider.
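The card-testing pattern described above (many small, rapid attempts from one source, most of them declined) is the kind of thing you can spot in your gateway or checkout logs before the chargebacks arrive. The following is an added detection example, not WooCommerce or gateway code; the log line format, the thresholds and the IP addresses are assumptions constructed for this example.

```python
"""Flag card-testing bursts in constructed gateway transaction logs.

Added example (not WooCommerce code). Each log line is assumed to look like
  <ISO timestamp> ip=<addr> amount=<value> result=<approved|declined>
A source is flagged when, inside a short window, it makes many low-value
attempts and most of them are declined.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to the store's normal traffic.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 5          # low-value attempts from one IP inside WINDOW
MAX_AMOUNT = 5.00         # what counts as a "low value" transaction
MIN_DECLINE_RATIO = 0.6   # share of those attempts that were declined


def parse_line(line: str) -> dict:
    """Parse one constructed log line into a dict with typed ts and amount."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = float(rec["amount"])
    return rec


def find_card_testing(lines: list[str]) -> dict[str, dict]:
    """Return {ip: stats} for sources whose attempts look like card testing."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for start in range(len(recs)):   # slide a window over the sorted attempts
            window = [r for r in recs[start:] if r["ts"] - recs[start]["ts"] <= WINDOW]
            small = [r for r in window if r["amount"] <= MAX_AMOUNT]
            if len(small) < MIN_ATTEMPTS:
                continue
            declined = sum(r["result"] == "declined" for r in small)
            if declined / len(small) >= MIN_DECLINE_RATIO:
                flagged[ip] = {"attempts": len(small), "declined": declined}
                break
    return flagged


# Constructed sample log: a burst of $1 tests from 203.0.113.7 amid normal traffic.
SAMPLE_LOG = """
2024-03-01T10:00:01 ip=203.0.113.7 amount=1.00 result=declined
2024-03-01T10:00:09 ip=203.0.113.7 amount=1.00 result=declined
2024-03-01T10:00:15 ip=198.51.100.2 amount=49.99 result=approved
2024-03-01T10:00:20 ip=203.0.113.7 amount=1.00 result=declined
2024-03-01T10:00:31 ip=203.0.113.7 amount=1.00 result=approved
2024-03-01T10:00:44 ip=203.0.113.7 amount=1.00 result=declined
2024-03-01T10:01:02 ip=203.0.113.7 amount=1.00 result=declined
2024-03-01T10:05:00 ip=198.51.100.2 amount=2.00 result=approved
""".strip().splitlines()
```

Flagged sources are candidates for review and for the mitigations listed above, such as tightening the gateway's own anti-fraud rules, not automatic proof of fraud.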
If you have more questions, you can always get in touch!