Yes, WooPayments itself is PCI compliant.
However, merchants still need to be aware of the core PCI-DSS requirements when it comes to other aspects of their site. In other words, just because WooPayments is PCI compliant, that does not mean that your entire site is compliant.
For more general information, please see our PCI-DSS Compliance and WooCommerce documentation.
WooPayments uses hosted payment fields for handling all payment data, so the cardholder will enter all their sensitive payment information in a form that originates directly from our partner’s PCI-DSS validated servers. This means the information is not directly stored on your site.
WooCommerce stores any non-payment data (such as name, address, country) in your WordPress database. This data is separate from the payment form data, as noted in the section above.
When a customer completes a purchase on your site and chooses to save their payment method for future use, or when they purchase a subscription product, your site needs to “remember” the customer’s payment details in order to use them again in the future.
WooPayments uses a token and API-based method to do this. In short, this means your site will communicate with our payments system using the WordPress.com connection and request the card details using a payment token. Payment method details such as the card number and CVC code are not stored directly on your site.
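As an added example (not WooPayments code), here is a check a merchant can run over an export of their own WordPress post meta rows to confirm that only tokens and non-payment data landed there: it flags Luhn-valid runs of 13 to 19 digits, while ignoring opaque tokens and other long numeric identifiers. The sample rows, meta key names and token format are constructed for the example and are not WooPayments' real identifiers.

```python
import re

# Constructed sample rows, shaped like a WooCommerce post meta export.
# Keys, values and the token format are illustrative, not WooPayments' own.
SAMPLE_ROWS = [
    {"order_id": 1001, "meta_key": "_billing_first_name", "meta_value": "Ada"},
    {"order_id": 1001, "meta_key": "_payment_token", "meta_value": "pm_example_8f3a2c9d"},
    {"order_id": 1002, "meta_key": "_customer_note", "meta_value": "paid with 4111 1111 1111 1111"},
    {"order_id": 1003, "meta_key": "_order_key", "meta_value": "wc_order_5812345678901234"},
]

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(value: str) -> list[str]:
    """Return digit strings in `value` that look like a primary account number."""
    hits = []
    for m in CANDIDATE_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_rows(rows):
    """Report rows holding PAN-like data; the value is masked so the report itself is safe to keep."""
    findings = []
    for row in rows:
        for pan in find_pan_like(str(row["meta_value"])):
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            findings.append({"order_id": row["order_id"], "meta_key": row["meta_key"], "masked": masked})
    return findings


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

The token row and the order key both pass untouched; only the customer note, where a card number was typed by hand, is reported, which is exactly the kind of leak that pulls a merchant's own database back into PCI scope.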