When as an eCommerce store owner you discover PCI DSS or “Payment Card Industry Data Security Standard” your first thought might be is WooCommerce PCI compliant? Your second thought might be is my hosting PCI compliant? And the questions don’t stop there. A little research might start you asking are my WooCommerce Payment Gateway Plugins PCI compliant?
PCI DSS is such a huge topic that defines a lot of operational standards for data with eCommerce stores, you can be certain that WooCommerce have their eye on this standard and are doing everything in their power to make sure their part of you business is PCI Compliant.
WooCommerce actually have a great article outlining what’s their responsibility as the software provider – and also the things that they have no control over, that relate more directly to how you do business. The key point here is, WooCommerce is PCI Compliant in it’s approach, but that won’t automatically mean your business is PCI Compliant – you have a part to play in this. If you follow this guide however, you can minimise the part you HAVE to play in making your eCommerce store built with WooCommerce PCI Compliant.
My aim here is also to provide a reference article that you can refer to in future if the question about eCommerce PCI Compliance ever comes up. Being PCI Compliant with your WooCommerce store isn’t actually difficult. So above helping you achieve PCI Compliance in eCommerce, I’m here to provide “peace of mind” so you’ve got one less thing to think about and you can get back to running your thriving eCommerce store.
Online Business & Ecommerce PCI Compliance Guide for WooCommerce Store Owners
What Does PCI Compliance Impact in my eCommerce Business?
I’ll take a quick second to set the scene around PCI Compliance in case you haven’t fully researched PCI Compliance itself and have just stumbled across this requirement.
PCI DSS is basically about keeping data secure.
As an eCommerce store you are interacting with customers and their very sensitive payment card and similar data. It therefore makes sense that to prevent this sensitive data from being stolen or misused, that there’s a standard around which eCommerce merchants (and offline businesses) need to comply for the good of everyone. No-one wants their data hacked or stolen.
From a selfish perspective, you as the eCommerce site owner doesn’t want to find themselves responsible for a data breach and ultimately find yourself liable for fines, law suits and more. Yes, it is that serious!
So PCI Requirements dictate how data should be handled to ensure that everyone stays safe when shopping and you, the store owner stays lawsuit free.
If you want to dig deeper on this, I’d suggest you head over to the PCI Security Standards Website – but for the purpose of this guide, we’ve set the scene and you should now be on board with the idea that PCI Compliance isn’t really an option and it’s not something you want to be risking your livelihood based on.
WooCommerce PCI Compliance – Your Responsibilities vs Woo’s
|PCI Compliance Area||12 Core PCI-DSS Requirements||What Influences Compliance|
|BUILD AND MAINTAIN A SECURE NETWORK||1. Install and maintain a firewall configuration to protect cardholder data|
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|1. Hosting selection (if actually storing card data)|
2. Your responsibility – use strong passwords everywhere
|PROTECT CARDHOLDER DATA||3. Protect stored cardholder data|
4. Encrypt transmission of cardholder data across open, public networks
|3. WooCommerce itself doesn’t store card data – but your payment gateway influences this|
4. Your responsibility – install an SSL and force it
|MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM||5. Use and regularly update anti-virus software|
6. Develop and maintain secure systems and applications
|5. Hosting selection (if actually storing card data)|
6. Hosting selection (if actually storing card data)
|IMPLEMENT STRONG ACCESS CONTROL MEASURES||7. Restrict access to cardholder data by business need-to-know|
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
|7. Your responsibility. WooCommerce provides user role login control to limit access to data by role (if actually storing card data)|
8. Hosting selection (if actually storing card data)
9. Hosting selection (if actually storing card data)
|REGULARLY MONITOR AND TEST NETWORKS||10. Track and monitor all access to network resources and cardholder data|
11. Regularly test security systems and processes
|10. Hosting selection (if actually storing card data)|
11. Hosting selection / Your responsibility (if actually storing card data)
|MAINTAIN AN INFORMATION SECURITY POLICY||12. Maintain a policy that addresses information security||12. Your responsibility|
If you’ve read that table top to bottom outlining the PCI DSS 12 core requirements and your responsibilities, you may have realised that the statement “if actually storing card data” comes up A LOT.
This is because as an eCommerce store owner, you do have a choice, but you’d be stupid to choose the wrong option (in my opinion).
Option 1 – you can go down the route of storing card data and needing to run secure servers, have regular scans by ‘Approved Scanning Vendors’, have policies and paperwork and hassle (cost).
Option 2 – you can focus on being an eCommerce business and set yourself up so your PCI Compliance requirements are as simple as filling in a short questionnaire whilst keeping everyone’s data safe and your costs to an absolute minimum.
If you’re still thinking about option 1, you’ll need to come up with a compelling case to convince me that option 2 isn’t the right choice for your eCommerce business.
So is WooCommerce PCI Compliant?
As far as WooCommerce can support YOUR eCommerce business in being PCI Compliant, yes WooCommerce are holding up their end of the bargain and providing you with a PCI Compliant core plugin.
WooCommerce also make it really easy to stay PCI Compliant if you don’t do anything stupid.
Is Shopify PCI Compliant?
Much like WooCommerce, as far as Shopify can assist your business in meeting the PCI Compliance requirements, yes Shopify is PCI Compliant. But it’s not Shopify that need to be PCI Compliant, it’s YOU and YOUR business – and as with WooCommerce you need to hold up your end of the bargain – and that’s just a paperwork exercise.
Does PCI Compliance Apply To Me or Not?
PCI DSS Compliance DOES apply to you.
How onerous that compliance requirement is depends largely on what technology you use IN COMBINATION with WooCommerce – along with things we’ll refer to as “basics in place”.
What Are The Basics In Place For PCI Compliance If I Don’t Store Card Data?
If you didn’t grab them from the table above, here they are in list form:
- SSL Certificate enforced on site
- Strong passwords used on Server level access (hosting account)
- Strong passwords used on Website (WordPress login)
- Questionnaire A-EP (more on that later)
What Are The Technology Requirements For PCI Compliance With WooCommerce?
If you haven’t gathered yet, your aim is to AVOID storing Card Data.
If you AVOID storing Card Data the requirements for PCI Compliance are significantly simplified.
How do you avoid storing card data with WooCommerce?
This is ALL down to your selection of Payment Gateway or Payment Plugin for your WooCommerce store.
If you use a payment gateway on your checkout that PREVENTS you, your website, or your servers from ever seeing the raw credit card data that customers enter you are essentially handing over the lions share of the responsibility for PCI Compliance to the professionals.
Payment gateway providers like Stripe deal with PCI Compliance for a LIVING. It’s what they do, so let THEM do it and free yourself from the overwhelming majority of the PCI Compliance requirements.
How Can Payment Gateways & Plugins Reduce My PCI Compliance Requirement?
The most conventional and stark example of a payment provider taking over responsibility from you for the storing of card data (and therefore the bulk of PCI Compliance Requirements) would be PayPal.
Everyone has had a checkout experience where they’ve selected to “Pay with PayPal” and then been presented with a pop up or new screen where it says something like “redirecting to PayPal”.
In essence the payment, the card data and everything else sensitive related to the transaction is being captured on the PayPal website and their servers – not yours.
(You’re still obviously capturing important personally identifiable information in the eyes of GDPR, so just remember this is another requirement to be aware of, but that’s for another day)
Do Customers Have To Be Redirected To The Payment Providers Website To Be PCI Compliant With WooCommerce?
In short, no.
Stripe is a great example of a payment gateway provider who use technology to place credit card input fields IN your website’s checkout page.
Even though these Credit Card input fields are on your web page, the fields are essentially hosted by Stripe. This means once again, your servers NEVER get their hands on the sensitive customer card data.
In this particular example, using Stripe, the Credit Card information is turned into an encrypted key by Stripe and passed back to you in an un-useable format.
Stripe have been leading the way with this technology for years – they were founded in 2011, and we’ve been with them since 2012. They’ve been absolutely rock solid, and many of the players like PayPal have been trying to catch up with their embedded payment form offering for years. In my opinion Stripe is the outright leader by a long way for embedded payment form solutions for eCommerce stores in general, but especially WooCommerce stores.
You may hear people talk about “on-site payments” and “off-site payments”
Hell, even the WooCommerce payment gateways extensions list can be filtered by “on-site” and “off-site”
Maybe this is a throwback.
But if you hear things like “on-site payments require that you adhere to strict PCI Compliance Requirements” and “off-site payments mean the PCI Compliance Requirements are significantly relaxed” it can throw unnecessary confusion into the mix.
Essentially Stripe’s embedded payment fields are “styled” into your checkout page using your theme styles so they look like “your” payment form. This is what store owners may refer to as “on-site payments”. Which is correct from the perspective that the user ISN’T redirected off your website to pay.
In the context of the credit card payment however, despite the form being “on-site” the payment is “off-site”.
This distinction will well and truly cause a bunch of confusion and endless re-researching of the same things over and over.
Does My Hosting Need To Be PCI Compliant If I Don’t Store Credit Card Data?
If your hosting servers never see credit card data, and you have the basics in place as shared above, your hosting provider’s servers aren’t coming into contact with any sensitive payment card data.
The PCI DSS requirements outlined above are written from the perspective that the servers they’re referring to are the one’s receiving the credit card data.
Therefore, if not storing credit card data on your hosting servers they don’t NEED to be PCI Compliant. In fact, it could be well and truly overboard and ultimately result in significant excess cost.
Questionnaire PCI DSS – A-EP for eCommerce Businesses
You may have noticed I slipped into the “Basics in place” list above a weird sounding questionnaire.
Yes – if you’ve followed the steps and outsourced your Card Data Handling to a third party payment provider you will have reduced your PCI Compliance Requirements down to some simple on-site actions (passwords and SSLs) and a mere paperwork exercise.
And there you were thinking you needed ‘Bank of America’ levels of data security!
There are several questionnaire’s for PCI Compliance. The one that’s applicable to eCommerce stores is called Questionnaire A-EP. This is who the Security Standards Council say A-EP is applicable to:
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.Security Standards Council – PCI DSS
Applicable only to e-commerce channels.
So if you want to go ahead and fill in the questionnaire, here’s a link to the page where you can see all of the Questionnaire’s available from the Security Standards Council – PCI Questionnaires.
What To Do Next?
If you’re already running a WooCommerce store and you’ve stumbled across PCI Compliance, it’s worth verifying a couple of things;
- You’re using a Payment Gateway that clearly states that they’ll handle the card data handling side of PCI Compliance. Like Stripe for example – here’s some really useful information on Stripe and PCI
- You’re using a Payment plugin to connect the Payment Gateway to WooCommerce that is also PCI Compliant – in line with the aim of you NEVER handling Credit Card data
- Fill in the A-EP Questionnaire, file it and get it onto an annual checklist
Do Shopify Users Need To Be PCI Compliant And Complete a PCI Questionnaire?
YES! But most won’t and will leave themselves open to some residual risk.
Shopify store operators tend to run their business under the false impression that “Shopify handles everything”.
To a point Shopify and WooCommerce can do everything in THEIR power to ensure they contribute towards the PCI Compliance of your eCommerce business. When it comes down to it however, you can’t “outsource compliance” entirely, YOU still have a part to play – and it’s just some paperwork.
Shopify don’t really make this crystal clear in my opinion. It is mentioned in this Shopify article from 2018, but it’s also mentioned in abstract as though it might apply to other stores and maybe not Shopify – if you’re not reading closely.
So is Shopify any more or less PCI Compliant than WooCommerce?
It’s a dead heat. Each platform is as inherently PCI Compliant as the other.
The difference with WooCommerce is that you should ensure you’re not using outdated or poorly configured Payment Gateway Plugins that ultimately prevent you from fully outsourcing the handling of credit card data.
When it comes to Shopify PCI Compliance, you STILL NEED TO DO THE PAPERWORK – as you do to be PCI Compliant with WooCommerce.
We Recommend Stripe Payment Gateway with the Stripe WooCommerce Plugin
Stripe is a fantastic payment gateway provider, not only offering credit card payments but now also handling direct debit and BACS payments (UK), ACH payments (USA).
Stripe uses their embedded input fields to both handle the card handling PCI Compliance Requirements for you whilst keeping your customers ON-SITE to maximise checkout conversion rate.
The Stripe Plugin for WooCommerce is written and support by WooCommerce themselves, meaning compatibility levels between the Stripe Plugin and Core WooCommerce are as high as you’re going to achieve.
Stripe makes PCI Compliance straightforward whilst not demanding huge payment fees as is the case with many payment providers. (However, with all of these onerous PCI Compliance Requirements, you may now understand a little more about why you’re being charged payment fees on your credit card transactions – you now know what you’re paying for.)