Is WooCommerce PCI Compliant? – A Guide for Businesses


If you run an online store using WooCommerce or any e-commerce platform, you must remain PCI compliant. This means that your customers’ credit card information is secured in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Because WooCommerce is open-source, some users are understandably concerned as to whether it’s really PCI compliant out of the box.

WooCommerce is the ultimate shopping cart platform for stores built on WordPress. It’s free to use, fully customisable, easy to manage, and 100% compatible with the WordPress CMS. But when it comes to WooCommerce PCI compliance, there are a few things you need to know.

Is WooCommerce PCI Compliant?

WooCommerce is built with PCI compliance in mind, but it’s not completely PCI DSS-compliant on its own. To ensure total PCI DSS compliance, you need to configure your store in a way that adheres to the guidelines laid out by the PCI Security Standards Council. This may require the assistance of a knowledgeable developer or the implementation of a quality third-party payment gateway for secure payment processing.

The good news is that some of the most important PCI compliance points are already taken care of. For example, WooCommerce doesn’t store credit card information by default. Stored card information must be encrypted for compliance, but WooCommerce simply eliminates this information to prevent any security issues. For customers who choose to save their payment details for future credit card payments, only four digits of the card number are preserved. You can install third-party plug-ins that save the complete card information, but always do your research before activating such a plug-in—ensure that the plug-in itself is PCI-compliant.

In addition, WordPress automatically assigns a unique user ID to each user in your system. This is another PCI compliance requirement, as it makes it easier to track your users’ activity and spot any internal security breaches if they should ever arise.

Why Your WooCommerce Site Must Be PCI Compliant

PCI compliance is a requirement for all websites that transmit credit card data. If a hacker steals credit card data from your customers because your website isn’t PCI-compliant, you can be fined around €500,000 per incident and lose the ability to accept credit cards. You may be placed on the MATCH list, an industry list developed by Mastercard that identifies potential problem merchants. MATCH-listed merchants are rejected by most payment processors.

PCI compliance includes (but is not limited to) the following practices:

  • Your customers’ card data is protected by a secure firewall
  • Secure, custom passwords are used for all sensitive logins
  • Stored cardholder data is protected
  • All cardholder data transmitted across public networks is encrypted
  • Antivirus software is installed and regularly updated
  • All systems and applications are secure
  • Cardholder data is only accessible to need-to-know users
  • Each user has a unique ID
  • Physical access to cardholder data is restricted
  • All network access to cardholder information is tracked and monitored
  • Security systems and processes are tested regularly
  • Your business has an official policy addressing information security

Some of these items (like the official policy item) are beyond the scope of WooCommerce but are easy to implement on your own. Please note that while there were originally 12 standards, the official PCI website now claims 15 standards.

How to Make Your WooCommerce Store PCI-Compliant

The great thing about WooCommerce is that most features can be implemented easily with a plug-in download. While a web developer can help to ensure total compliance, you should be able to manage many if not all of the following adjustments on your own.

Establish a Secure Firewall

A web application firewall (WAF) helps prevent hackers and malicious bots from gaining access to the back end of your site and stealing your customers’ credit card information. PCI compliance requires that your firewall be both established and maintained. The good news is that there are a number of excellent firewall plug-ins that you can download and install right away, including Sucuri, Cloudflare, Jetpack, All-in-One WP Security & Firewall, and BulletProof Security. Keep your firewall updated at all times in order to remain compliant.

Install an SSL Certificate if You Don’t Have One

A Secure Sockets Layer (SSL) certificate is required for PCI compliance. The certificate is what lets your site offer an encrypted connection (today over TLS, the successor to SSL, although the name "SSL certificate" has stuck), which helps to minimise credit card fraud. While WooCommerce doesn’t require SSL, the platform does make it incredibly easy for site owners to set up their own certificates when building their stores. It even supports free SSL certificates like those provided by Let’s Encrypt.

Customise the Permissions of Each User on Your Website

As an extension of WordPress’ native login system, WooCommerce supports customised user access. As the administrator, you have the power to assign specific roles to each team member who has access to your WordPress dashboard. You can ensure that customer information is only visible to the users who require it. But again, this will require a bit of configuration on your part. In your WordPress dashboard, click “Users” and select your users individually. From there, select “Role” and choose the appropriate assignment. Only administrators have access to customer data.
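The same need-to-know configuration can be done in code and then verified. The following must-use plugin is an added example, not the article's or WooCommerce's own code: it derives a constructed "Fulfilment" role from WooCommerce's Shop Manager capability set and provides an audit function listing which roles can reach order data. The capability names are WooCommerce's; the role name, the `pci_example_` function names and the assumption that dropping `manage_woocommerce` removes only the settings screen (not order processing) are mine.

```php
<?php
// Hypothetical must-use plugin (added example): place in wp-content/mu-plugins/.

// Capabilities WooCommerce registers that expose order and customer data.
const PCI_EXAMPLE_ORDER_CAPS = [
    'edit_shop_orders',
    'edit_others_shop_orders',
    'read_private_shop_orders',
    'view_woocommerce_reports',
];

// Create a "Fulfilment" role (constructed name) from Shop Manager's capability
// set minus sales reports and the WooCommerce settings screen, so warehouse
// staff can process orders without reading revenue data or touching gateway
// configuration. Roles are persisted in the database, so this only runs once.
function pci_example_register_fulfilment_role() {
    $shop_manager = get_role( 'shop_manager' );
    if ( ! $shop_manager || get_role( 'fulfilment' ) ) {
        return; // WooCommerce inactive, or the role already exists.
    }
    $caps = $shop_manager->capabilities;
    unset( $caps['view_woocommerce_reports'], $caps['manage_woocommerce'] );
    add_role( 'fulfilment', 'Fulfilment', $caps );
}
add_action( 'init', 'pci_example_register_fulfilment_role', 20 );

// Audit helper: map role slug => order-data capabilities it holds, so you can
// confirm that only need-to-know roles reach customer details after you have
// assigned roles on the Users screen.
function pci_example_roles_with_order_access() {
    $report = [];
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        $granted = array_filter( PCI_EXAMPLE_ORDER_CAPS, [ $role, 'has_cap' ] );
        if ( $granted ) {
            $report[ $slug ] = array_values( $granted );
        }
    }
    return $report;
}
```

Calling `pci_example_roles_with_order_access()` (for example from a WP-CLI `eval` session) should list only administrator, shop_manager and fulfilment; any other role in the output is a candidate for review.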

Establish Unique, Secure Passwords for Every User

If you use default passwords, you’re automatically in violation of PCI standards. Make sure that every user has a unique, strong password that combines capital and lowercase letters, numbers, and special characters. Passwords should be longer than 8 characters. You can even configure WordPress to require strong passwords.
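WordPress's built-in strength meter only advises; to actually enforce the policy described above on dashboard, registration and account-details forms, here is an added example (not the article's or WooCommerce's code) using WordPress and WooCommerce validation hooks. The 12-character minimum and the `pci_example_` names are assumptions; the hook and field names are the real ones used by WordPress core and WooCommerce's My Account forms.

```php
<?php
// Hypothetical must-use plugin (added example): place in wp-content/mu-plugins/.
const PCI_EXAMPLE_MIN_PASSWORD_LENGTH = 12; // assumption: stricter than the article's 8

// Return why $password fails the policy, or '' if it passes: minimum length
// plus uppercase, lowercase, digit and special-character classes.
function pci_example_password_problem( $password ) {
    if ( strlen( $password ) < PCI_EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Password must be at least %d characters.', PCI_EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    $classes = [
        '/[A-Z]/'        => 'an uppercase letter',
        '/[a-z]/'        => 'a lowercase letter',
        '/[0-9]/'        => 'a digit',
        '/[^A-Za-z0-9]/' => 'a special character',
    ];
    foreach ( $classes as $regex => $description ) {
        if ( ! preg_match( $regex, $password ) ) {
            return "Password must contain $description.";
        }
    }
    return '';
}

// Add a validation error to $errors (a WP_Error) when the submitted $field is weak.
function pci_example_reject_weak_password( WP_Error $errors, $field ) {
    if ( empty( $_POST[ $field ] ) ) {
        return; // no password submitted (e.g. a profile edit without a change)
    }
    $problem = pci_example_password_problem( wp_unslash( $_POST[ $field ] ) );
    if ( $problem ) {
        $errors->add( 'pci_example_password_policy', $problem );
    }
}

// Dashboard profile edits and admin-created users (WordPress core hook).
add_action( 'user_profile_update_errors', function ( $errors ) {
    pci_example_reject_weak_password( $errors, 'pass1' );
} );

// WooCommerce My Account registration form.
add_action( 'woocommerce_register_post', function ( $username, $email, $errors ) {
    pci_example_reject_weak_password( $errors, 'password' );
}, 10, 3 );

// WooCommerce "Account details" password change form.
add_action( 'woocommerce_save_account_details_errors', function ( $errors ) {
    pci_example_reject_weak_password( $errors, 'password_1' );
} );
// Also raise WooCommerce's front-end strength meter from "medium" (3) to "strong" (4).
add_filter( 'woocommerce_min_password_strength', function () { return 4; } );
```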

Invest in Quality Virus Protection

One of the biggest problems with WooCommerce (in terms of PCI compliance) is that it does not have native virus protection. Some of the aforementioned firewall plug-ins—like Sucuri, BulletProof Security, and All in One WP Security & Firewall—combine both antivirus features and firewall features. You can bundle them for maximum security at a lower price.

Run Quarterly Malware Scans

If you partially outsource payment processing to a PCI-compliant third-party website, you will need to fill out the Self-Assessment Questionnaire (SAQ). One of the items on the list is running a quarterly scan for malware using a PCI-Approved Scanning Vendor (ASV). Once the scan is complete and there are no issues, you will report the results to the appropriate enforcement organisation using the PCI Security Standards Council’s Attestation of Compliance form.

Always Keep WordPress and WooCommerce Up to Date

One of the most important things you can do is to ensure that WordPress is up to date at all times. Your software, your themes, and all of your plug-ins and extensions should be updated regularly. Many of these updates are designed to address potential security breaches, and bots and hackers love to capitalise on the vulnerabilities of outdated software. Remember that all systems and applications must be secure according to PCI guidelines. You can’t hope to meet that standard if your applications are frequently outdated.

Establish an Official Security Policy

Finally, you’ll need to officially document your security policies. At the most basic level, your site should have a Privacy Policy and Terms of Use page that address how credit card information is managed. In addition, you’ll need to formally outline your company’s security measures in your employee manuals, policy manuals, and third-party vendor agreements. You’ll also need to conduct a thorough risk assessment each year to identify any potential vulnerabilities.

Use a PCI-Compliant Gateway

One of the best and easiest ways to achieve compliance for your WooCommerce website is to use a third-party global payment gateway that is PCI-compliant on its own. You’ll still need your firewall, antivirus software, SSL certificate, and other basic security measures, but partnering with a payment processor with a secured gateway can help reduce your liability and further promote compliance.

For instance, Unicorn Group’s gateway is Level 1 PCI-compliant and SHA-256 encrypted, and it’s available as part of a complete merchant services plan that comes with enhanced fraud prevention technologies. Most secure payment gateways can be installed and configured right from the WordPress plug-ins menu.

Don’t Take Chances With PCI Compliance

Considering the potential consequences of not being PCI-compliant, it’s understandable that you’d want to do everything in your power to ensure that you’re not overlooking any important requirements. Run through the PCI requirements regularly and treat them as a general checklist. That process in itself is a major part of remaining in compliance.

The most important thing you can do is choose a merchant services provider with PCI compliance built-in. If your credit card processor is fully secure, they will shoulder some of the burden. The biggest thing you then have to worry about is gross negligence—e.g. someone was able to hack your customer data because you installed and never updated a plug-in that saves credit card information.

When signing up for a merchant services provider, ask them if they offer compliance checks. Often, they can conduct a thorough audit of your site and notify you of any glaring compliance issues.

When you make PCI compliance a priority, you can sleep a little better at night. And so can your customers.