May 16, 2023
WooCommerce PCI compliance: How to comply with PCI-DSS requirements

In a 2022 study on consumer trust, TrustedSite found that credit card theft remains the primary concern for online customers, followed by business legitimacy.

In fact, Baymard Institute found that 18% of customers might add a product to the cart only to abandon it due to a lack of trust in the website.

If you’ve got a WooCommerce store, how do you develop that trust?

PCI-DSS compliance. Complying with payment card industry data security standards (PCI-DSS) makes your customers feel safe and lets you do business worry-free. Not to mention, it’s a requirement if you store, transfer, or process payment card information.

Read on to learn why PCI-DSS compliance is important, what it requires, and how to make your WooCommerce store PCI-compliant.

Importance of PCI-DSS compliance

PCI-DSS compliance offers benefits for both customers and business owners. Customers may shop freely without concerns about credit card theft. In contrast, business owners enjoy fewer cybersecurity attacks due to heightened security.

Besides the benefits, you typically need to comply with PCI-DSS to enjoy the support from payment methods. For instance, Mastercard states that “all merchants that store, process or transmit cardholder data must be PCI compliant.”

Mastercard expresses its PCI compliance directions.

Let’s dive deeper into the requirements of PCI-DSS.

PCI-DSS requirements

Formed by Visa, Mastercard, JCB, American Express, and Discover, the payment card industry standards security council (PCI SSC) outlines the following 12 requirements in its quick reference guide for PCI DSS:

  • Set up a strong firewall to protect payment card information.
  • Use unique passwords for all systems with access to payment card data.
  • Configure security protocols to protect payment card data during storage.
  • Use secure and encrypted channels to transfer card data across networks.
  • Do regular security scans to keep your system free of malware and viruses.
  • Opt for secure systems and make sure to plug all the security holes.
  • Limit data access to only required people and systems.
  • Implement authentication measures for data access inside the involved systems
  • Limit physical access to credit card data.
  • Track all network activity surrounding credit card data.
  • Run regular security audits.
  • Keep your employees up-to-date on best information security practices by a set policy.

In other words, the PCI security standards council requires you to implement an all-around security upgrade to protect cardholder data.

Get PCI compliant hosting from Nexcess

Keep your store secure so you can process credit card information safely

How to make your WooCommerce store PCI compliant

Now that we know why PCI compliance is important and what requirements you’ve got to fulfill, let’s see how to make your WooCommerce compliant in the eyes of PCI-SSC.

Determine the required compliance levels

Before anything else, you need to determine the compliance level you need, which depends on how many transactions you process every year.

As of writing, Visa and Mastercard define merchant compliance levels as (with Level 1 being the most strict):

  • Level 1 — Merchants with more than six million yearly transactions.
  • Level 2 — Merchants with yearly transactions between one million and six million.
  • Level 3 — Merchants with yearly transactions between 20,000 and one million.
  • Level 4 — Merchants with less than 20,000 yearly transactions.

However, if you accept JCB or American Express, you may have to deal with stricter requirements with even fewer transactions. For instance, American Express requires Level 1 compliance at 2.5 million yearly transactions, while JCB requires the same at one million or more transactions.

The merchant level decides whether you’ll submit a self-assessment questionnaire (SAQ) or be assessed by a qualified security assessor (QSA).

Audit the current process

WooCommerce PCI compliance depends on your payment process since WooCommerce doesn’t store any payment card data by itself.

For instance, if you direct customers to the payment gateway’s website, the customers don’t enter their sensitive data on your website, and you don’t even touch it.

That occurs when you use the WooCommerce PayPal payments plugin like Nalgene.

WooCommerce PCI Compliance — PayPal gateway.

When the customers click the PayPal button, they’re directed to the PayPal server.

While this might save you from strict PCI-DSS regulations, it’s not a personalized payment option. And given that 49% of customers might become repeat buyers with personalization, you’re better off with a personalized checkout experience.

For example, if you use Stripe, you can customize the front end as you see fit, like wet n wild beauty, and still rely on Stripe’s servers by taking off-site payments.

Stripe payment gateway on wet n wild beauty’s checkout.

In this case, Stripe collects the card number and other data via secret tokens, and the data never touches your servers. However, malware can block the customer from connecting to the Stripe server and steal the payment card data, so you may have to take extra steps to make your WooCommerce store PCI-compliant.

While Stripe is a great alternative, it charges 2.9% + 30¢ for every successful transaction. These fees can add up and affect the bottom line for an enterprise business dealing with many orders.

That’s why large WooCommerce stores often opt for a custom payment gateway to cut on fees. For example, check out World Vision’s donation page.

Payment page of World Vision.

In this case, the online store processes the payment card data and stores it for future use, which is subject to strict PCI-compliance requirements.

If your WooCommerce store does the same, you must uphold the security standards the PCI SSC requires. Otherwise, you might be subject to fines or suspension of payment method support.

Configure security measures

Depending on your current processes, you may need to:

Add an SSL certificate

A secure sockets layer (SSL) encrypts the data transfer between a browser and your web server. If you’re asking customers to enter their payment card details on your website’s native form, you must ensure the payment card data stays encrypted during transfer to comply with PCI-DSS.

In fact, we recommend adding an SSL certificate to every website, whether you manage an ecommerce store or not, since most browsers flag any website without an SSL certificate as unsecure.

Mozilla flagging NeverSSL for not using HTTPS.

By adding an SSL certificate, you build trust among your customers. If you’re hosting your website with another host and aren’t ready to switch, you can buy an SSL certificate from Nexcess. Otherwise, you get an SSL for free with all Nexcess hosting plans.

Choose PCI-compliant hosting

As most PCI-DSS requirements deal with data security, PCI compliance largely depends on the hosting provider. In other words, you must look for a PCI-compliant web hosting provider.

While looking for a PCI-compliant host, make sure the web host offers:

  • Strong firewall: A robust firewall will keep malicious agents away from card payment data to ensure it remains safe. Make sure the host has defined access network security controls that only allow relevant traffic to be in contact with sensitive data.
  • Malware scans: Your hosting plan should come with automated malware scans to protect the cardholder’s data. You must also have protection against bad bots, suspicious activities, and brute-force attacks.
  • Secure network: Make sure you can trust the hosting provider to take care of security procedures on its end — from regularly updating software to reviewing custom code.
  • Limited physical access: Hosting providers should follow a strict security policy where employees are only allowed access to sensitive areas if necessary. Besides that, it should have visitor logging, sitewide surveillance, and restricted access to network controls.
Nexcess offers PCI-compliant hosting.

With Nexcess, you enjoy PCI-compliant hosting across all hosting plans. We comply with all the hosting-side requirements so you can do business stress-free.

Implement a website security policy

According to Verizon, 82% of data breaches involved the human element. To ensure your WooCommerce store doesn't suffer data breaches driven by human error, you should implement a website security policy that protects it from the most common security lapses.

To start with, implement two-factor authorization (2FA). That way, even if a hacker gets a username and password through a phishing attack, they won’t have the second authentication factor to access your data.

Besides that, restrict access to sensitive data according to need by implementing an access control system. Every employee shouldn’t have access to every piece of data.

On top of that, you can also configure your WordPress website to send the users a password-changing reminder after every 90 days to foolproof your security.

Submit compliance documents

Once you've implemented the security protocols, you can report your compliance to the relevant payment processing authority — your bank or payment gateway.

Typically, you report compliance by:

  • Submitting a self-assessment questionnaire*: Level 2–4 merchants report their compliance by completing self-assessment questionnaires (SAQs). 
    • If you direct the customers to the payment processor’s website, you’ll use SAQ A.
    • If you use a service like Stripe to token the payment card data, you’ll use SAQ A-EP.
A screenshot of an entry in SAQ A-EP.

  • If you process and store the payment card data on your web servers, you’ll use SAQ D Merchant.
  • Getting quarterly network scans by approved scanning vendors: You must get quarterly scans by an approved scanning vendor (ASV) to check for external vulnerabilities. ASVs typically scan to look for flaws, report them to you, help you fix them, and rescan before reporting compliance results.
  • Submitting an attestation of compliance: After complying with all the requirements, you typically submit an attestation of compliance (AOC) to declare that you comply with PCI-DSS requirements.

* Level 1 merchants require external assessment via a qualified security assessor (QSA).

Besides that, you’ll also need to attach a copy of the hosting provider’s SAQ-D.

Final thoughts: Business owner’s guide to making WooCommerce PCI compliant

PCI-DSS lists several requirements you must comply with to offer support for different payment methods to your customers. However, with a PCI-compliant host, you may check off most of the checkboxes and deal with limited responsibilities.

Check out Nexcess enterprise hosting to enjoy 100% PCI compliance. And it doesn’t end with compliance. You also get 100% network uptime, daily backups, and more.

Browse our plans to get started today.

Maddy Osman
Maddy Osman

Maddy Osman is a WordPress expert, WordCamp US speaker, bestselling author, and the Founder and SEO Content Strategist at The Blogsmith. She has a B.A. in Marketing from the University of Iowa and is a WordCamp Denver organizer while also operating The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy:

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.