WooCommerce and PCI Compliance: A Complete Guide
Business owners are responsible for a lot of their customers’ personal and financial information every time they process a credit card payment. Because of the danger of fraudulent activity and identity theft, the five major processing companies launched the Payment Card Industry Data Security Standard (PCI DSS).
So, what is PCI compliance? PCI compliance is a set of security standards to which businesses that accept credit cards must adhere. The security standards include protocols ranging from network and systems security to controlling and monitoring access to data.
As one of the top eCommerce platforms, WooCommerce PCI compliance is of great importance to millions of people who sell goods and services online. If you own a WooCommerce business, this guide is your one-stop source for WooCommerce PCI compliance information.
How Does PCI Compliance Impact eCommerce Businesses?
Is PCI compliance required when using WooCommerce and other eCommerce platforms? If you process credit card payments and store or transmit credit card information, you need to be PCI compliant.
Some WooCommerce users who use third-party payment gateways (such as Stripe or PayPal) do not need to be PCI compliant because customers’ browsers connect to the third party and the business conducting the sale never handles credit card information.
However, it is still best practice for eCommerce businesses to gain WooCommerce PCI compliance to protect other customer data. Even eCommerce sites that don’t handle customers’ financial information still have other client data (such as names, addresses, and phone numbers) that should be protected.
Is WooCommerce PCI Compliant?
Although WooCommerce software is not PCI compliant on its own, WooCommerce can help your eCommerce business become PCI compliant. From the moment you choose WooCommerce, some features are already in place for PCI compliant web hosting, including:
- SSL Security: WooCommerce can be set to enforce an SSL requirement at checkout. An SSL certificate means that all customer data is already encrypted before it is transmitted.
- Keeping Stored Credit Card Data Safe: Native WooCommerce payment gateways are designed not to save credit card data. If cards are saved for future payments, only the last four numbers are stored.
- Limited Access: The WordPress login used by WooCommerce allows users to assign individual roles and privacy levels to different users. This allows for payment information to be kept on a need-to-know basis.
What is PCI DSS?
PCI DSS established the PCI Security Standards Council, which provides a framework, tools, and other resources to help companies keep credit card information secure. Failure to comply with PCI guidelines can cause businesses financial hardship and damage their reputation.
Businesses familiar with HIPAA and HIPAA compliant web hosting might see some similarities between HIPAA compliance and PCI DSS guidelines.
PCI DSS guidelines are broken up into six groups:
- Maintaining secure networks.
- Protecting cardholder data.
- Maintaining a security program.
- Implementing access control.
- Monitoring networks regularly.
- Implementing an information security policy.
Is SSL Enough to Make My Site PCI Compliant?
Although SSL is useful in assisting to meet the PCI DSS guidelines, it does not by itself lead to PCI compliant web hosting. When it comes to PCI compliance, WooCommerce sites with an SSL certificate have a head start in following the guidelines.
In addition to helping achieve WooCommerce PCI compliance, an SSL certificate lets customers know that their information is safe on your site. SSL is short for Secure Sockets Layer, and an SSL certificate shows visitors to your site that the connection between the server and computer is secure.
PCI DSS Compliance Requirements for WooCommerce Sites
As stated above, PCI DSS compliance is divided into three groups which contain a total of 12 guidelines. For businesses looking to reach PCI compliance, WooCommerce can be configured to address each of the following 12 guidelines.
Below is a look at each guideline and how WooCommerce sites can meet them:
- Maintain a Firewall to Protect Data: WooCommerce users can choose managed WooCommerce hosting that features PCI compliant services.
- Change Manufacturer Supplied Passwords: Use strong, unique passwords for all client and administrator accounts.
- Protect Stored Credit Card Information: WooCommerce default settings do not store cardholder data.
- Encrypt Transmitted Cardholder Information: Get an SSL certificate for all web pages.
- Use Updated Antivirus Software to Protect Against Viruses and Malware: A good web hosting provider will handle this for you.
- Use Secure Systems and Applications: Again, the hosting provider will protect the server. Businesses must make sure their own software is up to date as well.
- Keep Card Holder Data as Need-to-Know: Limit access to only those who need to handle the data and update permission as needed.
- Authenticate Access to Sensitive Data: Give individual passwords to everyone accessing data and monitor when it is accessed and by whom.
- Restrict Physical Access to Data: The hosting provider is responsible for keeping sensitive data locked and under restricted access.
- Monitor Access to Physical Data: The hosting provider should log who enters areas that store cardholder information.
- Test Security Systems Regularly: Use a scanning vendor to check for weaknesses in system security.
- Implement a Risk Assessment and Information Security Policy: Develop a company-wide policy to address PCI DSS requirements.
Steps to Protect Your WooCommerce Site
WooCommerce PCI compliance is necessary for any company that uses the platform and handles credit card data. In addition to taking the above steps to achieve compliance, eCommerce sites can further protect their businesses by:
Ensuring the Hosting Provider Assists in PCI Compliance
Check to make sure your hosting provider promotes its PCI compliance capabilities. Some less expensive providers do not offer such services.
Reviewing Extensions and Plug-ins
Limit the number of plug-ins your site uses and be sure all are compliant. Every plug-in, and even your CMS, must be PCI compliant.
Performing Compliance Audits
Perform an audit using the PCI Self-Assessment Questionnaire (SAQ) to ensure you remain in compliance and address any issues.
Get an SSL certificate and use an approved scanning vendor to analyze your site and find potential risks.
Consequences for PCI Non-Compliance
There are four levels of PCI compliance, and the way your business is evaluated and your PCI non-compliance fee depends on which level your business is in.
- Level 1: Businesses that process more than six million transactions per year.
- Level 2: Businesses that process between one and six million transactions per year.
- Level 3: Businesses that process 20,000 to one million transactions per year.
- Level 4: Businesses that process less than 20,000 transactions per year.
Level 1 companies must have an external audit that evaluates payment controls, checks technical documentation, and supports compliance efforts. Levels 2 through 4 need to use the SAQ to self-evaluate.
Banks that do business with companies out of compliance can be hit with fines of between $5,000 and $100,000 per month for lack of compliance. Banks typically pass those fines onto the offending business and could end the partnership with repeat violations.
WooCommerce PCI compliance is essential for businesses that use the platform and handle credit card transactions.
Liquid Web is your source for managed hosting solutions that help keep your business PCI compliant.
Need PCI Compliance? Learn More About PCI Compliant Hosting With Liquid Web
David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.
Keep up to date with the latest Hosting news.