What is PCI-DSS?
PCI-DSS (Payment Card Industry Data Security Standard) is a set of actionable rules defined by the Payment Card Industry Security Standards Council to encourage the broad adoption of consistent data security measures around the world with an aim to reduce credit card fraud.
These rules apply to anyone who is storing, processing or transmitting credit card data, therefore merchants who wish to take Credit Card payments on their sites directly need to be aware of PCI-DSS.
For more information about PCI-DSS see here.
Do I need to be PCI-DSS Compliant?
If you are transmitting credit card data; yes. Your site needs to be PCI-DSS compliant.
If, however, you are taking payments off site by using a gateway that uses its own servers to take payments (PayFast, PayPal Standard, etc.), you are not transmitting card data and do not need to take steps to comply. If you are not comfortable about becoming PCI Compliant, use a gateway which handles PCI for you.
PCI-DSS Core Requirements
The 12 core PCI-DSS requirements are as follows:
|BUILD AND MAINTAIN A SECURE NETWORK|| |
|PROTECT CARDHOLDER DATA|| |
|MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM|| |
|IMPLEMENT STRONG ACCESS CONTROL MEASURES|| |
|REGULARLY MONITOR AND TEST NETWORKS|| |
|MAINTAIN AN INFORMATION SECURITY POLICY|| |
Typically, PCI compliance reports are enforced by your payment processor – they may require that you fill out questionnaires (Self Assessment Questionnaire – or SAQ) or be scanned by an ASV (approved scanning vendor) of their choosing.
WooCommerce and PCI Compliance
Ultimately, PCI and all of the above points are the responsibility of the store owner, however, we can offer advice on compliance. It should be noted that WooCommerce is not PCI-DSS certified – however, this does not prevent your site from becoming PCI compliant. WooCommerce is written with security in mind with audits from WP core contributors and Sucuri.
Regarding the PCI-DSS requirements, many of the points above are beyond the scope of WordPress and WooCommerce – instead falling into the area of hosting and business policies/best practice for the website owner to abide by. Referencing the core PCI-DSS requirements above:
- Out of scope. Firewalls would be the responsibility of the hosting provider or network administrator
- Out of scope. Passwords would need to be set responsibly by yourself – use strong passwords at all times and ensure the hosting environment is 100% secure.
- WooCommerce helps with this requirement by never storing card details. Our in-house payment gateways also never store more than 4 digits of a card number if storing payment tokens for re-use.
- WooCommerce has options to enforce SSL on your checkout pages. You should of course ensure your hosting provider implements SSL to work with this.
- Out of scope. Virus protection would be down to your hosting provider.
- Out of scope. Maintaing a secure system to avoid threats would be down to your hosting provider.
- WooCommerce uses the WordPress login system which can be used to give administrative access to whom you desire. Security best practices such as strong passwords and usernames would be your responsibility.
- Out of scope. Work with the host/network admin to ensure all admin access to systems containing credit card details is logged and trackable. Users need to be traceable and accountable for their actions. Access should be limited to only those who need it.
- Out of scope. Access to physical stored and transmitted data should be restricted by the hosting provider.
- Out of scope. Monitoring access would need to be taken care by the network admin or hosting provier.
- Out of scope. Use an ASV (approved scanning vendor) to regular scan your site for issues.
- Out of scope. Creating, maintaining and distributing a policy on addressing the PCI-DSS requirements, as well as a risk assessment is the responsibility of the merchant/store owner.
Therefore, considering the above points, the following steps should be taken if you aim to achieve compliance:
- Choose a trusted, secure hosting provider – preferably one which claims and actively promotes PCI compliance. Cheap, shared hosts are unlikely to cover this.
- Use security best practices when setting passwords and limit access to your server.
- Never store credit card details anywhere.
- With the aid of your hosting provider, implement SSL to keep your checkout secure.
- Keep installed plugins to a minimum; remember, compliance covers all installed software so that includes plugins and WordPress itself.
- Keep plugins up to date to ensure latest security fixes are present.
- Working with your payment processor, use an ASV (approved scanning vendor) to scan your site and find issues – fixing any identified issues until passing the scan.
Or alternatively, choose a gateway which handles this for you offsite.