If you run an online store using WooCommerce or any ecommerce platform, you must remain PCI compliant. This means that your customers’ credit card information is secured in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Because WooCommerce is open-source, some users are understandably concerned as to whether it’s really PCI compliant out of the box.
WooCommerce is the ultimate shopping cart platform for stores built on WordPress. It’s free to use, fully customisable, easy to manage, and 100% compatible with the WordPress CMS. But when it comes to the platform’s PCI compliance, there are a few things you need to know.
Is WooCommerce PCI Compliant?
WooCommerce is built with PCI compliance in mind, but it’s not completely PCI-compliant on its own. In order to ensure total compliance, you need to configure your store in a way that adheres to industry guidelines. This may require the assistance of a knowledgeable developer or the implementation of a quality third-party payment gateway.
The good news is that some of the most important PCI compliance points are already taken care of. For example, WooCommerce doesn’t store credit card information by default. Stored cardholder data must be encrypted for compliance, and WooCommerce sidesteps that requirement by not keeping the data at all. For customers who choose to save their payment details, only four digits of the card number are retained. You can install third-party plug-ins that save the complete card information, but always do your research before activating such a plug-in—ensure that the plug-in itself is PCI-compliant.
In addition, WordPress automatically assigns a unique user ID to each user in your system. This is another PCI compliance requirement, as it makes it easier to track your users’ activity and spot any internal security breaches if they should ever arise.
Why Your Online Store Must Be PCI Compliant
PCI compliance is a requirement for all websites that transmit credit card data. If a hacker steals credit card data from your customers because your website isn’t PCI-compliant, you can be fined nearly £500,000 per incident and lose the ability to accept credit cards. You may be placed on the MATCH list, an industry list developed by Mastercard that identifies potential problem merchants. MATCH-listed merchants are rejected by most payment processors.
There are 12 core requirements for PCI compliance:
- Your customers’ card data is protected by a secure firewall
- Secure, custom passwords are used for all sensitive logins
- Stored cardholder data is protected
- All cardholder data transmitted across public networks is encrypted
- Antivirus software is installed and regularly updated
- All systems and applications are secure
- Cardholder data is only accessible to need-to-know users
- Each user has a unique ID
- Physical access to cardholder data is restricted
- All network access to cardholder information is tracked and monitored
- Security systems and processes are tested regularly
- Your business has an official policy addressing information security
Some of these items (like the official policy item) are beyond the scope of WooCommerce but are easy to implement on your own.
How to Make WooCommerce Fully PCI-Compliant
The great thing about WooCommerce is that most features can be implemented easily with a plug-in download. While a web developer can help to ensure total compliance, you should be able to manage many if not all of the following adjustments on your own.
Establish a Secure Firewall
A web application firewall (WAF) prevents hackers and malicious bots from gaining access to the back end of your site and stealing your customers’ credit card information. PCI compliance requires that your firewall be both established and maintained. The good news is that there are a number of excellent firewall plug-ins that you can download and install instantly, including Sucuri, Cloudflare, Jetpack, All in One WP Security & Firewall, and BulletProof Security. Keep your firewall updated at all times in order to remain compliant.
Install an SSL Certificate if You Don’t Have One
A Secure Socket Layer (SSL) certificate is required for PCI compliance. It encrypts the connection between your customers’ browsers and your website, so card details can’t be read in transit, which helps to minimise credit card fraud. While WooCommerce doesn’t require SSL, the platform does make it incredibly easy for site owners to set up their own certificate when building their store. It even supports free SSL certificates like those provided by Let’s Encrypt.
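Installing the certificate is only half the job; the store also has to refuse plain HTTP so that no checkout page is ever served unencrypted. The following must-use plug-in is an added example written for this article, not code from WooCommerce or WordPress. It assumes a standard WordPress install where the file is placed in wp-content/mu-plugins/ (so it cannot be deactivated from the dashboard); the constant FORCE_SSL_ADMIN and the hooks used are WordPress core.

```php
<?php
/**
 * Plugin Name: PCI - Force HTTPS
 * Description: Added example (not WooCommerce code): redirect every request to
 * HTTPS and send an HSTS header once the certificate is installed and working.
 * Place this file in wp-content/mu-plugins/ so it cannot be switched off.
 */

// In wp-config.php, also set the core constant so login and the dashboard are HTTPS-only:
//     define( 'FORCE_SSL_ADMIN', true );
//
// If a reverse proxy or CDN terminates TLS, WordPress sees plain HTTP unless the
// forwarded-protocol header is honoured. Add this to wp-config.php in that case:
//     if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
//         $_SERVER['HTTPS'] = 'on';
//     }

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/**
 * Redirect any plain-HTTP GET request to the same path over HTTPS.
 * A POST that arrived over HTTP has already exposed whatever it carried,
 * so it is refused rather than silently replayed over HTTPS.
 */
function pci_force_https_redirect() {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return;
    }
    if ( 'GET' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'This site only accepts form submissions over HTTPS.', 'HTTPS required', array( 'response' => 403 ) );
    }
    // Build the target from the configured home URL, not the request's Host
    // header, so a forged Host header cannot steer the redirect elsewhere.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
}
add_action( 'init', 'pci_force_https_redirect', 1 );

/**
 * HSTS: tell browsers to use HTTPS for this host for the next year. Enable this
 * only after confirming every page, image and script already loads over HTTPS;
 * once a browser has seen the header it will refuse plain HTTP for the whole
 * max-age, so a broken certificate locks visitors out rather than warning them.
 */
function pci_send_hsts_header() {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
}
add_action( 'send_headers', 'pci_send_hsts_header' );
```

After deploying, check the behaviour from outside: a plain-HTTP request to the store should return a 301 to the same path on HTTPS, and the HTTPS response should carry the Strict-Transport-Security header. If either is missing, the usual cause is a proxy in front of WordPress that is not passing the forwarded-protocol header mentioned in the comments.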
Customise the Permissions of Each User on Your Website
As an extension of WordPress’s native login system, WooCommerce supports customised user access. As the administrator, you have the power to assign specific roles to each team member who has access to your WordPress dashboard. You can ensure that customer information is only visible to the users who require it. But again, this will require a bit of configuration on your part. In your WordPress dashboard, click “Users” and select your users individually. From there, select “Role” and choose the appropriate assignment. Only administrators have access to customer data.
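Assigning roles by hand in the Users screen works, but a plug-in or theme can quietly hand a non-administrator role the capabilities that reveal order and customer records. The following must-use plug-in is an added example written for this article, not WooCommerce or WordPress code. It enforces the rule stated above (only administrators see customer data) at request time by denying those capabilities to every other user, without rewriting the roles stored in the database. The capability names are the WooCommerce shop_order capabilities and WordPress core user-management capabilities; which ones to include is a judgement call for your store, and the list here is an assumption to adjust.

```php
<?php
/**
 * Plugin Name: PCI - Restrict Customer Data to Administrators
 * Description: Added example (not WooCommerce code). Denies the capabilities
 * that expose order and customer records to every user who is not an
 * administrator, at request time, leaving stored role definitions untouched.
 * Place this file in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Capabilities that reveal customer data (names, addresses, order contents,
 * the retained digits of saved cards) or let a user grant themselves more
 * access. Assumed list: trim or extend it for your store. Note that removing
 * manage_woocommerce from shop managers also hides the WooCommerce menu.
 */
function pci_customer_data_caps() {
    return array(
        'edit_shop_orders',
        'edit_others_shop_orders',
        'read_private_shop_orders',
        'delete_shop_orders',
        'view_woocommerce_reports',
        'manage_woocommerce',
        'list_users',
        'edit_users',
        'promote_users',
        'export',
    );
}

/**
 * user_has_cap runs on every capability check (current_user_can, admin menus,
 * REST permission callbacks, WP-CLI), so denying here covers all those paths.
 */
function pci_strip_customer_data_caps( $allcaps, $caps, $args, $user ) {
    if ( ! ( $user instanceof WP_User ) || in_array( 'administrator', (array) $user->roles, true ) ) {
        return $allcaps; // Administrators keep full access.
    }
    foreach ( pci_customer_data_caps() as $cap ) {
        $allcaps[ $cap ] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'pci_strip_customer_data_caps', 10, 4 );

/**
 * Audit helper: which accounts can still reach customer data after the filter.
 * Expected result: only administrators. Run it from WP-CLI with
 *   wp eval 'print_r( pci_users_with_customer_data_access() );'
 */
function pci_users_with_customer_data_access() {
    $result = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $u ) {
        foreach ( pci_customer_data_caps() as $cap ) {
            if ( user_can( $u, $cap ) ) {
                $result[ $u->user_login ][] = $cap;
            }
        }
    }
    return $result;
}
```

Filtering user_has_cap rather than calling remove_cap() on each role has two practical advantages for compliance work: the change is reversible by deleting one file, and it keeps applying even if a plug-in update re-adds the capability to the shop_manager role. The audit function gives you a repeatable check to run as part of the periodic review the article recommends.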
Establish Unique, Secure Passwords for Every User
If you use default passwords, you’re automatically in violation of PCI standards. Make sure that every user has a unique, strong password that combines capital and lowercase letters, numbers, and special characters. Passwords should be longer than 8 characters. You can even configure WordPress to require strong passwords.
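WordPress’s built-in strength meter is JavaScript only, so it can be bypassed by anyone who submits the form directly; the policy has to be enforced on the server. The following must-use plug-in is an added example written for this article, not WordPress or WooCommerce code. It applies the rule stated above (longer than 8 characters, upper- and lowercase letters, numbers and special characters, no default passwords) everywhere a password can be set, using the WordPress core hooks user_profile_update_errors and validate_password_reset and the WooCommerce hook woocommerce_save_account_details_errors. The deny list of default passwords is a constructed starting point, and the rule that a password must not contain the username is an addition beyond the article’s list.

```php
<?php
/**
 * Plugin Name: PCI - Password Policy
 * Description: Added example (not WooCommerce code). Rejects weak or default
 * passwords server-side wherever WordPress or WooCommerce lets a user set one.
 * Place this file in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/** Constructed deny list of default and placeholder passwords; extend it with your own. */
function pci_default_passwords() {
    return array( 'password', 'admin', 'wordpress', 'woocommerce', 'changeme', 'letmein', '12345678', 'password1' );
}

/**
 * Return '' when the password meets the policy, otherwise the reason it fails.
 * Policy: more than 8 characters, uppercase and lowercase letters, a digit,
 * a special character, not on the default list, and (added rule) must not
 * contain the account's username.
 */
function pci_password_problem( $password, $username = '' ) {
    if ( strlen( $password ) <= 8 ) {
        return 'Password must be longer than 8 characters.';
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password ) ) {
        return 'Password must contain both uppercase and lowercase letters.';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        return 'Password must contain a number.';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        return 'Password must contain a special character.';
    }
    if ( in_array( strtolower( $password ), pci_default_passwords(), true ) ) {
        return 'That password is a well-known default and is not allowed.';
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'Password must not contain the username.';
    }
    return '';
}

/** Shared check: add an error to $errors if the submitted field fails the policy. */
function pci_validate_submitted_password( $errors, $field, $username ) {
    if ( empty( $_POST[ $field ] ) ) {
        return; // No password change in this submission.
    }
    $problem = pci_password_problem( wp_unslash( $_POST[ $field ] ), $username );
    if ( '' !== $problem ) {
        $errors->add( 'pci_weak_password', $problem );
    }
}

/** Admin "Add New User" and profile screens (field name pass1). */
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    pci_validate_submitted_password( $errors, 'pass1', isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

/** Password reset form on wp-login.php (field name pass1). */
add_action( 'validate_password_reset', function ( $errors, $user ) {
    pci_validate_submitted_password( $errors, 'pass1', ( $user instanceof WP_User ) ? $user->user_login : '' );
}, 10, 2 );

/** WooCommerce "My account" password change (field name password_1). */
add_action( 'woocommerce_save_account_details_errors', function ( $errors, $user ) {
    pci_validate_submitted_password( $errors, 'password_1', $user->user_login );
}, 10, 2 );
```

Because the check lives in pci_password_problem(), it can also be called from an audit script at onboarding time, and the same function returns a specific message the user can act on rather than a generic rejection. Enforcing it on the reset form matters as much as on the profile screen: the reset link is the path most often used after a compromise.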
Invest in Quality Virus Protection
One of the biggest problems with WooCommerce (in terms of PCI compliance) is that it does not have native virus protection. Some of the aforementioned firewall plug-ins—like Sucuri, BulletProof Security, and All in One WP Security & Firewall—combine both antivirus features and firewall features. You can bundle them for maximum security at a lower price.
Always Keep WordPress and WooCommerce Up to Date
One of the most important things you can do is to ensure that WordPress is up to date at all times. Your software, your themes, and all of your plug-ins and extensions should be updated regularly. Many of these updates fix security vulnerabilities, and bots and hackers love to capitalise on the known vulnerabilities of outdated software. Remember that all systems and applications must be secure according to PCI guidelines. You can’t hope to meet that standard if your applications are frequently outdated.
Establish an Official Security Policy
Use a PCI-Compliant Gateway
One of the best and easiest ways to achieve compliance for your WooCommerce website is to use a third-party global payment gateway that is PCI-compliant on its own. You’ll still need your firewall, antivirus software, SSL certificate, and other basic security measures, but having a secured gateway can help to reduce your own liability and further promote your own compliance. For instance, QPay Europe’s gateway is Level 1 PCI-compliant and SHA-256 encrypted, and it’s available as part of a complete merchant services plan that comes with enhanced fraud prevention technologies. Most secure payment gateways can be installed and configured right from the WordPress plug-ins menu.
Keep Your WooCommerce Up-to-Date and PCI-Compliant
Considering the potential consequences of not being PCI-compliant, it’s understandable that you’d want to do everything in your power to ensure that you’re not overlooking any important requirements. Run through the 12 requirements regularly and treat them as a general checklist. That process in itself is a major part of remaining in compliance.
The most important thing you can do is choose a merchant services provider with PCI compliance built-in. If your credit card processor is fully secure, they will shoulder some of the burden. The biggest thing you then have to worry about is gross negligence—e.g. someone was able to hack your customer data because you installed and never updated a plug-in that saves credit card information.
When signing up for a merchant services provider, ask them if they offer compliance checks. Often, they can conduct a thorough audit of your site and notify you of any glaring compliance issues.
When you make PCI compliance a priority, you can sleep a little better at night. And so can your customers.