Whether you’re building, maintaining, or operating an eCommerce website, you need to be aware of your security responsibilities. Luckily, there are standards and regulations that can help you keep online stores, such as those built with WooCommerce, safe and secure. The most notable among these is the Payment Card Industry Data Security Standard (PCI-DSS).
Do all WooCommerce sites need to be PCI Compliant?
No, not all sites that use WooCommerce are required to be PCI-DSS compliant. These regulations apply to businesses that accept online payments with debit and credit cards.PCI-DSS does not apply if you’re using WooCommerce to display an online catalog, accept quote requests, or to allow shoppers to place orders that don’t involve online payments.
What is the purpose of PCI Compliance?
PCI-DSS is here to help make sure that when your WooCommerce shoppers pay with a payment card such as a Visa, Mastercard, American Express, or Discover card, the information being submitted doesn’t wind up in the hands of criminals. Read more about What is regulatory compliance & how does it affect WordPress security.
Who is responsible for being PCI Compliant?
These PCI standards apply to any and all organizations that accept, transmit, and/or store cardholder data. This includes merchants, processors, acquirers, issuers, and service providers. In essence, any organizations that touch cardholder data or sensitive authentication data must adhere to these rules.
WooCommerce merchants are, of course, reliant on vendors to meet these regulations. That includes everything from PCI compliant hosting, to secure payment gateways and processors. Such vendors make it possible for even small businesses and startups to meet these security requirements.
What makes a WooCommerce website PCI Compliant?
As with most security, remaining PCI compliant requires merchants to take a variety of steps on an ongoing basis. The latest version of the PCI-DSS Requirements and Security Assessment Procedures document is 139 pages long. Luckily, much of that will apply to vendors like payment processors, and not to the website owners themselves.
Ultimately, these steps below will help ensure that when you fill out a PCI Self Assessment Questionnaire (SAQ) and have your website scanned to determine if it meets PCI requirements, you’ll have a much easier time passing. They will also help to keep your website safe from most attacks.
Important items to keep in mind
- Keep your WordPress software up-to-date.
- Update WooCommerce and any other WordPress Plugins and/ or Extensions.
- Your web hosting environment must be running up-to-date software, including the latest security patches.
- Configure and maintain a firewall, or select a host that will do this for you. WooCommerce web hosts often work with Web Application Firewall (WAF) providers such as Cloudflare and Sucuri to offer firewalling solutions that are monitored 24/7.
- Securely transmit data over HTTPS by leveraging SSL certificates.
- Run malware scanners, or select a host that does so on an ongoing basis. Be sure someone is seeing security reports every day – if not in real-time.
- Observe least-privileged-access principles, only sharing access with those that absolutely need it. This can include basic steps, such as making your WordPress admin only accessible to whitelisted IP addresses.
- Use unique user IDs and strong passwords. Store them safely, and update passwords at least every 90 days.
- Make sure that each admin has their own login credentials – don’t share credentials.
- Keep all systems that interact with your website secure. This includes running up-to-date antivirus software on computers that you use to access your WordPress admin.
- Host other applications separately. That includes hosting other websites separately and using separate e-mail hosting. Additionally, any old copies of your website as well as development or staging copies of your site should not be in your production (live) hosting environment.
- Deploy intrusion detection systems (IDS) to catch security breaches early, minimizing the fallout.
- Continue to review your security, accounting for changes made to your website, personnel, and vendors.
- Wherever possible, use multi-factor authentication. Consider adding a WordPress two-factor authentication (2FA) extension to make it harder for hackers to access the backend of your WooCommerce store.
- Properly store logs and backups. This is extremely important in case they’re needed as part of a breach investigation.
How do I get my PCI Compliance Certification?
There are specific vendors that provide this service. It’s often a good idea to check in with your payment processor and web hosting provider to see if they offer, include, or recommend any such services. However, there is a long list of approved scanning vendors available from the PCI Security Standards Council. Remember, that this is not a one-time procedure, so you can hope to work with this vendor for many years to come.
Does passing a PCI Scan guarantee my WooCommerce site is safe and secure?
PCI Compliance assessments address observable security policies and weaknesses and focus on the minimum security efforts required by merchants. It’s crucial to upkeep your security after your site has initially been certified PCI compliant. For instance, you’re still required to install new security patches within 30 days of their release.
Additionally, it’s highly advisable to take a proactive approach to security. There are always zero-day events – instances in which a new security vulnerability is exploited. In such instances, patches don’t exist yet. Your best bet is to be leveraging basic security tools, such as an intrusion detection system (IDS). This acts as an alarm, giving you the opportunity to address an instance of hacking quickly, minimizing what could otherwise be a much worse incident. In general, we can say that there are many reasons Why your WordPress e-commerce solution has to be secure.
Is using a PA-DSS provider make a site PCI Compliant?
Payment processors that adhere to the Payment Application Data Security Standard (PA-DSS) don’t automatically make your site PCI compliant. Neither do web hosts. Even if you use a payment processor that takes shoppers off-site to complete their transactions, you still have liabilities. For instance, if you aren’t patching your software, and your WordPress site is hacked, thieves could swap your checkout for their own form in order to siphon off credit card data. While some payment gateways can lower your risks of a breach, they can’t absolve you of all of your security responsibilities.
What are the risks of not keeping your WooCommerce site PCI Compliant?
If your WooCommerce site accepts payment cards and isn’t PCI compliant, there are lots of risks. You could be forced to pay fees or fines or find payment processors refusing to service your account – cutting off your ability to accept online payments. That’s why PCI DSS Compliance for WordPress e-commerce & business sites is extremely important.
It gets worse if you have a data breach while not adhering to the PCI-DSS regulations. There are all sorts of fines and costs, including potential legal action. That’s beyond your damaged reputation, and the costs of investigating and mitigating a breach, which may also cause downtime and a loss of revenue for your WooCommerce store.
After a breach, you may find it much harder and/or more costly to accept payment cards, if you can find a vendor that’s willing to service you. It really depends on the particulars, but if you’re found to be high-risk because you have not been adhering to basic security standards, it can have serious consequences on your business.
Are there vendors that specialize in assisting WooCommerce merchants with PCI Compliance?
Yes! For instance, rather than have shoppers submit payment card information that you retain, there are a wide variety of payment gateways that can transmit credit card information securely. These include solution providers like Amazon Pay, Authorize.net, Braintree, CCBill, Cybersource, EBizCharge, Global Payments, Heartland, PayPal, Square, Stripe, and more!
There are also more unique payment gateways that offer unique options to shoppers, such as Affirm, Bread, Katapult, Klarna, Sezzle, and ViaBill which offer buy-now-pay-later options to consumers, and Bolt, which replaces the WooCommerce checkout with a highly optimized checkout experience. There are even B2B payment solutions like PayStand and Apruve.
Similarly, there are web hosts that specialize in keeping your eCommerce hosting environment secure. While many platforms mention PCI Compliance, you’ll want to keep an eye out for malware scanning, web application firewalling, intrusion detection, 24/7 monitoring, and other factors that you may need a trusted vendor to manage for you.
It’s relatively easy to build a WooCommerce store, but without the right ongoing security practices, that store won’t be secured against hackers. If the store accepts payment cards, the website owners are responsible for being PCI compliant, and they need to select vendors that are compliant as well. Luckily, there are lots of great vendors to choose from to help make adhering to the PCI-DSS regulations fairly painless.