What is PCI DSS?
If you accept payment via credit card, the Payment Card Industry Security Standards Council (PCI SSC) wants you to be PCI DSS Compliant (or PCI Compliant, for short).
For them, PCI DSS means less credit card fraud, which means increased consumer confidence in credit cards, which means more people using credit cards, which means more profit.
For you, PCI DSS means less credit card fraud, increased consumer confidence in your store (and so more sales), and much lower liability if you do have to deal with a fraudulent or disputed charge.
How Do I Make My WooCommerce Online Store PCI DSS Compliant?
Just kidding.
Let’s break this down to make it a little less overwhelming.
Step 0: Get an SSL Certificate for Your Website
- Customers enter their mailing and billing addresses on your site when they order, and that information should be protected in transit.
- If you let users create accounts to save wishlists or shipping info, you should use SSL so their usernames and passwords are encrypted in transit. In fact, starting in January 2017 Google Chrome flags pages that collect passwords or credit card numbers over plain HTTP as “Not secure”.
- Google wants the web to be as safe and secure as possible, and you’ll get a small but concrete SEO boost by making your entire site available exclusively over SSL.
Getting an SSL certificate is easier than ever. You can get one for free from Let’s Encrypt, or purchase one through your web host. You’ll also need to add a few lines to your .htaccess file to redirect all traffic to HTTPS; if that sentence made no sense to you, the Really Simple SSL plugin can do it for you. And don’t forget to turn on “Force secure checkout” in your WooCommerce Checkout Settings!
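If you would rather do the .htaccess part by hand, here is an added example (not from the original post, and not the Really Simple SSL plugin’s output) of the rules for an Apache host. It assumes mod_rewrite and mod_headers are enabled and that the site already loads cleanly over https://; the `X-Forwarded-Proto` check is an assumption about how a proxy-fronted shared host signals that the visitor used HTTPS, so confirm the header name with your host.

```apache
# Added example: force every plain-HTTP request to the HTTPS version of the
# same URL. Place these lines ABOVE the "# BEGIN WordPress" block so they run
# before WordPress's own rewrite rules.
RewriteEngine On

# Redirect only when the request did not arrive over HTTPS. Hosts that
# terminate TLS on a front-end proxy leave %{HTTPS} "off" even for secure
# requests, so the second condition (assumed header name) prevents a
# redirect loop on such hosts. Both conditions must hold for the redirect.
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# HSTS: once everything works over HTTPS, tell browsers to stop trying plain
# HTTP at all. Browsers ignore this header on non-TLS responses, so it is safe
# to send it unconditionally. Start with a short max-age (5 minutes here) and
# raise it (e.g. to 31536000) only after you are sure you never need to go
# back to HTTP, because browsers will refuse plain HTTP until it expires.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=300"
</IfModule>
```

Two checks after saving: set both the WordPress Address and Site Address under Settings > General to the https:// URL, or WordPress will keep generating http:// links and you will see mixed-content warnings; then run `curl -I http://yourstore.example/` and confirm you get a `301` with a `Location:` header pointing at the https:// URL. Note that WooCommerce’s “Force secure checkout” only covers the checkout and account pages, so the site-wide redirect above is still what delivers the login and SEO benefits listed earlier.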
Step 1: What’s your Merchant Level?
This means that, for now, nobody is going to audit your store for PCI compliance, and all you need to do in order to validate compliance is submit a completed Self-Assessment Questionnaire.
Step 2: What the Heck is a SAQ?
“At a minimum, cardholder data consists of the full PAN*. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.”
*“PAN” is the “primary account number”, also referred to as the “account number.” It’s the unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.
To be rated as PCI Compliant your business needs to submit a SAQ filled out with all questions answered either “Yes”, “N/A”, or “Yes with CCW” (woo hoo, another acronym!).
A CCW is a “Compensating Controls Worksheet” that you attach to the end of your SAQ to explain an alternative way of meeting a particular requirement. Don’t try to fill one out without an expert; fortunately, if you’re using a standard WooCommerce setup, you won’t need to.
Step 3: Which SAQ Should You Use?
You should use SAQ A if:
Your customers enter their Cardholder Data on a Third-Party Payment Page that is hosted on your payment gateway’s site and is not part of your website. To the customer this appears either as a popup, an iframe (a page from the gateway’s site embedded in your page) or as a redirect to a new page where they enter their card details and are then sent back to your site for final order confirmation.
Since your customers’ Cardholder Data never touches your site, your business is responsible for very little when it comes to meeting PCI Compliance standards. Most of the hard work is done by your payment processor. (You are still responsible for the page that redirects to or embeds the gateway, so keep WordPress, WooCommerce and your plugins patched.)
Common WooCommerce payment gateways that fall into this category are PayPal Standard, PayPal Express Integration, Chase Paymentech, and Authorize.net DPM.
You should use SAQ A-EP if:
Your customers enter their Cardholder Data on a payment form that is part of your website (your web server delivers the payment page), but the data goes from the customer’s browser to the gateway without passing through your server. Most of the time this type of payment method is “tokenized”: before the customer even hits “Submit”, the gateway’s JavaScript running in the browser sends the card details straight to the gateway over HTTPS and gets back a one-time token, so only the token, never the card number, is posted to your web server.
WooCommerce’s Stripe and PayPal by Braintree gateways operate this way, and it does provide a smoother, more professional user experience for your customers. The reason it requires a different SAQ is that your web server delivers the payment page: if your server is hacked, someone could inject script into that page that captures Cardholder Data in the browser before it is sent to the gateway, so the security of your server, and of every plugin that touches the checkout page, is in scope.
There are also non-tokenized gateways like Authorize.net AIM, where the Cardholder Data is posted from your customer’s browser to your web server, and your server then sends it on to Authorize.net. Be careful here: because your server receives cardholder data, this arrangement no longer meets the eligibility criteria for SAQ A-EP, and the applicable questionnaire is the much longer SAQ D. And you ABSOLUTELY MUST use SSL on at least your store’s payment pages, otherwise you’re transmitting unencrypted Cardholder Data from your customers’ computers to your web server, which is a Very Bad Thing.
For all of those reasons SAQ A-EP is much longer than SAQ A and gets into things like server firewalls, regular malware scans, and system administration procedures, all of which are typically managed by your web host.
If You’re Using SAQ A-EP, Get Help from Your Host
I think that an on-site tokenized Payment Page is the best way to go, as it makes your business look substantial and professional. But it does mean more work filling out your SAQ. Fortunately, if your host is PCI Compliant they will usually either send you an SAQ with their portions pre-filled, or work with you to fill yours out.
If your current hosting plan is not PCI Compliant and your host doesn’t offer any PCI Compliant hosting plans, your options are to a) forget about going for PCI Compliance; b) move to another host, or c) switch to using a payment gateway that uses an off-site Third Party Payment Page.
Step 4: Submitting Your SAQ
If you filled out SAQ A, you only need to keep your SAQ on file, ready to send to an “Enforcing Organization” (such as your acquiring bank [the bank that actually processes your credit card transactions] or your merchant service provider) on request. You should also review it at least once a year to make sure you’re still doing what you said you were.
If you filled out SAQ A-EP, one of the requirements is to have your site’s internet-facing systems scanned by a PCI Approved Scanning Vendor (ASV) at least once a quarter, and to submit a passing scan result to the appropriate Enforcing Organization. (An ASV scan is an external vulnerability scan of your web server, not a malware scan.) Sometimes your web host arranges this, and sometimes you need to hire an ASV to do it on your behalf. The PCI SSC has a handy searchable directory of its ASVs here.
PCI Compliance for WooCommerce = Totally Easy
Even though your WooCommerce online store might not be required to validate PCI Compliance now, it wouldn’t be surprising at all if the PCI Security Standards Council changed their mind about that in the future given the proliferation of small businesses processing credit cards. And even if they don’t, going through the process of filling out an SAQ will result in a more secure store, which is good for you and good for your customers.
For all of the PCI Compliance information you can handle, visit the PCI’s official site at https://www.pcisecuritystandards.org. You’ll find PDFs of the SAQs, worksheets, and checklists to help you get to the finish line.