PCI Compliance for small online stores isn’t required (yet), but it’s still a good idea. Being PCI Compliant protects you and your customers from hacking, fraud, and liability, and is easier to achieve than you might think. Here’s what it takes to make your online store running on WooCommerce PCI DSS compliant.

What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s managed by the Payment Card Industry Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. with the goal of increasing security and reducing fraud for credit card transactions.

If you accept payment via credit card, the Payment Card Industry Security Standards Council wants you to be PCI DSS Compliant (or PCI Compliant, for short).

For them, PCI DSS means less credit card fraud, which means increased consumer confidence in credit cards, which means more people using credit cards, which means more profit.

For you, PCI DSS means less credit card fraud, increased consumer confidence in your store leading to more sales, and drastically reduced liability if you do have to deal with a fraudulent or disputed charge.

How Do I Make My WooCommerce Online Store PCI DSS Compliant?

Step 0: Get an SSL Certificate for Your Website

SSL (https) is not always required for PCI Compliance, but you should still have an SSL certificate for your site. Here’s why:

Getting an SSL certificate is easier than ever. You can get one for free from Let’s Encrypt, or purchase one through your web host. You’ll need to do a little configuration in your .htaccess file to force all traffic to go over SSL, and if that sentence made no sense to you, you can do that with the Really Simple SSL plugin. And don’t forget to turn on “Force secure checkout” in your WooCommerce Checkout Settings!
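For readers who would rather do the .htaccess part by hand, here is an added example of the rewrite rule (it is not from the original post or from the Really Simple SSL plugin). It assumes Apache with mod_rewrite and mod_headers enabled, a certificate already installed, and that the block is placed above the standard WordPress rules in .htaccess:

```apache
# Added example (not from the original post): send every plain-HTTP request
# to the same URL over HTTPS with a permanent redirect.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

# Optional: tell browsers to use HTTPS for this host for the next year
# without ever trying plain HTTP first. Only enable this once every page
# on the site already works over HTTPS; the env=HTTPS condition keeps the
# header off plain-HTTP responses, where it is ignored anyway.
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
</IfModule>
```

One check before you rely on this: if your host terminates SSL on a load balancer or proxy in front of your server, Apache may see every request as plain HTTP and the rule above would redirect in a loop. In that case your host will tell you which request header (commonly X-Forwarded-Proto) to test instead of %{HTTPS}.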

Step 1: What’s your Merchant Level?

The PCI members define merchant levels by how many credit card transactions you process per year. The thresholds for these limits vary between the card companies, but I’m going to assume that if you’re reading this article you are processing fewer than 20,000 transactions per year, which means that you are in the lowest tier for all of the credit card companies.

This means that PCI Compliance for you is optional (for now), and all you need to do in order to achieve PCI Compliance is to submit a filled-out Self-Assessment Questionnaire.

Step 2: What the Heck is a SAQ?

A PCI SAQ (Self-Assessment Questionnaire) is a list of yes/no questions about how your business handles Cardholder Data. Of course, Cardholder Data has a very specific description, per the PCI:

“At a minimum, cardholder data consists of the full PAN*. Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code.”

*“PAN” is the “primary account number”, also referred to as the “account number.” It’s the unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account.

To be rated as PCI Compliant your business needs to submit a SAQ filled out with all questions answered either “Yes”, “N/A”, or “Yes with CCW” (woo hoo, another acronym!).

A CCW is a “Compensating Controls Worksheet” that you can attach to the end of your SAQ explaining an alternative method of meeting a particular compliance criterion. Don’t try to fill one of these out without an expert, but fortunately, if you’re using a standard WooCommerce setup you won’t need to.

Step 3: Which SAQ Should You Use?

If you’re running an eCommerce Online Store using WooCommerce that accepts Credit Card Payments online, you will need to use either SAQ A or SAQ A-EP.

You should use SAQ A if:

Your customers enter their Cardholder Data on a Third-Party Payment Page that is hosted on your payment gateway’s site, and is not part of your website. This can appear to the customer either as a popup, an iframe (a webpage from another site embedded in your webpage) or as a new page where they enter their data and then get sent back to your site for final order confirmation.

Since your customers’ Cardholder Data never touches your site, your business is responsible for very little when it comes to meeting PCI Compliance standards. Most of the hard work is done by your payment processor.

Common WooCommerce payment gateways that fall into this category are PayPal Standard, PayPal Express Integration, Chase Paymentech, and Authorize.net DPM.

You should use SAQ A-EP if:

Your customers enter their Cardholder Data in a form embedded in your Checkout page. This Payment Page is hosted on your site, the same as the rest of your store, and customers don’t get sent to a page on another website to enter their Cardholder Data.

Most of the time this type of payment method is “tokenized”. That means that before the customer even hits “Submit”, the Cardholder Data they’ve entered into your site has been encrypted, so that it’s secure from the moment it leaves your customer’s keyboard to the point where it arrives at your payment gateway.

WooCommerce’s Stripe and PayPal by Braintree gateways operate this way, and it does provide a smoother, more professional user experience for your customers. The reason why it requires a different SAQ is that there is the chance that if your web server gets hacked, someone could install malware that could in theory grab Cardholder Data right before it gets encrypted.

There are also non-tokenized gateways like Authorize.net AIM, where the Cardholder Data is sent from your customer’s computer to your web server, and then encrypted and sent to Authorize.net. If you use this type of gateway you still need to use SAQ A-EP, but you ABSOLUTELY MUST use SSL encryption on at least your store’s payment pages, otherwise you’re transmitting unencrypted Cardholder Data from your customers’ computers to your web server, which is a Very Bad Thing.

For all of those reasons SAQ A-EP is much longer than SAQ A and gets into things like server firewalls, regular malware scans, and system administration procedures, all of which are typically managed by your web host.

If You’re Using SAQ A-EP, Get Help from Your Host

I think that an on-site tokenized Payment Page is the best way to go, as it makes your business look substantial and professional. But it does mean more work in terms of filling out your SAQ. Fortunately, if your host is PCI Compliant they will usually either send you an SAQ with their portions pre-filled, or will work with you to fill yours out.

If your current hosting plan is not PCI Compliant and your host doesn’t offer any PCI Compliant hosting plans, your options are to a) forget about going for PCI Compliance; b) move to another host; or c) switch to using a payment gateway that uses an off-site Third-Party Payment Page.

Step 4: Submitting Your SAQ

When you’ve filled out your SAQ, proofread it, triple-checked it backwards and forwards, and dotted your “i”s and crossed your “t”s, it’s time to send it off to the PCI. Maybe.

If you filled out SAQ A, you only need to keep your SAQ on file and ready to send to an “Enforcing Organization” (such as an acquiring bank [the bank that actually processes your credit card transactions] or your merchant service provider) on request. You should also review it at least once a year to make sure you’re still doing what you said you were.

If you filled out SAQ A-EP, one of the requirements is to scan your site for malware using a PCI-Approved Scanning Vendor (ASV) once a quarter, and submit a successful scan result to the appropriate Enforcing Organization. Sometimes your web host does this, and sometimes you need to hire an ASV to do it on your behalf. The PCI has a handy searchable directory of their ASVs here.

PCI Compliance for WooCommerce = Totally Easy

Ok, maybe not totally easy, but not as hard as you probably thought it would be. The three ingredients are an SSL Certificate, a PCI-compliant web host OR a payment gateway that uses a Third-Party Payment Page, and a filled-out SAQ.

Even though your WooCommerce online store might not be required to be PCI Compliant now, it wouldn’t be surprising at all if the PCI Security Standards Council changed their mind about that in the future, given the proliferation of small businesses processing credit cards. And even if they don’t, going through the process of filling out an SAQ will result in a more secure store, which is good for you and good for your customers.

For all of the PCI Compliance information you can handle, visit the PCI’s official site at https://www.pcisecuritystandards.org. You’ll find PDFs of the SAQs, worksheets, and checklists to help you get to the finish line.