WooCommerce and PCI Compliance – Everything You Need to Know - WSIL-TV 3 Southern Illinois

What makes WooCommerce so great is that it is completely open-source, but how safe is it? Does it meet the standards for PCI Compliance?

Is WooCommerce PCI Compliant “Out of the Box”?

WooCommerce is not completely PCI-DSS compliant “out of the box.” It receives audits from WordPress users and contributors, and some users and volunteers also create plugins to help achieve PCI compliance. In addition, WooCommerce receives audits from Sucuri. However, that alone doesn’t make it safe for online transactions. Ultimately, it’s up to each website manager who’s using WooCommerce to ensure their site is set up and configured correctly to be PCI compliant.

Do you want to make sure that your customer data is safe and protected? Below we’ll walk you through how to increase your WooCommerce PCI Compliance and meet security standards.

What is PCI Compliance Anyway?

PCI is short for PCI-DSS, the Payment Card Industry Data Security Standard. Just as the name implies, these are security standards set to protect customer information when paying with a credit or debit card. These rules were defined by the Payment Card Industry Security Standards Council and help protect customer information as well as merchant accounts. If you are PCI Compliant, then you are considered an “approved scanning vendor.”

If you will be using, storing or processing credit card data on your site, you should be aware of these PCI Compliance standards and how they work with WooCommerce.

The following are the 12 core PCI-DSS requirements:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Do I Need to Be PCI Compliant?

If your website is transmitting credit card data, then yes, you need to be PCI-DSS compliant.

This is, however, becoming less common, as MOST WooCommerce stores now use third-party payment gateways (like PayPal and Stripe) which handle the sensitive card details for you. In this case, since your customer’s browser connects directly to the payment provider’s servers, your site never has to handle the card data, and so you don’t need to take steps to comply.

Source: https://woocommerce.com/products/stripe/

That being said, even if you use a payment processor like Stripe, WooCommerce DOES still store sensitive customer details like their address, phone number, and email address. To keep these customer details safe, it’s still best to follow the steps outlined below for PCI compliance and general WordPress security.

What Security Measures Does WooCommerce Already Have in Place?

While some of the 12 core PCI requirements are beyond the scope of the WooCommerce software, there are some requirements that have already been addressed by WooCommerce developers. Just keep in mind, these alone are not enough to meet all the requirements.

Requirement #3: Protecting Stored Card Information

While WooCommerce may not protect stored card information, it’s designed to not store it in the first place! If a payment method is saved for future use, only four digits of the card number are stored. (Keep in mind, some third-party plugins that integrate with WooCommerce might indeed store the card details. We are only speaking for the WooCommerce in-house applications.)

Requirement #4: Security with SSL

If you accept customer payment details on your site, then a valid SSL certificate is required. An SSL certificate ensures that any information your customers enter into your website is encrypted before it’s transmitted. This reduces credit card fraud and makes your website more secure. Plus, you get an SEO boost for having SSL. You can set WooCommerce to enforce the SSL requirement on its checkout pages. This is another way that WooCommerce helps with PCI Compliance. However, you will need to check with your web hosting provider to see if they can provide the SSL certificate.

Requirement #7: The WordPress Login System

This handy little feature helps WooCommerce assist with PCI Compliance by allowing use of the WP Login System to give administrator rights or privileges only to whomever you choose. Instead of giving your whole team access to all your customer details, you can set different user roles, so your blog post author can edit and create posts but can’t view your WooCommerce customer details. This “Need-to-Know Only” setup, when used properly, ensures you stay in compliance.
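The need-to-know setup described above can be checked rather than assumed. The following is an added example (not WooCommerce or WordPress code): a small must-use plugin that registers a content-only role and audits every role for capabilities that reach customer data. The capability list, the allowed-role list and the `shop_content_author` role name are assumptions chosen for this example; `manage_woocommerce`, `edit_shop_orders` and `view_woocommerce_reports` are real WooCommerce capabilities.

```php
<?php
/**
 * Plugin Name: Customer-data capability audit (added example, not WooCommerce code)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Capabilities that expose customer details (orders, reports, user lists). Chosen for this example.
function example_customer_data_caps() {
    return array( 'manage_woocommerce', 'edit_shop_orders', 'view_woocommerce_reports', 'list_users' );
}

// Roles expected to hold those capabilities; any other role holding one is reported.
function example_allowed_roles() {
    return array( 'administrator', 'shop_manager' );
}

/**
 * Return array( role_slug => list of sensitive caps granted ) for roles outside the allowed list.
 * An empty array means need-to-know is intact.
 */
function example_find_overprivileged_roles() {
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( in_array( $slug, example_allowed_roles(), true ) ) {
            continue;
        }
        $granted = array();
        foreach ( example_customer_data_caps() as $cap ) {
            if ( ! empty( $role['capabilities'][ $cap ] ) ) {
                $granted[] = $cap;
            }
        }
        if ( $granted ) {
            $findings[ $slug ] = $granted;
        }
    }
    return $findings;
}

// Register a content-only role once: posts yes, customer data no (add_role persists to the database).
add_action( 'init', function () {
    if ( null === get_role( 'shop_content_author' ) ) {
        add_role( 'shop_content_author', 'Shop Content Author', array(
            'read' => true, 'edit_posts' => true, 'publish_posts' => true, 'delete_posts' => true,
        ) );
    }
} );

// Log any drift on each admin page load so an over-privileged role is noticed quickly.
add_action( 'admin_init', function () {
    foreach ( example_find_overprivileged_roles() as $slug => $caps ) {
        error_log( sprintf( 'PCI req 7: role "%s" can reach customer data via %s', $slug, implode( ', ', $caps ) ) );
    }
} );
```

Plugins that add their own roles show up in the log as soon as they grant one of the listed capabilities, which is the point at which you decide whether that role really needs it.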

What Else Does WooCommerce Need to be PCI Compliant?

Now that you know and understand how WooCommerce helps your WordPress site comply with the PCI standards, it’s time to create a checklist of the OTHER steps that may be necessary to keep your customers’ sensitive data safe and secure.

Requirement #1: Establish and Maintain a Firewall

Without a web application firewall (or WAF), a malicious bot could infect your site and steal your customers’ sensitive data. Having a firewall not only helps ensure the safety of your customers’ personal information, but also keeps your whole site secure from digital attack. In order to achieve successful PCI Compliance for WooCommerce, the firewall should not only be established, but also maintained on a routine basis.

There are several Website firewall providers, but some are more effective than others. We recommend our Professional UpKeep Service Plan to all our clients, which includes a corporate-grade Website Firewall at a very affordable cost.

Requirement #2: Secure Passwords

Make sure that you are using passwords that are not easily guessed, and PLEASE do not use the default passwords. Strong passwords have a mixture of capital letters, lowercase letters, numbers and symbols. It is generally recommended that most passwords are longer than eight characters, because the longer a password is, the harder it is to guess through brute force attacks. WordPress does help with PCI Compliance by having a password strength indicator built in. This will allow you to see if your password is strong enough (though it doesn’t require a strong password unless you set it to do so).
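Because the built-in strength indicator only advises, the requirement has to be enforced by the site itself. The following is an added example (not WordPress or WooCommerce code) of a must-use plugin that rejects weak passwords on the wp-admin profile/new-user forms and on the lost-password reset form. The 12-character minimum and the three-of-four character-class rule are assumptions chosen for this example; `user_profile_update_errors` and `validate_password_reset` are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example, not a WooCommerce feature)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Policy values assumed for this example.
const EXAMPLE_MIN_PASSWORD_LENGTH = 12;

/**
 * Return an error message if $password fails the policy, or null if it passes.
 * Length is checked first, then a mix of character classes, matching the advice above.
 */
function example_password_policy_error( $password ) {
    if ( strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Password must be at least %d characters long.', EXAMPLE_MIN_PASSWORD_LENGTH );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $pattern ) {
        if ( preg_match( $pattern, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return 'Password must use at least three of: lowercase letters, uppercase letters, digits, symbols.';
    }
    return null;
}

// wp-admin profile edits and new-user creation: the candidate password arrives as $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $msg = example_password_policy_error( $user->user_pass );
        if ( $msg ) {
            $errors->add( 'weak_password', '<strong>Error</strong>: ' . $msg );
        }
    }
}, 10, 3 );

// Lost-password reset form: the candidate password is posted as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        $msg = example_password_policy_error( wp_unslash( $_POST['pass1'] ) );
        if ( $msg ) {
            $errors->add( 'weak_password', '<strong>Error</strong>: ' . $msg );
        }
    }
}, 10, 2 );
```

The customer-facing WooCommerce “My Account” form saves passwords through its own hooks, so the same policy function would need to be attached there as well to cover shop customers.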

Going NEXT-LEVEL: Enable Two-Factor Authentication

Going beyond strong passwords is Two-Factor Authentication (2FA). Have you ever used your smartphone to receive a code for identity verification? While it can certainly seem like a pain sometimes, two-factor authentication helps protect you and your customers. This also helps you become more PCI compliant. WooCommerce doesn’t include 2FA out of the box, but here is a plugin for WooCommerce which adds two-factor authentication. This was not created by WooCommerce, but it was created to be used within WordPress. There are several other plugins available for two-factor authentication, such as RapID Secure Login and UNLOQ.

Requirement #5: Get Virus Protection

WooCommerce doesn’t have virus protection built-in so this requirement is the responsibility of the website owner. Having virus protection for WooCommerce and WordPress is just as important as having virus protection on your computer. There are some free tools for anti-virus and malware protection, but for all our clients who are serious about website security we recommend our WordPress Security Services.

Requirement #6: Keep Your Updates Up-to-Date

Any and all plugins and themes that you may have installed on your WordPress site must be kept up to date. Hackers are always finding vulnerabilities in your site software that can be used to gain access to your site, and thus your customers’ information. These software updates include security patches for those vulnerabilities and are vital in keeping your customers’ information safe and secure.

Requirement #8: Track Every User Who has Computer Access

PCI Compliance states that everyone with computer access must have a unique ID. Since this is not an option available with WooCommerce, you should work with your website or network administrator or hosting provider to make sure that all users are logged and their actions can be tracked. Additionally, limit access to only those who must use it. This ensures that the correct person is held accountable for their actions should something go wrong.
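Where the host does not provide an audit trail, the login events WordPress already emits can be recorded so that each action is tied to a unique account. The following is an added example (not WordPress or WooCommerce code): a must-use plugin that writes successful and failed logins, with user ID, source address and user agent, to the PHP error log. The log format is an assumption for this example; `wp_login` and `wp_login_failed` are real WordPress hooks.

```php
<?php
/**
 * Plugin Name: Login audit trail (added example, not WooCommerce code)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// Build one log line; fields are tab-separated so a SIEM or grep can split them reliably.
function example_login_audit_line( $event, $username, $user_id, $ip, $agent ) {
    return implode( "\t", array(
        gmdate( 'c' ),
        'wp_auth',
        $event,
        'user=' . $username,
        'id=' . ( $user_id ? $user_id : '-' ),
        'ip=' . $ip,
        'ua=' . substr( preg_replace( '/\s+/', ' ', $agent ), 0, 120 ),
    ) );
}

// Source address and user agent from the current request (REMOTE_ADDR is the direct peer;
// behind a proxy or WAF, substitute the header your provider sets for the real client).
function example_request_context() {
    return array(
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '-',
    );
}

// Successful login: record who, from where, and which roles the account holds.
add_action( 'wp_login', function ( $user_login, $user ) {
    list( $ip, $agent ) = example_request_context();
    $line = example_login_audit_line( 'login_ok', $user_login, $user->ID, $ip, $agent );
    error_log( $line . "\troles=" . implode( ',', $user->roles ) );
}, 10, 2 );

// Failed login: the username is attacker-controlled input, so it is recorded but never trusted.
add_action( 'wp_login_failed', function ( $username ) {
    list( $ip, $agent ) = example_request_context();
    error_log( example_login_audit_line( 'login_failed', sanitize_user( $username ), 0, $ip, $agent ) );
} );
```

Repeated `login_failed` lines from one address, or a `login_ok` for an administrator account from an unfamiliar address, are the patterns worth alerting on once these lines are shipped to a central log.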

Is Maintaining PCI Compliance for WooCommerce Too Much for You?

Here at Hog the Web, we have a dedicated team who will ensure that your website is safe, secure and PCI Compliant. We have different plan options depending on your budget. Our services include SSL implementation, an anti-hacker firewall (WAF) and daily scans for malware and vulnerabilities, as well as pro-active software updates and testing. Want to learn more? Contact us today!
