PCI Compliance: WordPress and WooCommerce Small Business Headaches

I’m by no stretch of the imagination an expert on PCI Compliance, so none of this can be taken as advice, but I have been dealing with an issue for a client so I wanted to write about this to help signpost others looking into this for the first time.

Our client is a typical small business with a very typical eCommerce store setup. It’s a WordPress site using WooCommerce for eCommerce. Nothing fancy here.

They use both PayPal Standard and PayPal Pro on their site to accept payments.

PayPal Standard is a gateway that takes the customer over to PayPal’s website to complete payment. This is built into WooCommerce.

PayPal Pro, on the other hand, let’s the customer enter debit and credit card details on their website. This is a plugin for WooCommerce.

It’s the PayPal Pro element, where customers can enter their debit and credit card details on our client’s website, that is requiring the entire website to meet PCI Compliance.

This is where a whole can of worms is opened up in the world of PCI Compliance regulations.

Below I’ll discuss PCI-DSS Compliance in the context of a small business, using a WordPress WooCommerce site, using PayPal for payments.

What is PCI /PCI-DSS Compliance?

PCI-DSS (Payment Card Industry Data Security Standard) Compliance is a set of regulations created by the Payment Card Industry Security Standard Council which the aim of reducing credit card fraud by producing consistent data security measures online.

Do the PCI-DSS Compliance rules apply to me?

They apply to anyone that is storing, processing, or transmitting credit card or debit card data, therefore any website that wants to take credit or debit card payments directly must be aware of PCI-DSS.

If you have PayPal Pro or another payment gateway where your customers enter any cardholder details on your website then, more likely than not, you will need to be PCI-DSS Compliant.

What are the PCI rules I need to follow?

Reading through the rules, it seems there are 12 requirements for PCI Compliance, a simplified summary is:

1 – Firewalls

Making sure there is a firewall installed and maintained to protect credit card and debit card data.

Invest in a premium website host. Make sure it has a firewall. Make sure it’s hosting is PCI-DSS Compliant. A good starting place is to google ‘PCI Compliant hosting’.

2 – Passwords & Other Security

Enforcing strong password at all times, not using default system generated passwords, and removing any unnecessary default accounts and passwords.

Use a password manager like LastPass to set complex passwords for your own login. Then enforce all logins to have strong passwords. Go ahead and delete any unnecessary accounts on your website.

3 – Protect Stored Card Data

Ensure that all card data is encrypted and protected at all times. Make sure certain elements are never stored.

Best place is to never store any card data at all. WooCommerce’s in-house payment gateways never store more than 4 digits of a card if storing payment tokens for re-use.

4 – Encrypt 

Encrypt using SSL TLS and keep up with current protocols.

Make sure your website secures your website using an SSL Certificate. Make sure that your SSL meets current PCI requirements. For example, TLS 1.0 should be disabled as it will fail PCI-DSS Compliance.

5 – Virus Protection 

Make sure your website is protected against malware and is using antivirus systems.

This is something that premium web host will help with. Make sure hosting is PCI Compliant and comes with malware protection and antivirus.

6 – Secure System 

Ensure your website, plugins and software is up-to-date. Make sure software and system has latest patched.

In terms of your WordPress website, make sure your WordPress core is updated, you are the latest version of WooCommerce, and any plugins are kept to a minimum and updated. Also make sure any code on your website is patched against vulnerabilities. In terms of your hosting software, a decent managed web host will do this for you.

7 – Cardholder Data Restricted Access

Make sure that access to any stored cardholder data is restricted.

WordPress allows you to set access levels. Best to allow only limited administrative access, and restrict access to all other accounts.

8 – System Access

Ensure all admin access to systems containing credit card details is logged and trackable. Users need to be traceable and accountable for their actions. Access should be limited to only those who need it.

Talk to your web host and restrict access. Limit administrative access throughout your system.

9 – Restrict Physical Access

Access to physical stored and transmitted data should be restricted by the hosting provider.

A premium dedicated environment in a secured server location would be preferential. Ensure that the host has high-level site security.

10 –Track and monitor access to network resources and cardholder data

11 – Regularly test security systems and processes

Use an ASV (approved scanning vendor) to regular scan your site for issues. Trustwave is a good choice.

12 –Maintain a policy that addresses information security for all personnel

What things do I need to actually do then?

That’s all well and good, so here are some of the things that you actually need to do –

1. Choose a premium dedicated web host that’s PCI Compliant
2. Enforce strong usernames and password, and limit access to your server
3. Never store cardholder details
4. Use an SSL with latest standards
5. Use a minimal number of plugins and keep your entire site updated
6. Work with your payment merchant and use an ASV to scan your site, then fix any issues that arise

PCI-DSS Compliance is a good thing?

Yes, anything that can help reduce credit card fraud is a good thing. It will also help to keep your site safe, help to protect you against any possible future fraud issues, and helps protect your customers.

It’s just very complicated issue that takes a little while to get your head around.

If you’re still confused on what you need to do or whether your need to be PCI Compliant then I recommend speaking to a Compliance expert.

Alternatively, you can try to avoid needing PCI Compliance in the first place.

How can I avoid needing to be PCI Compliant?

The only way you can avoid the need for PCI-DSS Compliance is to remove any instance where credit card of debit card data is stored, processed, or transmitted on your website (server).

• PayPal Standard (Website Payments Standard) would allow you to negate any PCI Compliance requirements.
• PayPal Pro (Website Payments Pro) would require PCI Compliance.
• PayPal Pro Hosted (Website Payments Pro Hosted) is a grey area that I’m not 100% sure on.
• Stripe again is a grey area that I’m not 100% sure on.
• There are lots more payment gateways and merchant accounts available that those above.

For more information on PCI Compliance visit –

https://www.pcisecuritystandards.org/
https://www.paypal.com/uk/webapps/mpp/pci.
https://docs.woocommerce.com/document/pci-dss-compliance-and-woocommerce/