In a 2022 study on consumer trust, TrustedSite found that credit card theft remains the top concern for online customers, followed by business legitimacy.
In fact, the Baymard Institute found that 18% of customers might add a product to the cart only to abandon it due to a lack of trust in the website.
If you have a WooCommerce store, how do you build that trust?
PCI-DSS compliance. Complying with Payment Card Industry Data Security Standards (PCI-DSS) makes your customers feel secure and allows you to do business without worry. Not to mention, it’s a requirement if you store, transfer, or process payment card information.
Read on to learn why PCI-DSS compliance is important, what it requires, and how to make your WooCommerce store PCI compliant.
Importance of PCI-DSS compliance
PCI-DSS compliance offers benefits for both customers and business owners. Customers can shop freely without worrying about credit card theft. Conversely, business owners enjoy fewer cybersecurity attacks due to increased security.
In addition to the benefits, you typically need to be PCI-DSS compliant to enjoy payment method support. For example, Mastercard states that “all merchants that store, process, or transmit cardholder data must be PCI compliant.”
Let’s dive into the PCI-DSS requirements.
PCI-DSS requirements
Consisting of Visa, Mastercard, JCB, American Express and Discover, the Payment Card Industry Security Standards Council (PCI SSC) outlines the following 12 requirements in its quick reference guide for PCI DSS:
1. Set up a strong firewall to protect payment card information.
2. Use unique passwords for all systems with access to payment card data.
3. Set up security protocols to protect payment card data during storage.
4. Use secure, encrypted channels to transfer card data across networks.
5. Run regular scans to keep your systems free of malware and viruses.
6. Opt for secure systems and be sure to plug all security holes.
7. Limit data access to only the people and systems that require it.
8. Implement authentication measures for data access within the involved systems.
9. Limit physical access to credit card data.
10. Track all network activity related to credit card data.
11. Perform regular security audits.
12. Keep your employees up to date on information security best practices through an established policy.
In other words, the PCI Security Standards Council requires you to implement a comprehensive security update to protect cardholder data.
How to make your WooCommerce store PCI compliant
Now that we know why PCI compliance is important and what requirements you need to meet, let’s take a look at how to make your WooCommerce store PCI-DSS compliant.
Determine required compliance levels
First of all, you need to determine the level of compliance you need, which depends on how many transactions you process each year.
At the time of writing, Visa and Mastercard define merchant compliance levels as follows (with Level 1 being the most stringent):
Level 1: Merchants with more than six million annual transactions.
Level 2: Merchants with annual transactions between one million and six million.
Level 3: Merchants with annual transactions between 20,000 and one million.
Level 4: Merchants with fewer than 20,000 annual transactions.
However, if you accept JCB or American Express, you may face the stricter requirements at even lower transaction volumes. For example, American Express requires Level 1 compliance at 2.5 million transactions per year, while JCB requires the same at 1 million transactions or more.
Your merchant level determines whether you submit a Self-Assessment Questionnaire (SAQ) or are assessed by a Qualified Security Assessor (QSA).
Audit current process
WooCommerce PCI compliance depends on your checkout process, as WooCommerce does not store any payment card data itself.
For example, if you direct customers to the payment gateway’s website, customers don’t enter their sensitive data on your website, so it never touches your server.
That is what happens when you use the WooCommerce PayPal Payments plugin, as Nalgene does.
When customers click the PayPal button, they are directed to the PayPal server.
While this might save you from strict PCI-DSS regulations, it is not a customizable payment option. And since 49% of customers may become repeat shoppers with personalization, you’ll do better with a personalized checkout experience.
For example, if you use Stripe, you can customize the front end however you see fit, like Wet n Wild Beauty, and still rely on Stripe’s servers to handle the payment off-site.
In this case, Stripe collects the card number and other data and replaces them with a token, so the raw card data never touches your servers. However, malware on your checkout page can interfere with the client’s connection to Stripe’s server and steal payment card details, so you may need to take additional steps to make your WooCommerce store PCI compliant.
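One such additional step, shown here as an added example that is not from the original post, from WooCommerce or from Stripe: a small WordPress snippet (hypothetical, intended for a mu-plugin or a theme’s functions.php) that sends a Content-Security-Policy header on the WooCommerce checkout page so the browser only runs scripts from your own origin and js.stripe.com and only opens connections to your own origin and api.stripe.com. It assumes the Stripe hostnames Stripe documents for CSP, a placeholder report endpoint you would have to implement, and report-only mode as the starting point, because WooCommerce and other plugins emit inline scripts that a strict policy would block.

```php
<?php
/**
 * Plugin Name: Checkout CSP (added example, not part of WooCommerce or Stripe)
 * Sends a Content-Security-Policy header on the WooCommerce checkout page so that
 * only scripts from this site and js.stripe.com can run, and the page can only
 * open connections to this site and api.stripe.com. A script injected by malware
 * from any other origin is blocked by the browser and reported instead of running.
 */

add_action( 'template_redirect', function () {
    // Conditional tags such as is_checkout() are only reliable after the main
    // query has run, so this hooks template_redirect rather than send_headers.
    if ( headers_sent() || ! function_exists( 'is_checkout' ) || ! is_checkout() ) {
        return;
    }

    $policy = implode( '; ', array(
        "default-src 'self'",
        // Stripe.js must load from js.stripe.com; no other third-party script may run.
        "script-src 'self' https://js.stripe.com",
        // Stripe.js sends card data to api.stripe.com, never to this server.
        "connect-src 'self' https://api.stripe.com",
        // Stripe Elements and 3-D Secure flows render in iframes from these hosts.
        "frame-src https://js.stripe.com https://hooks.stripe.com",
        "img-src 'self' data: https://*.stripe.com",
        // Placeholder: point this at a report endpoint you implement on your site.
        "report-uri /csp-report-endpoint-placeholder",
    ) );

    // Start in report-only mode: WooCommerce and many plugins emit inline scripts
    // that a strict policy blocks. Review the violation reports, add nonces or
    // hashes for legitimate inline code, then rename the header to
    // Content-Security-Policy to enforce it.
    header( 'Content-Security-Policy-Report-Only: ' . $policy );
} );
```

Once the policy is enforced, an unexpected script source on the checkout page shows up as a violation report rather than as quietly exfiltrated card data.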
While Stripe is a great alternative, they charge 2.9% + 30¢ for each successful transaction. These fees can add up and affect the bottom line of a company that deals with many orders.
That’s why big WooCommerce stores often opt for a custom payment gateway to reduce fees. For example, check out the World Vision donation page.
In this case, the online store processes the payment card data and stores it for future use, which is subject to strict PCI compliance requirements.
If your WooCommerce store does the same, it must maintain the security standards required by PCI SSC. Failure to do so may subject you to fines or suspension of payment method support.
Configure security measures
Depending on your current processes, you may need to:
Add an SSL certificate
A Secure Sockets Layer (SSL) certificate lets your web server encrypt data in transit between a browser and your server. If you require customers to enter their payment card details in a form hosted on your website, you must ensure that the payment card details remain encrypted during transfer to be PCI-DSS compliant.
In fact, we recommend adding an SSL certificate to every website, whether you run an eCommerce store or not, as most browsers mark any website without an SSL certificate as not secure.
By adding an SSL certificate, you build trust among your customers. If you are hosting your website with another host and are not ready to switch, you can purchase an SSL certificate from Nexcess. Otherwise, you get a free SSL certificate with all Nexcess hosting plans.
Choose PCI compliant hosting
Since most PCI-DSS requirements deal with data security, PCI compliance is highly dependent on the hosting provider. In other words, you should look for a PCI compliant web host.
While looking for a PCI compliant host, make sure that the web host offers:
Strong firewall – A robust firewall keeps malicious actors away from card payment data so that it remains secure. Make sure the host has network access controls in place that only allow relevant traffic to come into contact with sensitive data.
Malware scans – Your hosting plan should include automated malware scans to protect cardholder data. You should also have protection against bad bots, suspicious activity, and brute force attacks.
Secure network – Make sure you can trust the hosting provider to take care of security procedures, from regular software updates to custom code reviews.
Limited physical access – Hosting providers must follow a strict security policy whereby employees can only access sensitive areas when necessary. On top of that, the provider should have visitor logging, site-wide surveillance, and restricted access to network controls.
With Nexcess, you enjoy PCI compliant hosting on all hosting plans. We meet all the requirements on the hosting side so that you can do business without stress.
Implement a website security policy
According to Verizon, 82% of data breaches involved the human element. To ensure that your WooCommerce store does not suffer from data breaches caused by human error, you should implement a website security policy that protects you from the most common security flaws.
To get started, implement two-factor authentication (2FA). That way, even if a hacker obtains a username and password through a phishing attack, they won’t have the second factor needed to access your data.
On top of that, restrict access to sensitive data as needed by implementing an access control system. Not all employees should have access to all data.
Additionally, you can configure your WordPress website to send users a password change reminder every 90 days to protect their accounts.
Submit Compliance Documents
Once you have implemented the security protocols, you can report your compliance to the appropriate payment processing authority: your bank or payment gateway.
Typically, you report compliance by:
Submitting a Self-Assessment Questionnaire* – Level 2–4 merchants report their compliance by completing a Self-Assessment Questionnaire (SAQ). If you’re directing customers to the payment processor’s website, you’ll use SAQ A. If you’re using a service like Stripe to tokenize payment card data, you’ll use SAQ A-EP. If you process and store payment card data on your own web servers, you will use SAQ D for Merchants.
Getting quarterly network scans from Approved Scanning Vendors – You should get quarterly scans from an Approved Scanning Vendor (ASV) to check for external vulnerabilities. ASVs typically scan for faults, report them to you, help you fix them, and rescan before reporting compliance results.
Submitting an Attestation of Compliance – After you meet all the requirements, you typically submit an Attestation of Compliance (AOC) to declare that you are compliant with PCI-DSS requirements.
* Level 1 merchants require an external assessment by a Qualified Security Assessor (QSA).
In addition, you will also need to attach a copy of your hosting provider’s SAQ D.
Final Thoughts: A Business Owner’s Guide to Making WooCommerce PCI Compliant
PCI-DSS lists several requirements that you must meet to support different payment methods for your customers. However, with a PCI compliant host, you can tick most of the boxes and take care of only the limited responsibilities that remain on your side.
Check out Nexcess business hosting to enjoy 100% PCI compliance. And it doesn’t end with compliance. You also get 100% network uptime, daily backups, and more.
Explore our plans to get started today.