NC Digital Limited

PCI Compliant Payments for your E-Commerce Store with WooCommerce Payments

11.06.22 07:21 AM By Neil Cole
PCI Compliant Payments for your e-commerce store

What is PCI Compliance and why does it matter?

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of rules that sets a baseline for consistent international data security around online payments, with the aim of reducing credit card fraud. The PCI-DSS standard has been developed by the PCI Security Standards Council and applies to anyone who stores, processes or transmits cardholder data.


PCI-DSS has 12 core requirements

Goal: Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Goal: Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update antivirus software or programs
  6. Develop and maintain secure systems and applications

Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

If you have an E-Commerce website, does this apply to you?

The answer is no. WooCommerce Payments takes care of PCI-DSS compliance. When you use a payment system such as WooCommerce Payments, Stripe or PayPal in your WooCommerce store, WooCommerce stores all of the data entered into the checkout fields (name, address etc.) except for the actual credit card fields (long card number, CVC, expiry date). Any of the fields dealing with sensitive payment information are stored on the payment processor's PCI-validated servers. For recurring payments, a token and API approach is used to securely process transactions against the card details held on the processor's servers, without your store ever having to directly see the cardholder details.


The key question is whether you store, process or transmit cardholder data. As this is all taken care of by WooCommerce Payments, all you need is to be aware of the standard and use a compliant payment processor.


WooCommerce provide a more detailed explanation of the process here.


If you would like help integrating WooCommerce Payments into your e-commerce store, or to discuss your e-commerce requirements more broadly, I can be contacted here.

Disclaimer: This information was correct at date of publication and does not constitute legal advice.  

Neil Cole