WooCommerce is an incredible eCommerce platform for WordPress because it’s open-source – offering flexibility for it to fit any website’s needs. But how secure is it? Does it meet the standards for PCI compliance? We have everything you need to know on this topic.
Is WooCommerce PCI Compliant?
WooCommerce is not completely PCI-DSS compliant out of the box but it can be configured to be compliant with the help of the right plugin or a knowledgeable developer. Ultimately, it’s up to each website manager using WooCommerce to ensure their site is configured to be PCI compliant.
Do you want to make sure that your customer data is safe and protected?
Below we’ll walk you through how to make your Woocommerce store PCI Compliant and meet security standards.
What is PCI Compliance?
PCI is short for PCI-DSS. This abbreviation is for Payment Card Industry Data Security Standard. Just as the name implies, these are security standards set to protect customers credit card information when paying online. These rules were defined by the Payment Card Industry Security Standards Council and help protect cardholder data as well as merchant accounts. If you are PCI compliant, then you are considered an “approved scanning vendor.”
If you will be using, storing or processing credit card data on your site, you should be aware of these PCI compliance standards and how they work with WooCommerce.
The Following are the 12 core PCI-DSS requirements:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
Do I Have to Be PCI Compliant?
If your website is transmitting credit card payments; then yes, you need to be PCI-DSS compliant.
However, this is becoming less common as most online stores now use third-party payment gateways which handle the sensitive cardholder data for you (like PayPal and Stripe). In this case, your customer’s browser connects directly with the payment processor’s servers. Your site never has to handle the cardholder data, so you don’t need to take steps to comply.
That being said, even if you use a payment processor like Stripe, WooCommerce does still store sensitive customer details like their address, phone number, and email address. To keep these customer details safe, it’s best to follow the steps outlined below to achieve compliance and general information security.
How Secure is WooCommerce?
While some of the 12 core PCI requirements are beyond the scope of the WooCommerce software, there are some requirements that have already been addressed by WooCommerce developers. Just keep in mind these alone are not enough to meet all the PCI-DSS requirements.
The following PCI compliance requirements are addressed by WooCommerce:
Requirement #3: Protecting Stored Card Information
While WooCommerce may not protect stored credit card information, it’s designed not to store that information in the first place! If a payment method is saved for future use, only four digits of the card number are stored. Keep in mind, some third-party plugins that integrate with WooCommerce might store cardholder data. We are only speaking for the native WooCommerce applications.
Requirement #4: Security with SSL
If you accept online payments on your site, then a valid SSL certificate is required. This ensures that any information your customers enter into your website is encrypted before it’s transmitted. This reduces credit card fraud and makes your website more secure. Plus, you get an SEO boost for having an SSL certificate.
You can set WooCommerce to enforce the SSL requirement on its checkout pages. This is another way that WooCommerce helps with PCI compliance standards. However, you will need to check with your web hosting provider to see if they can provide the SSL certificate.
Requirement #7: The WordPress Login System
The WordPress login system is a handy feature to assist with PCI-DSS compliance by allowing different levels of access for users. Instead of giving your whole team access to all your customer details, you can set different user roles, so your blog post author can edit and create posts but can’t view your WooCommerce customer details. This “need-to-know only” setup, when used properly, ensures you stay in compliance.
What Else Does WooCommerce Need to be PCI Compliant?
Now that you know and understand how WooCommerce helps your WordPress site comply with the PCI standards, it’s time to create a checklist of the additional steps that may be necessary to keep your customer’s sensitive data safe and secure.
Requirement #1: Establish and Maintain a Firewall
Without a website application firewall (or WAF), a malicious bot could infect your WordPress site and steal your customers’ sensitive data. Having a firewall not only helps ensure the safety of your customers’ personal information, but also keeps your whole site secure from digital attacks. In order to achieve successful WooCommerce PCI-compliance, the firewall should not only be established, but also maintained on a routine basis.
There are several website firewall providers, but some are more effective than others. We recommend our Professional UpKeep Service Plan to all our clients, which includes a corporate-grade website firewall at a very affordable cost.
Requirement #2: Secure Passwords
Make sure that you are using passwords that are not easily guessed, and please do not use the default passwords. Strong passwords have a mixture of capital letters, lowercase letters, numbers, and symbols. It is generally recommended that most passwords are longer than eight characters because the longer a password is, the harder it is to guess through brute-force attacks. WordPress does help with PCI compliance by having a password strength indicator built in. This will allow you to see if your password is strong enough. That said, it doesn’t require a strong password unless you set it to do so.
Going NEXT-LEVEL: Enable Two-Factor Authentication
Going beyond strong passwords is two-factor authentication (2FA). Have you ever used your smartphone to receive a code for identity verification? That’s two-factor authentication. While it can certainly seem like a pain sometimes, two-factor authentication helps protect you and your customers. It also helps you become more PCI compliant. WooCommerce doesn’t include 2FA out-of-the-box, but here is a plugin for WooCommerce which adds two-factor authentication. This was not created by WooCommerce, but it was created to be used within WordPress. There are several other plugins available for two-factor authentication, such as RapID Secure Login and UNLOQ.
Requirement #5: Get Virus Protection
WooCommerce doesn’t have built-in virus protection, so this requirement is the responsibility of the website owner. Having virus protection for WooCommerce and WordPress is just as important as having virus protection on your computer. There are some free tools for anti-virus and malware protection, but for all our clients who are serious about website security, we recommend our WordPress Security Services.
Requirement #6: Keep Your Website Up-to-Date
Any and all third-party plugins and themes that you have installed on your WordPress site must be kept up-to-date. Hackers are always finding vulnerabilities in site software that can be used to gain admin access to your site and, thus, your customers’ information. Software updates include security patches that are vital to keeping your customers’ information safe and secure.
Requirement #8: Track Every User Who has Computer Access
PCI compliance requirements state that everyone with computer access must have a unique ID. Since this is not an option available with WooCommerce, you should work with your website, network administrator or hosting provider to make sure that all users are logged and their actions can be tracked. Additionally, restrict access to only those who must use it. This ensures that the correct person is held accountable for their actions should something go wrong.
Is Maintaining PCI Compliance for WooCommerce Too Much for You?
Here at Hog the Web, we have a dedicated team who will ensure that your website is safe, you maintain a secure network, and you reach PCI compliance. We have different plan options depending on your budget. Our services include SSL implementation, an anti-hacker firewall (WAF) and daily scans for malware and vulnerabilities, as well as proactive software updates and testing. Want to learn more? Contact us today!