The Payment Card Industry Data Security Standards (PCI-DSS or PCI for short) designates security standards to protect cardholders’ credit card data. That means, entities that store, process or transmit credit card information are expected to be compliant to the standards in the Payment Card Industry Data Security Standards.
Staying compliant with PCI
The Payment Card Industry Security Standards Council sets forth security standards to protect credit card data called the Payment Card Industry Data Security Standards (PCI-DSS or PCI for short). That means, entities that transmit, process or store credit card information are expected to abide by PCI.
You can use hosting to setup your online presence and product catalog. You can then work with a third-party provider to process payments on your behalf to keep credit cards off your server (e.g., PayPal Checkout, Square Online Checkout and Stripe Checkout). Make sure you’re aware of any additional requirements to keep your business PCI compliant.
If you prefer to accept payments directly on your site, we offer PCI-certified products like our Managed WordPress Ecommerce Hosting, Online Store, and Online Appointments. PCI compliance is a joint effort. So, when you use one of our PCI-certified solutions, we design our processes and systems to protect your customer’s credit card information and need you to protect your account.
Online Store and Online Appointments
Payments through Online Store and Online Appointments are integrated with third parties that process credit card information in their secured environments. These products use a small amount of code on your website to enable your customers to enter credit card information directly on the site. This enables you to achieve PCI compliance by taking a few steps to protect your account:
- User Management
- Always assign users a unique ID and use strong passwords.
- Don’t use group, shared or generic IDs or passwords.
- Remove users when they should no longer have access.
- Paper (non-digital) Records
- If you collect credit card information on paper, make sure to control access to the information and destroy it when it’s no longer needed.
- Service Provider Compliance
- If you use services to manage paper records or manage your account, make sure the service provider has acknowledged their responsibility for safely handling credit card data and you’re confident they’re fulfilling their obligations.
- Incident Response Plan
- Make sure you have a list of who you need to reach out to and how you will handle customer communication in the event of a data breach.
- Submit PCI Self-Assessment Questionnaire A (PCI SAQ-A) with your processor (Stripe, Square or PayPal).
Note: If you accept payments over the phone, you may be subject to additional requirements to secure your phone systems and computers used by your call center agents.
Managed WordPress with WooCommerce
Payments through Managed WordPress can be implemented via the WooCommerce plugin, which integrates with third parties to process credit cards in their secured environments. This uses a small amount of code on your website to enable your customers to enter credit card information directly on the site. Since you control the plug-ins installed in your account, there are a few additional steps to achieve PCI compliance:
- Payment Implementation
- Only install the WooCommerce plug-in for payments. While other payment plug-ins may be available, we only certify the WooCommerce plug-in.
- Don’t add any functionality or code that will handle credit card information. We cannot certify any custom payment process added to a server.
- Keep your plug-ins updated (process updates within 30 days).
- User Management
- Always assign users a unique ID and use strong passwords.
- Don’t use group, shared or generic IDs or passwords.
- Remove users when they should no longer have access.
- Paper (non-digital) Records
- If you collect credit card information on paper, make sure to control access to the information and destroy it when it’s no longer needed.
- Service Provider Compliance
- If you use services to manage paper records or manage your account, make sure the service provider has acknowledged their responsibility for safely handling credit card data and you’re confident they’re fulfilling their obligations.
- Incident Response Plan
- Make sure you have a list of who you need to reach out to and how you will handle customer communication in the event of a data breach.
- Submit PCI Self-Assessment Questionnaire A (PCI SAQ-A) with your processor (WooCommerce Payments, Stripe, PayPal, Square, Klarna or PayFast).