Chykalophia Docs

PCI compliance, in plain English

What PCI compliance means for your WooCommerce store, why it matters, and what you actually need to do about it.

Tags: woocommerce, e-commerce, security, pci-compliance, beginner

PCI compliance sounds intimidating. In practice, if you use a reputable payment gateway, most of the hard work is already done for you. This guide explains what PCI means in plain terms and what your responsibilities are.

Quick summary

PCI DSS is a security standard for businesses that handle card payments. If you use Stripe, WooCommerce Payments, or PayPal for payments, you are not storing or processing card data yourself — they are. This dramatically reduces your compliance burden. Your main job is to keep your software updated, use HTTPS, and not store card data.

What is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. It's a set of security requirements created by the major card networks (Visa, Mastercard, Amex, etc.) for businesses that handle cardholder data.

The goal is simple: protect customers' card information from theft.

Does it apply to you?

If your store accepts card payments — yes, PCI DSS applies to you at some level. But the scope of your obligations depends on how card data flows.

There are different levels of PCI compliance based on transaction volume and how you handle cards. Most small WooCommerce stores qualify for the smallest scope, called SAQ A (Self-Assessment Questionnaire A).

Why modern payment gateways make this easy

When you use Stripe, WooCommerce Payments, or PayPal:

  • Your server never sees the card number. The payment form sends card details directly to the gateway's secure servers.
  • You never store card data. Stripe and PayPal store it for you, on their PCI-compliant infrastructure.
  • The heavy compliance burden falls on them, not you.

This approach is known as "iframe-based" (or hosted) checkout, and it is what qualifies a store for SAQ A, the simplest level of PCI compliance.

Your responsibilities

Even in the simplest setup, you still have responsibilities:

Responsibility: what to do

  • Use HTTPS: Your site must use SSL/HTTPS — especially on checkout pages. Required.
  • Keep software updated: WordPress, WooCommerce, themes, and plugins must be current. Outdated software is the top vulnerability.
  • Strong passwords + 2FA: Secure admin access to WordPress, hosting, and payment accounts.
  • Don't store card data: Never save card numbers in order notes, emails, spreadsheets, or anywhere else.
  • Use reputable payment gateways: Stick to well-known, PCI-compliant processors (Stripe, PayPal, Square).
  • Monitor for breaches: A security plugin can alert you to suspicious activity.

Never collect card numbers yourself

Never create a form asking customers to type their credit card number into a text field you control. Never accept card numbers by email, message, or phone and enter them into WooCommerce. Always direct customers to the official payment form on your checkout page.
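A practical way to check that card numbers have not slipped into order notes or other free-text fields is to scan them for digit runs that look like a card number and pass the Luhn check. The script below is an added example, not Chykalophia's or WooCommerce's code; the order notes are constructed, and the card numbers in them are public test numbers, never real cards.

```python
import re

# Constructed sample order notes. The two 16-digit numbers are well-known
# public test card numbers that pass the Luhn check; nothing here is real data.
SAMPLE_NOTES = [
    "Customer called, paid by phone: 4242 4242 4242 4242 exp 12/27",
    "Order #1043 shipped via UPS, tracking 1Z999AA10123456784",
    "Refund ref 5555-5555-5555-4444 processed",
    "Phone 555-0123-4567, no card data here",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every digit run in text that has card-number length and a valid Luhn check."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the last four digits so the report itself does not store card data."""
    return "*" * (len(pan) - 4) + pan[-4:]


def scan_notes(notes: list[str]) -> list[tuple[int, str]]:
    """Return (note index, masked number) for each likely card number found."""
    return [(idx, mask(pan)) for idx, note in enumerate(notes) for pan in find_pans(note)]


if __name__ == "__main__":
    for idx, masked in scan_notes(SAMPLE_NOTES):
        print(f"note {idx}: possible card number {masked}")
```

Tracking numbers and phone numbers are skipped because they are too short or fail the checksum; anything reported should be removed from the note and the customer redirected to the checkout form.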

Self-assessment questionnaire (SAQ)

Your payment processor may ask you to fill out a self-assessment questionnaire each year to confirm your compliance level. With a gateway like Stripe or PayPal handling card data:

  • The applicable questionnaire is usually SAQ A, which is short and straightforward.
  • Some processors provide their own compliance portal where you complete this online.

Check your payment gateway's documentation or compliance dashboard for specifics.

What we do to keep you compliant

When we build and maintain your store, we:

  • Configure payment gateways to use the most secure (SAQ A) integration method.
  • Ensure HTTPS is active and properly configured.
  • Keep your core software updated.
  • Do not install plugins that would store card data.

If you ever have concerns about compliance, reach out and we'll review your setup.

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
