WordPress.com, Commerce Plan, and PCI Compliance & Certified Information

  • 10 years ago, this question was raised in this thread:
    https://wordpress.com/forums/topic/is-wordpresscom-and-its-ecommerce-offerings-pci-compliant/?replies=3#post-2370813

    The end result was WordPress.com updating its support doc with PCI DSS compliance info. That update has since been lost.

    I’m looking for a published official statement from WordPress.com that the hosting it provides for its (eCommerce)/Commerce Plan is PCI certified, and to what degree. I’m also looking for official documentation on PCI regarding the Commerce Plan with info about the level of compliance you support and what parts of your Commerce Plan plugin and feature list are compliant.


  • Hi there @shoptasteny, I’ve gone ahead and tagged your thread for staff input. Thanks for your patience while they get back to you.

  • Hi @shoptasteny – I just wanted to let you know I’m checking in with our payments team on this one so I can make sure I get you an accurate and correct answer ;)

  • Hi @shoptasteny – thanks for your patience. None of our hosting/services on WordPress.com are validated as PCI compliant themselves.

    But if you’re thinking of the compliance of setting up your own store – I can recommend checking out this guidance:
    https://woocommerce.com/document/pci-dss-compliance-and-woocommerce/

  • Thank you for your reply. I have already reviewed this guidance, and as you can see the WooCommerce document states: You should choose “a secure, PCI-aware hosting provider.” This site lists WordPress.com as one of those recommendations.

    While WordPress.com is not validated as PCI compliant at this time, can you offer any information that backs this claim by WooCommerce? How is WordPress.com secure enough as a host/service to be able to support a PCI compliant WooCommerce store?

  • I think there’s some confusion here. PCI compliance is the responsibility of the card processor, not the site-hosting provider.

    E-commerce sites don’t typically handle customer card data directly.

    Shopify’s payment service is run on Stripe, and WooCommerce itself doesn’t process payments but integrates with various payment gateways, such as Stripe, PayPal, Square, and WooPayments (powered by Stripe).

    Compliance with PCI would only apply to a self-hosted site with a custom-made (i.e., you code it) checkout process, in which you directly handle customer card data.

    For example, you might have a form on your site in which customers can place orders, and you fill it at a later date. The customer adds their billing information and card number. Later, you manually charge their card, using a payment terminal, and ship the item to your customer.

    In the above scenario, you yourself are acting as a handler of card data, and so the PCI compliance rules apply to you.

    You’ll sometimes find that level of control available through WordPress.org self-hosted sites.

    With WordPress.com-hosted sites, customer transactions are handled by a 3rd party.

    If you use any of the available plugins or payment blocks for e-commerce, customer transactions are handled by an independent PCI-compliant 3rd party and not the site-hosting provider (WordPress.com).

    Help documents reference Stripe as the payment processor for the Payments Block; however, you could direct customers to PayPal or a similar processor instead.

    On my own site, for a portion of digital product sales, I use Payhip as my processor. I haven’t had any interaction with my customers’ card data. The responsibility to protect customer card data falls on the 3rd party, in my case, Payhip.
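The distinction drawn in the reply above, whether your own server ever receives card data or only a token handed back by a PCI-compliant processor, can be checked rather than assumed. The following Python script is an added example and is not code from this thread, from WordPress.com or from WooCommerce: it scans checkout request bodies (constructed samples, not real traffic, with made-up field names) for primary account numbers using a Luhn check, which is the kind of evidence you would want before asserting that a hosted-field/iframe integration keeps PANs off your server and that SAQ A rather than SAQ A-EP or SAQ D applies. Running the same scan over real request logs or form-handler inputs is the practical version of "I haven’t had any interaction with my customers’ card data".

```python
import re

# Constructed sample request bodies, as a merchant's form handler might log them.
# Field names and values are invented for illustration; the card numbers are the
# well-known public test numbers, not real accounts.
SAMPLE_REQUESTS = {
    # A self-built checkout form that posts the card number to your own server:
    # this server is now handling cardholder data.
    "direct_form": "name=Jane+Doe&card_number=4111111111111111&exp=12%2F27&cvv=123&amount=4999",
    # Same problem in a JSON body with a space-separated 15-digit number.
    "spaced_amex": '{"customer":"Jane","card":"3782 822463 10005","amount":1200}',
    # Hosted-field / iframe integration: the processor collected the card in its
    # own frame and your server only ever sees an opaque token.
    "tokenized": "name=Jane+Doe&payment_token=tok_1AbCdEfGhIjKlMnOpQrSt&amount=4999",
    # A long numeric order id that looks like a PAN but fails the Luhn check.
    "lookalike": "order_id=4111111111111112&note=lookalike+number",
}

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the normalised (separator-free) PANs found in a request body."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def touches_cardholder_data(body: str) -> bool:
    """True if this request body would put the receiving server in PCI scope."""
    return bool(find_pans(body))


def scope_report(requests: dict) -> dict:
    """Map each sample name to whether the server handling it sees a PAN."""
    return {name: touches_cardholder_data(body) for name, body in requests.items()}


if __name__ == "__main__":
    for name, in_scope in scope_report(SAMPLE_REQUESTS).items():
        masked = [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in find_pans(SAMPLE_REQUESTS[name])]
        print(f"{name:12s} cardholder data seen: {in_scope}  {masked}")
```

The regex is deliberately strict about digit-run boundaries and the Luhn check filters most numeric identifiers, but a scan like this is a scoping aid, not proof of absence: card data can also arrive in headers, uploaded files or error logs, so point it at every place the checkout can write.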

  • You are correct. We are using Squarespace’s payment gateway as our PCI-compliant 3rd party. As far as I’ve learned, these gateways are iframes, so at most a WooCommerce store would need to fill out SAQ-A and not SAQ A-EP, due to what you explained.

    However, in my research, the hosting provider on which any WooCommerce site is running needs to be secure. If, for a very crude and simplified example, the server were missing crucial security updates, a site’s checkout page could become compromised.

    I have no doubt that WordPress.com maintains a secure hosting platform. But if I needed to refer to how secure it is in a PCI compliant context, I am not sure what documentation I can refer to.

  • *Square, not Squarespace.

  • Since they deleted the previous documentation and don’t appear to have replaced it, you may need to create your own document.

    WordPress provides several security controls to prevent issues from occurring and handle odd situations.

    https://wordpress.com/support/security/

    You can use any of the bullet points from the above link in your document. You may also want to contact WooCommerce support and ask for a copy of their Attestation of Compliance.

    https://woocommerce.com/my-account/contact-support/
