PCI DSS is a set of security standards that protect credit card data. If you accept card payments on your WordPress.com site, these standards apply to you, and this guide covers the steps to help meet them.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards designed by the Payment Card Industry Security Standards Council (PCI SSC) to protect credit card data during and after transactions. If your site accepts credit card payments, these standards apply to you.
For more information about PCI DSS, review the PCI DSS Quick Reference Guide.
The payments infrastructure on WordPress.com—the system we use to process subscription fees and plan purchases—meets PCI DSS requirements.
However, hosting your site on WordPress.com does not automatically make your site PCI compliant.
PCI DSS compliance is assessed per merchant, not per hosting environment. If you accept payments on your site, you are the merchant of record, and your compliance depends on how you implement and manage payments.
If you accept credit card payments on your WordPress.com site, take these steps to help meet PCI DSS requirements:
- Use a PCI-compliant payment gateway that handles card data off-site, so card numbers never pass through your site.
- Never store credit card data like card numbers, CVV codes, or expiration dates on your site.
- Keep your plugins and themes updated to patch security vulnerabilities.
- Use strong passwords and enable two-step authentication.
- Limit administrator access and assign user roles based on what each person needs.
A PCI-compliant gateway processes card data off-site, so card numbers never pass through your site. The payment blocks built into WordPress.com—including the Payments block, Pay with PayPal block, and Paid Content block—are PCI compliant, because they use Stripe or PayPal to process payments directly. If you run a WooCommerce store, WooPayments is also PCI compliant.
If you use a different gateway with your WooCommerce store—such as a third-party Stripe, Square, or Authorize.net extension—confirm directly with that provider that it is PCI compliant before you accept payments. WordPress.com does not verify the compliance of third-party gateways, and a non-compliant gateway leaves your customers’ card data at risk.
Most small merchants validate PCI DSS compliance by completing a Self-Assessment Questionnaire (SAQ). An SAQ is a set of security requirements you complete and keep on file to document your compliance, and your payment processor or bank may ask you for it.
The questionnaire that applies to you depends on how you accept payments. To find the right one and complete it, see the PCI SSC Self-Assessment Questionnaire page.