
WooCommerce PCI Compliance

As we’ve built almost 30 payment gateway integrations for WooCommerce, PCI compliance is a popular topic that we’re asked about frequently. Questions about PCI compliance with WooCommerce typically go along these lines:

I’m concerned about PCI compliance with the {insert name} plugin. We have an SSL certificate and it sounds like that’s all that’s required. Does your plugin / {my payment processor} provide the rest of the secure environment or PCI compliance?

To understand why a payment gateway integration can’t achieve PCI compliance itself, you need to understand a bit about how they work. In fact, most of PCI compliance is not related to WooCommerce or WooCommerce extensions at all.

Here’s an explanation of how various payment gateways work in a WooCommerce store, as well as how the integrations fit into WooCommerce PCI compliance.

SSL Certificates

First, let’s start with a dialogue that usually happens, no matter what payment gateway integration you choose:

Do I need an SSL certificate?
Yes.

But wait, my gateway looks like it doesn’t need it to be compliant…
Get an SSL certificate anyway.

But I don’t have to use one to process payments!
Doesn’t matter. Get an SSL certificate.

It’s that simple. SSL certificates don’t just protect payment information: they also protect (a) other personal information, like emails and addresses, and, more importantly, (b) login credentials. We use them on almost every site for at least the login forms, regardless of whether it’s an eCommerce site or not.

They also have the added benefit of improving customer trust, which is kind of important. Here’s our overview of SSL certificates and where we buy them.

Basically, SSL certificates aren’t related to the PCI compliance question. Even though they’re only typically required for direct gateways, you should have one regardless of which payment processor you choose.

Types of Payment Gateways

To understand how payment gateways work, we’ll need to divide them into four different categories. The WooThemes marketplace includes a payment gateway category, which further categorizes these as direct, form, iframe, and off-site payment gateways, so we’ll use a similar grouping (with a couple of changes in terms of the form and iframed gateways).

The WooThemes marketplace categorization isn’t a bad place to start your research, though you should always double-check with the plugin author how the gateway actually works. For example, Chase Paymentech uses a secure, hosted pay page (which is iframed), but is not listed under the iframed gateways. Some gateways don’t have a sub-classification at all, so it’s important that you check this yourself.

If you’re curious to see where our payment gateways fall in these categories, you can check out this spreadsheet, which uses these types.

Let’s start with payment gateways that put the least amount of security burden on your site, then work our way towards others.

Off-site Gateways

Off-site gateways are the easiest to understand. They take the customer completely off your site to complete the payment for the order, and thus require no compliance on your part. Your store can be PCI compliant while using one of these gateway integrations, as no sensitive information touches your site or passes through your servers. The payment processor simply tells your site whether the transaction was successful or not.

PayPal Standard, which is bundled into WooCommerce core, is a stereotypical example of an off-site gateway, as customers complete the purchase at PayPal, then must be redirected back to your site after paying, ensuring that PayPal handles payment security for you.

The PayPal Express integration is another good example of an off-site gateway. While the customer “completes” the order on your site, all payment details are entered at PayPal, and the customer returns to your site with a “token” from PayPal that indicates to your site whether or not the customer has the funds or authorization to complete the transaction.

iFramed Gateways

iFramed gateways place a payment form on your site, but this form is actually hosted on another server, and is not served from your own site. The payment form is basically embedded from a secure source, but looks like it’s part of your site.

This means that customers remain on your site and checkout looks like it takes place on your site, but the payment form is hosted elsewhere.

These types of gateways can also help you achieve PCI compliance with WooCommerce, as the payment form isn’t sent through your servers, and is instead posted directly to your payment processor’s server, meaning they handle security in this situation as well.

Chase Paymentech and Authorize.net DPM are examples of iframed payment methods: the customer selects the payment method and is then taken to a payment page on your site. The form is served from Chase or Authorize.net while appearing to be part of your site, and the customer completes payment with this form.


Client-Side Direct Gateways

To be honest, I just made that name up, so FYI it’s not a real thing 😉 .

There are some payment gateway integrations that are technically “direct” gateways, meaning they keep the customer completely on your site during checkout, but they do one very important thing: they use client-side encryption to remove PCI issues. These integrations typically qualify for the lower SAQ level as part of a larger compliance program, as payment details technically do not touch your server.

This means that the payment information is encrypted in the browser before the payment information is sent through your server. Sensitive payment information is never passed from your site to your server or the payment processor, but instead a “token” or encrypted version is sent throughout the transaction process.

In order to be a client-side direct gateway, the payment processor must provide an SDK to developers to allow them to leverage client-side browser encryption for payment details, and this must be implemented to protect payment details. This means that, while payment takes place on your site and payment information is routed through your servers, this information is sufficiently protected before being sent to avoid PCI compliance responsibilities.

The two major gateways that have this capability are Braintree and Stripe, and both extensions from the official WooThemes marketplace leverage client-side encryption to increase security.

Direct Gateways

Direct gateways keep the customer completely on-site throughout the checkout process, and thus are the major concern in terms of PCI compliance. An example of a direct payment method is Authorize.net AIM, as credit card details are entered on your site’s checkout page.

These gateways are considered direct because customer payment information is routed through your site and servers to the payment processor, so these gateways always require an SSL certificate to be used, but this does not make the plugin or your setup PCI compliant.

To understand why, let’s see what a typical payment transaction looks like:

  • Customer enters payment details on your site and submits them to place the order
  • Payment details are posted from your site to your server: this is where your SSL certificate protects the details from being intercepted in transit, and is one of the two places the SSL certificate is involved
  • The transaction info must be sent from your server to the payment processor to check if it’s a valid payment
  • The payment processor returns whether this is valid or not
  • Your server tells your site the response (also protected by the SSL certificate)
  • The WooCommerce checkout is either completed or displays an error based on the response your server gets from the payment processor.

While having an SSL certificate is part of PCI compliance with this kind of payment gateway, compliance requires several other steps. For example, your server environment must also be PCI compliant if it’s passing payment details to the payment processor and getting responses back, and as the steps above show, your SSL certificate has no bearing on that part of the process.

Because WordPress and plugins like WooCommerce have no influence over your hosting environment, they can’t be PA-DSS certified, and indeed cannot be PCI compliant on their own. The same goes for direct payment gateway extensions for WooCommerce: PCI compliance depends more on your server than it does on your payment gateway plugin.

This kind of payment method provides the most seamless checkout experience for customers, but also places the highest burden on your site for security.

WooCommerce PCI Compliance Summary

With all of this said, most merchant accounts do not require 100% compliance of your server environment (some may charge an additional fee for this though), and almost any merchant account simply requires that you use an SSL certificate to protect the beginning and end of the transaction process. Most merchants we work with are only required to use an SSL certificate to protect most of the transaction process.

If your merchant account absolutely requires PCI compliance (of which there are several levels), you should look into integrations like off-site or iframed gateways, or you’ll need to look at your server environment as well as your site and payment gateway plugin to ensure they’re secure.

Again, here are the types for all SkyVerge payment gateways to help with your research 🙂 .


Cover photo credit: David Goehring, CC BY 2.0 license

5 Comments

  • Alessandro 2 years ago

    Great article, Beka!
    I’m very confused though about managing a checkout session entirely on my own. Which is why I’d like you to answer this for me: do I need an SSL cert for the default woocommerce PayPal gateway?
    By the way, the only thing I find correct is to manage a checkout session on my own only if it is worth it, I mean economically. And obviously it depends on the dimension of an ecommerce.

  • Amber 2 years ago

    Thanks for posting this Beka! It’s exactly the information I was looking for this morning to send to a client.

    This same client is looking at implementing your Elavon gateway. I’m not super familiar with this particular gateway and on the WooCommerce plugin page it says “An SSL certificate is required for PCI compliance”. Could you advise if this gateway falls under “Client Side Direct” or just “Direct”? I’m thinking it’s just “Direct” but just wanted to confirm. 🙂

    Cheers!

    • Beka Rice 2 years ago

      Yep, it’s direct 🙂 “Client-side direct” is pretty rare, our only one is Braintree. The spreadsheet at the bottom of the article has the type for every gateway we’ve built.

      • Amber 2 years ago

        Was that spreadsheet always there… How did I even miss seeing it. Doh! @_@

        Thanks for answering my question! 🙂
