WordPress Shopping Cart PCI Compliance

There’s a set of requirements called the Payment Card Industry Data Security Standard (or “PCI DSS”) and it was developed by the PCISSC – (the Payment Card Industry Security Standards Council)

These requirements are designed to provide a standardized set of consistent security measures for merchants to follow that are handling credit card transactions.

The standard includes 12 requirements for maintaining a secure operation:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

For WordPress your E-commerce options are limited, and for a PCI Compliant shopping cart, they’re limited even further.

There is no way in a million years you should consider developing a new site using ANY shopping cart that is not willing to be compliant or in my (non legal) opinion, you’re setting yourself up for a lawsuit.

This list of WP shopping carts and their PCI compliance info will grow over time…

  1. Shopp – They are compliant, and they are willing to say so, partly why they are one of our current chosen platforms.
  2. Eshopp – We love this free plugin. By shifting all cardholder data entry onto Authorize.net, there are no compliance issues. Sweet!
  3. Cart 66 – They say they’re compliant right on their home page.
  4. PHP PurchaseThey say they’re compliant right on their home page.
  5. Cart 32 – They do claim compliance.
  6. Vevo CartThey DO claim to be compliant
  7. WooThemes – They offer various add-ons 

These carts are either Non Compliant or simply not addressed on their sites:

  1. WP Ecommerce – Although we HAVE tested and passed compliance once and found no issues,  they now seem to fail any test, so we’ve given up.  They offer no statement about compliance, either that we could ever find, even using Google to search their site
  2. WP Auctions –  No mention of PCI Compliance – check.
  3. WP eStoreNo mention of PCI but they use something called instant digital product delivery – check
  4. Shopper PressHas more than 20+ payment gateways, but not PCI compliant?  check
  5. Market ThemeNo mention of PCI Compliance – check.
  6. Word Press Shopping Cart Plug-inNo mention of PCI compliance – check.

In the comments below, please leave any links to compliance info for anyone you come across, and I’ll update this list. Likewise, if you have information about anyone that’s NOT compliant, that would be helpful too.

WP Ecommerce – What You Should Know

If you need to learn a lot about PCI compliance, this is pretty damn good…

[imaioVideo v=1]

Scott Hendison

Scott is the CEO of Search Commander, Inc. the parent company of GetWPress. Scott is a founding board member of Search Engine Marketers of Portland (SEMpdx), and he writes here at GetWP and at his main site. Add Scott to a Google Plus Circle or follow him on Twitter to see what else he's up to.

34 thoughts on “WordPress Shopping Cart PCI Compliance

  1. Am I missing something here Scott? Out of the 12 requirements the only one I see that might actually apply to the cart would be “Requirement 4: Encrypt transmission of cardholder data across open, public networks.” All of the others either have to do with the hosting environment, or business practices. Even requirement 4 is only sort of about the cart since it’s possible to set up any page as https and other than that it’s about ssl.

    Love to get your thoughts on this.

  2. Nope, in my judgement, you are correct – 9 out of 10 times it’s probably going to be the webhost that causes a compliance test failure.

    However, its my opinion that the shopping cart software company, needs to have clearly stated compliance information – Is it compliant or not, and if not, why not? Otherwise, you might be barking at the moon trying to pass an unpassable test!

  3. Any updates about which WP shopping carts are now PCI compliant? I’d like to set up an ecommerce site on WP soon and only want to consider carts that have PCI compliance in place.

    (GREAT blog, Scott! Very glad to find it!)

  4. An increasing number of merchants and business owners view PCI compliance fees as little more than a new revenue stream for merchant processors. PCI Free provides PCI complaint processing solutions without the PCI compliance fee.

  5. After some further checking VEVO says they don’t have a WP plugin nor have an easy way of integrating right within WordPress.

  6. OK, even though this might be a fake blogspam comment, it’s relevant, and I feel this way myself! 😉

    I’ll check out your site…

  7. I’m embarrassed at the number of comments that I’d left pending/unanswered, this being one of them, I’m sorry. This list might be worth revisiting some of them to see if they’ve become compliant, but I was sort of hoping people would post here with their findings, or users of some of these products would comment.

  8. What is a small shop to do? How do we really know if our shop is compliant? If we’re using a payment gateway like Paypal, have SSL, and a reliable host service like Hostgator, what else can we do to protect ourselves and the customers?

    Also, I can’t post a comment on your site using Safari; it keeps telling me my math is wrong. I’m now posting on Firefox.

    I’ve been considering Cart66 for my shop because of it’s integration ability with iDevaffiliate; in my research of carts, I found that PHPurchase is now Cart66 (just passing along as fyi): http://www.phpurchase.com/phpurchase-is-now-cart66

  9. @ally if you’re using PayPal Standard and you’re not taking any of credit card information on your site you’re compliant. If you’re using PayPal Pro or you’re taking any credit card information through your site you need to find a compliant host. Hostgator servers are not PCI DSS compliant. You can get a vps or dedicated server from them and configure it to be PCI DSS compliant, this takes a few days to work through. You’ll then need to have the server audited by a verified vendor. The other option is to find a PCI DSS compliant host. Canvas Dreams is one such host. We’ve also configured and had our server audited at Dew Point Productions, but we only host our own clients.

  10. Thanks David –

    For most of our own sites we’ve just stopped processing the cards ourself and instead use the processors provided platform. That way it’s not “on us”
    to be compliant as the website, or as the web host, because PDXTC is not PCI compliant anyway! It’s good to hear that Canvas Dreams is, and we’ve recommended them for a while now too…

  11. Thanks Scott, David! To clarify, if I use Paypal Standard, it will not matter which host or cart I use in order to be PCI compliant?

    I’m a little stuck and not really sure how to figure things out. I have a social network for animal rescue; my online reach is great, I get about 5 million post view/month with 44.3 million since I began in April 9 (according to Facebook insights). So, I really want to get this right before I begin promotions. I am developing a small product line for pet owners and I really want to structure the site so that animal rescue groups can sign on as an affiliate to give them an easy way to raise funds for the pets they save from kill shelters.

    Here is a list of what I need:

    • cart easy enough for a non-tech person to set up (I’ve built a couple of WordPress sites)

    • cart compatible with iDevAffiliates

    • cart that allows for easy shipping label printing (no cut/paste involved); I keep seeing complaints online about Paypal’s print option being too buggy to feel it’s safe for ease of shipping. I’ve seen other sites like Stamp.com and the USPS has a shipping assist also.

    • cart with simple inventory low-count alerts (can give this one up if I have to cut something from this list)

    • compatible with iThemes Builder (because I’ve used it and know how to add video, etc.) video is important for my product pages

    I considered Gravity forms because it works with Paypal, but not sure it will work with iDevAffiliate. I will not have more than 5 products at launch. I’ve posted the shipping label question on WordPress Forums, but no reply yet. Just curious if either of you can point me to anything that will allow me to solve these issues and move on to site development. I’m trying to keep my overhead very low, so I can give a larger percentage to the animal rescue groups.

    Any advice?

    Thanks,
    ~alva

  12. Yes, with Paypal standard, you send the user to the Paypal website, getting rid of your responsibility…

    For all the features you mention, I THINK Shopp http://shopplugin.net/ will cover it, but I’m not positive about the ease of iDev integration

    Our WP shopping cart of choice for the longest time WAS to use WP-Ecommerce, but have since tried to get rid of it everywhere.

    Why are we dumping WP Ecommerce? These are all their unanswered issues and probably STILL unsanswered) for our processor – Authorize.net – hardly an obscure service…
    http://getshopped.org/forums/tags.php?tag=authorizenet

  13. Thanks Scott, I’m new to ecommerce, which I guess is pretty obvious. Can you tell me why folks use Authorize.net? Do they use it as a stand alone, or as an option with Paypal?

    I’ve been researching Shopp and Cart66 primarily; I saw one site where many people posted they could not get Shopp to work, and others that said the CS was very poor, even if the CS upgrade was purchased. If I go with Shopp and ran into problems, do you work on projects like that, or only sites you build in their entirety?

  14. It really is amazing how many people put up e-commerce sites and don’t think about security. One part of any online business’s customer service is making sure transactions are secure.

  15. @kevin there are no WordPress e-commerce platforms that have been validated by a Payment Application Qualified Security Assessor (PA-QSA). Thus no one could say with certainty if they are or aren’t.

    In order to determine if they are PCI compliant you’d need to look at the standards, we’ve listed them here http://dewpointproductions.com/pci-dss-compliance-wordpress-ecommerce/small-business-tips/ to figure this out.

    Probably more significant than whether or not WooCommerce is PCI compliant is whether or not your server / host is pci compliant.

  16. You created the software that makes good security fopr who get credited and deposited through internet. That give a great result as for hard work.
    So this software makes a great accomadation for net users,very thanks for that.

  17. @kevin,

    we have just developed a PCI compliant solution for WooCommerce (and Cart66). Mijireh Checkout.

    http://www.mijireh.com

    Your checkout process remains seamless to your customers while Mijireh Checkout securely handles the collecting and transmitting of the credit card data for you.

    There’s an extension for the WooCommerce plugin in the WordPress repository. http://wordpress.org/extend/plugins/woocommerce-mijireh/

    Cart66 (lite and pro) also has Mijireh Checkout baked in.

  18. I’m starting a webshop in the near future.
    I’m thinking of using Woo Commerce. But I’m not sure, which shopping system is the best. Can you help me? Or anyone else?

  19. @Lailas

    I’m a big fan of Cart66 and WooCommerce for the reason stated above… they have Mijireh integration. PCI compliance is a beast, and to have the online portion taken care of by the experts and still maintain your visual brand/consistency is a win-win.

  20. Very useful information. With the business getting online, there essentially needs to be a security in order to wean off any kind of hassles. As stated, Woo commerce and Cart 66 seem to be widely adopted.

  21. Nice explanation about Payment Card Industry Data Security Standard, I like to add some more information about it, networks must be constantly monitored and regularly tested to ensure that all security measures and processes are in place, are functioning properly, and are kept up-do-date.

  22. Its a very niche post, very informative. Please tell me If I am gonna start a new website then What are the requirements for integration of WooCommerce or Cart66 with my website? It will be very helpful for me.
    Thanks in advance.

  23. A very informative blog. With businesses getting online, this comes handy. This information gave an insight to the Payment Card Industry Data Security Standard. It requires incessant monitoring for a smooth functioning.

  24. Its worth reading this article, full of information.
    Can you please tell me one thing, Which payment gateway is best in security terms? I want to implement the best payment gateway for my e-commerce website and I don’t want to compromise with security for cardholders.

  25. Nice informative post. I used to with Paypal for every kind of online transactions.Soon I am going to launch my Facebook page for my designer accessories and does not aware much about payment shopping card.Your post help me lot thank you

  26. Very informative blog. Thanks for the same. I also have plans of starting a webshop. This article have given me the required information. In particular the different payment gateways are helpful to me. Thanks again.

  27. Very useful and narrative post. We are in era when , we intend to business online. Your post is well fitted for time and the readers to understand the Payment Card Industry Data Security Standard (PCI DSS) requirements. Thanks for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *