There’s a set of requirements called the Payment Card Industry Data Security Standard (or “PCI DSS”) and it was developed by the PCISSC – (the Payment Card Industry Security Standards Council)

These requirements are designed to provide a standardized set of consistent security measures for merchants to follow that are handling credit card transactions.

The standard includes 12 requirements for maintaining a secure operation:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
  • Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

For WordPress your E-commerce options are limited, and for a PCI Compliant shopping cart, they’re limited even further.

There is no way in a million years you should consider developing a new site using ANY shopping cart that is not willing to be compliant or in my (non legal) opinion, you’re setting yourself up for a lawsuit.

This list of WP shopping carts and their PCI compliance info will grow over time…

  1. Shopp – They are compliant, and they are willing to say so, partly why they are one of our current chosen platforms.
  2. Eshopp – We love this free plugin. By shifting all cardholder data entry onto Authorize.net, there are no compliance issues. Sweet!
  3. Cart 66 – They say they’re compliant right on their home page.
  4. PHP PurchaseThey say they’re compliant right on their home page.
  5. Cart 32 – They do claim compliance.
  6. Vevo CartThey DO claim to be compliant
  7. WooThemes – They offer various add-ons 

These carts are either Non Compliant or simply not addressed on their sites:

  1. WP Ecommerce – Although we HAVE tested and passed compliance once and found no issues,  they now seem to fail any test, so we’ve given up.  They offer no statement about compliance, either that we could ever find, even using Google to search their site
  2. WP Auctions –  No mention of PCI Compliance – check.
  3. WP eStoreNo mention of PCI but they use something called instant digital product delivery – check
  4. Shopper PressHas more than 20+ payment gateways, but not PCI compliant?  check
  5. Market ThemeNo mention of PCI Compliance – check.
  6. Word Press Shopping Cart Plug-inNo mention of PCI compliance – check.

In the comments below, please leave any links to compliance info for anyone you come across, and I’ll update this list. Likewise, if you have information about anyone that’s NOT compliant, that would be helpful too.

WP Ecommerce – What You Should Know

If you need to learn a lot about PCI compliance, this is pretty damn good…

[imaioVideo v=1]