Reputation: 7579
I'd like to set up a Wordpress site and use WooCommerce. In terms of payment processors, I'd like to use either Authorize.net CIM or Stripe. At the top of each of those pages, it says that an SSL certificate is required, so based on that fact and the PCI-DSS Compliance article on the WooCommerce site, I assumed that PCI Compliance would be necessary. Is that correct?
If I do need to worry about PCI Compliance, what does that mean I need to do? I'm familiar with the 12 requirements, I just don't understand the practical implications for me.
Specifically, I understand that many of the PCI requirements are covered by the hosting provider. Other PCI requirements are covered by the coding. I don't really have to worry about either of those once it's set up. One thing I know I'll need to do, though, is enable SSL on the site. Is there anything else I am responsible for doing? For example, annually get my site scanned for PCI Compliance? Manage my store in a particular way?
Any info is more than welcome! Things are a bit vague for me regarding this and PCI Compliance.
Upvotes: 1
Views: 5789
Reputation: 1717
This is Stripe's response on an unofficial site:
Cristina Cordova, works at Stripe. Answered Aug 22, 2013
I work at Stripe. As others have mentioned, anyone accepting credit card payments must be PCI compliant. With many other service providers in the online payments space, becoming PCI compliant is a very complicated process requiring businesses to fill out lots of paperwork and work with several expensive third parties. With Stripe, it's easy:
1. Serve your payment page over SSL, i.e., the page's web address should begin with "https", not "http".
2. Use Stripe.js as the only means by which you accept payment information and transmit it directly to Stripe's servers.
By taking these steps, you completely avoid handling sensitive card data, and keep your systems out of PCI scope. Using SSL ensures that your pages are secure. Stripe.js makes it easy to collect credit card (and other similarly sensitive) details without having the information touch your server. Those details are sent directly to Stripe, which is a PCI Level 1 Service Provider. Assuming you've taken the steps above, Stripe can provide you with a completed Self Assessment Questionnaire, which details the means by which you're handling credit card data.
Stripe's official guidance on PCI compliance: https://stripe.com/docs/security
Upvotes: 4
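The two steps in the answer above only keep the server out of scope as long as card data really never reaches it. The common failure mode is a checkout form that falls back to posting the raw card fields when Stripe.js does not load or is bypassed. The following is an added example, not code from the original post, from Stripe, or from WooCommerce: a server-side guard for the checkout endpoint that accepts an opaque token reference and rejects anything that looks like a card number, plus a check that the request arrived over TLS. The field names in `FORBIDDEN_FIELDS`, the `stripeToken` parameter name, the `tok_` prefix used to recognise a token, and the `X-Forwarded-Proto` handling are assumptions for this illustration; adjust them to your own form and proxy setup.

```javascript
// Added example (not from the original post, Stripe or WooCommerce): a
// fail-closed scope guard for a checkout endpoint that is only supposed to
// receive a Stripe token. If raw card data shows up, the request is rejected
// rather than silently pulling the server into PCI scope.

// Luhn checksum, the check-digit algorithm used by card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// True if a value looks like a primary account number: 13-19 digits after
// stripping spaces and dashes, and Luhn-valid. Deliberately over-inclusive;
// a guard like this should err on the side of rejecting.
function looksLikePan(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) return false;
  return luhnValid(digits);
}

// Field names a card form would typically post if Stripe.js did not run.
// Assumed names for this example; match them to your own form's inputs.
const FORBIDDEN_FIELDS = /^(card(_?number)?|cc(_?num)?|cvc|cvv|exp(_?month|_?year|iry)?)$/i;

// The guard only needs a recognisable opaque reference. Assumption for this
// example: tokens are posted as `stripeToken` and begin with "tok_".
const TOKEN_RE = /^tok_[A-Za-z0-9]+$/;

// Returns { ok: true, token } or { ok: false, reason }. `body` is the parsed
// form or JSON payload of the checkout POST.
function validateCheckoutPayload(body) {
  for (const [name, value] of Object.entries(body)) {
    if (FORBIDDEN_FIELDS.test(name)) {
      return { ok: false, reason: `raw card field submitted: ${name}` };
    }
    if (looksLikePan(value)) {
      return { ok: false, reason: `value in field ${name} looks like a card number` };
    }
  }
  if (typeof body.stripeToken !== 'string' || !TOKEN_RE.test(body.stripeToken)) {
    return { ok: false, reason: 'missing or malformed stripeToken' };
  }
  return { ok: true, token: body.stripeToken };
}

// Step 1 of the answer: the payment page must be served over TLS. Behind a
// reverse proxy or load balancer the original scheme usually arrives in
// X-Forwarded-Proto (assumed here); `req.secure` covers a direct TLS listener.
function isHttpsRequest(req) {
  const proto = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return req.secure === true || proto === 'https';
}

// Constructed sample payloads (test data, not real card numbers).
const good = { stripeToken: 'tok_visa', amount: '1999', email: 'buyer@example.com' };
const leaked = { stripeToken: 'tok_visa', card_number: '4242 4242 4242 4242', amount: '1999' };
const hidden = { stripeToken: 'tok_visa', note: '4111111111111111' };

console.log(validateCheckoutPayload(good));    // ok: true, token: 'tok_visa'
console.log(validateCheckoutPayload(leaked));  // ok: false, raw card field
console.log(validateCheckoutPayload(hidden));  // ok: false, PAN-looking value
```

Wire `validateCheckoutPayload` and `isHttpsRequest` in front of whatever handler creates the charge, and log rejections: a burst of `raw card field submitted` entries means the client-side integration is broken and card numbers were being sent to your server, which is exactly the situation the answer's two steps are meant to prevent.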