PayProof · WooCommerce
Taking cards means PCI DSS obligations. The safe path: never touch raw card data, use a compliant processor, serve everything over HTTPS, never store card numbers, and complete your SAQ.
WooCommerce is self-hosted, so almost nothing is handled for you — you own the stack, the data, and therefore the compliance. That's more control and more responsibility than a hosted marketplace.
This rule applies to WooCommerce sellers who accept credit or debit card payments. Accept card payments? Check that card data never touches your server and your checkout is locked down. Not sure? The free checker tells you in about a minute — no signup.
Whatever the platform handles, you still need to be able to answer "yes" to each of these — these are the points WooCommerce sellers most often get caught on:
⚠️ Exposure: card-network fines $5K–$100K/month (contractual) · Status: In force. On WooCommerce, that's on top of any account suspension for breaking platform policy.
On WooCommerce your PCI scope depends on the gateway: a hosted/iframe gateway (e.g. Stripe Checkout) keeps scope low, but capturing card data on your own server widens it sharply.
If you accept card payments, yes — every merchant must meet PCI DSS. Using a hosted/tokenized processor (Stripe, PayPal, Shopify) keeps you in the lightest scope (SAQ A).
Let a compliant processor handle card data via a hosted or tokenized checkout so raw card numbers never hit your server, serve everything over HTTPS, and never store card numbers or CVV.
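One way to check the "never store card numbers" point against your own stack: the added example below (not RuleGoose's or WooCommerce's code) scans server-side text such as a wp-content/debug.log excerpt or an order-meta export for Luhn-valid card numbers and reports them masked, so a stray PAN in logs or order notes shows up before an assessor finds it. The log lines are constructed; the hypothetical `card_number` and `_payment_card` field names are assumptions.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (so order ids and timestamps mostly drop out).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which every major card brand's PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like a PAN and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep at most first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines) -> List[Tuple[int, str]]:
    """Report (line_no, masked PAN) for every line that contains a card number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


# Constructed sample: line 1 leaks a test Visa PAN (a misconfigured gateway posting
# the form to the merchant's own server), line 4 shows a PAN saved in order meta.
SAMPLE_LOG = [
    "[30-Jun-2026 10:12:03 UTC] PHP Notice: checkout POST: card_number=4111 1111 1111 1111 cvv=123",
    "[30-Jun-2026 10:12:04 UTC] order_id=1000000000000012 status=processing gateway=stripe",
    "[30-Jun-2026 10:12:04 UTC] stripe token tok_1NxyzABC received, no PAN on server",
    "[30-Jun-2026 10:12:05 UTC] update_post_meta _payment_card=5555-5555-5555-4444",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: card number found {masked}")
```

Any finding means card data is reaching your server and your SAQ A assumption no longer holds; fix the integration and purge the stored values rather than just masking the log.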
A Self-Assessment Questionnaire — an annual attestation of your controls. The version (A / A-EP / D) depends on how your checkout integrates.
RuleGoose checks this against the PCI DSS v4.0 standard. Read it yourself: PCI Security Standards Council →
PCI DSS payment security is one of several rules a WooCommerce store has to meet. See the full WooCommerce compliance checklist →, or read the platform-neutral PCI DSS payment security guide.
Informational only, not legal advice, and not affiliated with the PCI SSC or WooCommerce. Last reviewed 2026-06-30.