Is Your WordPress Site PCI Compliant?

December 1, 2015 in SiteLock News

With holiday shopping in full swing, WordPress websites that accept credit cards are busier than ever. Lots of business is great. Not being PCI compliant is bad.

PCI compliance is required by all the major credit card companies. If your website is not PCI compliant, you risk penalties, lost revenue, the inability to accept credit card payments in the future and, in the worst case, an increased risk of cardholder data exposure.

The PCI Data Security Standard, or PCI DSS for short, is a checklist of baseline security practices to help protect cardholder data and any technology that has access to, or connects to, the computers or networks that contain, process or transmit the data. The latest version of the DSS as of this writing is 3.1, and it contains 12 requirements within six broader categories.

  • Build and Maintain a Secure Network and Systems
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

The standard is technology agnostic. It provides best security practices to protect cardholder data. That means the PCI DSS applies the same to WordPress websites as it does to other platforms.

How much of the standard applies is up to the website owner. If the website uses shared hosting and a third party gateway to process payments, much of PCI DSS may be out of scope. If the website is self-hosted and accepts cardholder data, the entire standard may apply.

Some WordPress websites with e-commerce use off-the-shelf plugins that use PCI-compliant third-party gateways to accept and process credit card transactions. This takes the website out of scope of the standard as the payment gateway handles compliance. If credit cards are accepted on the WordPress website, even if a third-party gateway is used, it’s advisable to become PCI compliant. Compliance provides a proper assessment of e-commerce practices, a strong foundation for website security and peace of mind for customers.

Regardless of gateway used, payment processors may mandate PCI compliance. Here are a few tips to help secure your WordPress website and help bring it closer to compliance.

  • Configure SSL for the site — SSL is essential for e-commerce, for the security of customer data and the customer’s peace of mind.
  • Control administrative user access — Tightly control who has admin access to the website and make sure they…
  • Use strong passwords — Configure all users with strong, non-dictionary passwords and change them at regular intervals.
  • Keep everything up-to-date — Always keep WordPress, plugins and themes up-to-date with the latest versions.
  • Maintain the site — Remove unnecessary users and plugins and keep development code and backups off of the production site.
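Two of these tips can be checked mechanically. The following is an added example, not SiteLock's code: it scans a web root for backup and development leftovers and checks whether `wp-config.php` has an active `FORCE_SSL_ADMIN` define (which covers only the login and admin screens, not the whole site). The suffix and directory lists, the function names and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed indicators of backups and development leftovers; extend for your site.
LEFTOVER_SUFFIXES = {".sql", ".bak", ".old", ".orig", ".swp", ".zip", ".tar", ".gz", ".tgz"}
LEFTOVER_DIRS = {".git", ".svn", "node_modules"}
FORCE_SSL = re.compile(r"define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)", re.I)

def find_leftovers(docroot):
    """Return sorted relative paths of backup/dev artifacts under the web root."""
    root, hits = Path(docroot), set()
    for path in root.rglob("*"):
        rel = path.relative_to(root)
        vcs = [i for i, part in enumerate(rel.parts) if part in LEFTOVER_DIRS]
        if vcs:  # report the directory once, not every file inside it
            hits.add(Path(*rel.parts[: vcs[0] + 1]).as_posix() + "/")
        elif path.is_file() and path.suffix.lower() in LEFTOVER_SUFFIXES:
            hits.add(rel.as_posix())
    return sorted(hits)

def forces_ssl_admin(docroot):
    """True if wp-config.php has an active (uncommented) FORCE_SSL_ADMIN define."""
    config = Path(docroot) / "wp-config.php"
    if not config.is_file():
        return False
    text = config.read_text(encoding="utf-8", errors="replace")
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop block comments
    text = re.sub(r"(?m)^\s*(//|#).*$", "", text)       # drop whole-line comments
    return bool(FORCE_SSL.search(text))

def build_sample_site(root):
    """Constructed sample tree: SSL define commented out, leftovers present."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n")
    (root / "wp-config.php").write_text("<?php\n// define('FORCE_SSL_ADMIN', true);\n")
    (root / "wp-config.php.bak").write_text("<?php\n")
    (root / "wp-content" / "uploads" / "db-dump.sql").write_text("-- dump\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        print("FORCE_SSL_ADMIN active:", forces_ssl_admin(site))
        for item in find_leftovers(site):
            print("remove from production:", item)
```

Point `find_leftovers` and `forces_ssl_admin` at the real document root to audit a live install; anything reported should be moved outside the web root or deleted.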

Providing your customers a worry-free holiday shopping experience is the main objective for any WordPress e-commerce website. To ensure you are meeting PCI requirements contact SiteLock at 855-759-1108 for a free consultation.
