PCI DSS (Payment Card Industry Data Security Standard) is the security framework that governs how businesses handle cardholder data. Most WooCommerce merchants know they’re supposed to be PCI compliant but aren’t entirely sure what that means in practice. This guide explains what PCI actually requires, what your payment processor takes off your plate, and how to minimize your compliance obligation without compromising security.
What PCI DSS Actually Requires
PCI DSS is a set of 12 requirements spanning network security, access control, monitoring, and data handling. The full standard runs to hundreds of pages. For most merchants, the relevant question is simpler: what is your Cardholder Data Environment (CDE), and what SAQ (Self-Assessment Questionnaire) do you need to complete?
PCI SAQ Types for Ecommerce Merchants
SAQ A (Most Common for Online Merchants)
Applies when: all cardholder data functions are outsourced to a PCI DSS-compliant third party, and your website doesn’t capture card data directly. This is the scope you achieve when you use an iframe-based embedded checkout or a redirect to a hosted payment page card data never passes through your server. SAQ A has only 22 requirements, most of which your hosting environment already satisfies.
How ConvesioPay achieves this: Card entry happens in a ConvesioPay-hosted iframe embedded in your WooCommerce checkout. The raw card number never reaches your server or WordPress installation.
SAQ A-EP
Applies when: you redirect to a hosted payment page AND your website scripts could be used to capture card data in transit. If your site has third-party JavaScript that could theoretically intercept the redirect, you fall here. More requirements than SAQ A but still far less than full compliance.
SAQ D (Most Complex)
Applies when: card data passes through your server in any way. If you ever touch raw card numbers, this applies, and it’s extensive. Merchants handling PAN data on their own servers typically need a Qualified Security Assessor (QSA) and annual assessment. This is the scope level you want to avoid entirely.
What Your Processor Handles vs. Your Responsibility
| Responsibility | Who Handles It |
|---|---|
| Card data encryption in transit | Payment processor (iframe/hosted checkout) |
| Cardholder data storage and tokenization | Payment processor (PCI-certified vault) |
| Physical security of processing infrastructure | Payment processor / data center |
| Your server and network security | You |
| Access controls to your WordPress admin | You |
| Annual SAQ completion | You (with processor support) |
| Security of third-party scripts on your site | You |
PCI Compliance Fees: What’s Legitimate vs. Padding
Many processors charge a separate annual PCI compliance fee ($99–$299). On the other hand, some processors include PCI compliance support in their standard service. ConvesioPay charges no separate PCI fee, compliance support is included in the flat-rate pricing of 2.9% + $0.30 per transaction, no monthly fees.
Practical Steps to Achieve SAQ A Compliance
- Confirm your payment integration uses an iframe or redirect (no card data on your server)
- Complete your processor’s SAQ A questionnaire annually
- Keep your WordPress installation, plugins, and themes updated (outdated software is the primary attack vector)
- Enable two-factor authentication on your WordPress admin and hosting control panel
- Ensure your hosting provider’s infrastructure meets PCI scope requirements
Ready to get started? Learn more about ConvesioPay or view pricing.