Support » Plugin: WooCommerce » PCI DSS security failure!

  • More than 3 months preparations, migration that has costed us fortune and now we are facing a choice of spending over £10k or finding another solution.

    I have read several articles including the one below:

    Then I have decided on convincing all my colleagues to move away from BigCommerce and Jigoshop. As soon as Security auditor heard WooCommerce it was the end of the conversation… PCI DSS will not approve software which is not supported by PCI DSS accredited company + software that comes from development company which had a breach on their website.

    Later I found this:

    If anyone thinks of using WooCommerce ask them for a PCI DSS SAQ D level certificate. Until they show you one, all the payment gateways which take payment on your website are in breach of PCI DSS. Complete waste of time and money!

    After losing fair bit of money we are moving our bigcommerce websites to Jigoshop, a decent software provider.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Mike Jolley


    Hi there,

    The PCI DSS SAQ D questionaire is specifically for merchants and service providers (such as web hosts). WooCommerce, the plugin, is neither.

    I found a fantastic quote which sums this up the answer to the question “is WC PCI compliant” (it’s talking about Open Cart, but the same applies to WooCommerce):

    Is Opencart PCI compliant? The answer to that question is… ‘the question doesn’t make sense’. To illustrate, you could also ask a similar question like ‘are dogs friendly?’. The question is too broad in the first place. A better question is ‘Can Opencart be part of a PCI compliant solution?’ The answer to that question is yes.

    WooCommerce *can* be part of a PCI compliant solution – PCI compliance has more to it that just the plugin. Same applies to any eCommerce plugin which you host yourself.

    This doc on the WooThemes site has more information, and goes into more detail about WooCommerce and PCI.

    And of course, if you want to avoid the hassle of PCI entirely, choose a different gateway or choose a gateway which guides you through the process. There are hundreds of choices.

    Good luck with your store anyway.

    Hi mikejolley,

    Your lack of understanding of PCI DSS is amazing!

    Quotes and links to official PCI DSS documentation below:

    In a document above, (“getting started with PCI DSS”) on page 1 you can find “PCI Data Security Standard Requirements” table. One of the points for merchants is:
    6. Develop and maintain secure systems and applications

    There are number of requirements that cover secure system and applications but the bottom line is: if you use a 3rd party software there is a chain of dependencies. Merchant has to confirm that the software developed by a third party is compliant with PCI DSS.
    In terms of PCI DSS SAQ D, you have provided incorrect information again as PCI DSS SAQ D applies to all the merchants that take payment on their websites and hence merchant has to be compliant with PCI DSS the chain of dependencies on a 3rd party software is required.

    Last but not least, I’m not sure whether it was a deliberate act of misinformation or yet another example of your understanding of PCI DSS, but your comment regarding being able to “to avoid the hassle of PCI entirely” is simply wrong. Even with payment gateways paypal standard or sagepay form integration merchant is still required to be compliant with PCI DSS SAQ A as per page 2 of the same document.
    Call sage and ask them what is “Simplified PCI DSS compliance” – and tell me if I’m wrong 😉

    In short WooCommerce representative, including yourself have no clue about security and therefore thousands of clients/websites are at risk!

    I have spent many hours on various conference calls, meetings and exchanging emails during our recent PCI DSS assessment + I have been reading a lot about those subjects. I’m confident that information which I have received and in turn published on this forum is accurate and it’s supported by official documentation from reliable sources.

    I have send a link to your response to our PCI DSS consultant… In response I have received: “Now you know why we won’t certify any website that runs on woocommerce”.

    Plugin Author Mike Jolley


    I think the doc I linked you too covers everything that needs to be said here ( Just because a plugin (or even WordPress itself) is not certified compliant, does not mean the site cannot certify compliant.

    In terms of PCI DSS SAQ D, you have provided incorrect information again as PCI DSS SAQ D applies to all the merchants

    I didn’t say it didn’t affect merchants. I stated that PCI DSS SAQ D is for merchants and service providers only. No need to twist my words.

    If your ‘consultant’ will certify WordPress based stores running other plugins, but not WC stores then that just crazy. They are all fundamentally the same, and all have the same problems to overcome during certification.


    p.s. Just for the record, PCI compliant != secure. WC has been subject to many security audits and it’s something taken seriously by WooThemes.

    Take a look at JigoShop’s response to #NortonAsp here:

    “I have been made aware of your recent comments on our competitor’s wordpress page and therefore I would rather prefer to answer your questions offline. However, I would like to bring to your attention the fact that your comments are not accurate.”

    I use Woocommerce and we are in the process of becoming PCI compliant. It’s based on the gateway and merchant more than the software. A 3rd party is required to evaluate your site in terms of security, much of which is standard in WP if you use a reliable host. Remember, PCI compliance is a set of “guidelines” not specific instructions – therefore it has to be evaluated despite which solution you use. You will note that the hosted services that offer PCI compliance do not let you have any control over the transaction (pages, processes et al) – this is because they don’t want to “evaluate” for each of their hosted stores.

    To be PCI compliance is not merely a gateway and merchant issue. For instance if you are on a shared hosting forget about being PCI compliant. Furthermore they are not guidelines but requirements! It also means even if your gateway or even if your hosting company is PCI compliant it doesn’t mean YOU are PCI compliant. It is a process which has to be followed by the person running the website as well.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘PCI DSS security failure!’ is closed to new replies.