What is PCI Compliance? In short, it ensures that sensitive data (cardholder data, i.e. credit card details) is never transmitted through or stored on unsecured systems, and that credit card data remains secure at all times.
This process involves maintaining the PCI Security Standards; whether and how you accept payments determines how much of this affects your organization. The Payment Card Industry Data Security Standard (PCI DSS) sets the minimum standards for cardholder data security; additional information is available on the PCI Security Standards Council site.
Tip: To keep this process from becoming very in-depth and time consuming, you can use a third-party payment processor. If you accept donations or payments on your WordPress site, this typically involves a plugin such as Gravity Forms, which provides a credit card field you can add to your forms. When using Gravity Forms to accept donations or payments, you must also use an add-on such as Stripe to process them. In other words, one piece of software adds the credit card section to your form (Gravity Forms), but you still need a separate “payment processor” service (Stripe) to actually transmit funds and perform the payment/sale part of the transaction; that part involves working with Stripe. Once you have created a form for donations or payments, you can integrate the Stripe credit card field for Gravity Forms to accept payments. Additionally, by using a service such as Stripe, you avoid many of the prerequisites and requirements of maintaining PCI compliance: responsibility for the card data shifts to the payment processor, the card data is collected and handled by the processor rather than by your site, and the processor is itself PCI-compliant and secure. *Refer to “Do I have to use Stripe as a payment processor?” below for additional information.
Please Note: All payment processors charge their own fees for processing your payments.
I have a list of issues or requested changes… what should I do now?
Review the issues and the changes they require to determine what you can change and fix yourself, and what is beyond your expertise because of complex wording or because it involves systems you cannot modify yourself (for example, website back-end code or hosting-related changes). You can use one of the provided self-assessment questionnaires to determine the level of PCI compliance required for the way you accept payments. Because there are different questionnaires for different payment methods, use the guide to find the correct questionnaire so you get the correct results.
From there, click the questionnaire letter (for example, click “A” to access Questionnaire A) and complete the questionnaire to perform the related self-assessment.
If you need further help completing the questionnaire, scroll to the bottom of that page and review the Instructions and the Document Library available there.
What should I do with scan results and how do I fix reported issues?
- Correct the issues listed in the scan results. This can involve fixing some issues yourself where possible, requesting assistance, or, if required, hiring a third party to help with PCI compliance.
*This is where things can become complex, i.e. who is responsible for fixing what. If something is over your head or does not make sense, stop and ask for additional information or assistance before making changes.
*Please Note: Some PCI compliance processes are very in-depth and may require review time and multiple changes, some of which may incur fees if we perform this type of work. We will notify you ahead of time if this is the case with your PCI compliance issues, so that you are apprised of the situation beforehand.
- Ensure all steps and compliance checklists are checked and completed, and that nothing is pending review or approval. Submit any outstanding reports and/or replies so nothing is overlooked.
- Follow up on all emails received so you don’t miss any pertinent reports or scan results, and fix any newly reported issues promptly.
Do I have to use Stripe as a payment processor?
No. There are various other off-site (i.e. hosted) solutions for accepting payments that meet and maintain PCI compliance. Given the variety of available platforms, we advise researching and choosing the payment platform that best suits your needs, as some have higher processing fees or less favourable terms and conditions.
Alternatively, if you wish to accept payments on your site itself, you must use a third-party payment processor that integrates with your site, and you should use Stripe combined with Gravity Forms. Why? Stripe is a third-party payment processor that can still be integrated with and displayed on your site, and it is the only payment processor North Star supports. Additionally, WPEngine, your hosting provider, has a specific stance on PCI compliance:
“Outsourcing your payment processing is the easiest path to meeting your PCI DSS requirements. It is also the only choice that is compatible with our Services.”
Resources
Additional Information related to PCI Compliance:
PCI Security Standards Council (Learn More Here)
Self-Assessment Questionnaire (Complete for More Helpful Information)
Related to What You Use and How You Use It:
WPEngine and PCI Compliance (WPEngine, Your Official Host)
Guide to PCI Compliance (Stripe, The Payment Processor)