PCI DSS (Payment Card Industry Data Security Standard) applies to any business that processes, stores, or transmits cardholder data. Even if you use a hosted payment gateway like Stripe or PayPal, your hosting environment is still within PCI scope because it serves the pages that lead to payment.
The hosting-specific requirements include: encryption of data in transit (TLS 1.2+) and at rest, network segmentation between environments, access logging and audit trails, regular vulnerability scanning, and secure default configurations. See our guide on SSL, TLS, and HTTPS for encryption details.
Where your WooCommerce store sits in PCI scope
Most WooCommerce stores use SAQ A-EP (Self-Assessment Questionnaire A-EP), which applies when payment processing is outsourced but your website controls the checkout experience. This means your server never touches card numbers, but it must still meet specific security requirements.
Stores using a fully redirected payment flow (Stripe Hosted Checkout, PayPal Standard) may qualify for the simpler SAQ A. Stores that accept card numbers directly on their own checkout page are in SAQ D territory with significantly more extensive requirements — most WooCommerce stores should avoid this path by using integrated gateways that keep card data off their servers.
Common compliance gaps in hosting environments
The most frequent issues found during PCI assessments of WordPress hosting environments are: unpatched server software, missing or misconfigured web application firewalls, inadequate access controls (shared admin credentials, no MFA on server access), missing or incomplete access logs, and failure to implement file integrity monitoring. Each is a documented control failure under PCI DSS and each is straightforward to address at the infrastructure level.
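File integrity monitoring is the last gap listed above, so here is an added example (not the hosting provider's tooling) of the baseline-and-compare logic a FIM control needs: hash every file under a WordPress document root, then report files added, removed, or modified since the baseline. The ignore list and the mini docroot it builds are constructed assumptions for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories that change legitimately during normal operation (media uploads,
# page caches) and would only produce noise; an assumption, tune per site.
IGNORE_PARTS = {"uploads", "cache"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each monitored file (path relative to root) to its digest."""
    baseline = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not IGNORE_PARTS.intersection(rel.parts):
            baseline[rel.as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences the way a FIM alert would: added, removed, modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny docroot, a baseline, then changes after it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins" / "woocommerce").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        (root / "wp-content/plugins/woocommerce/woocommerce.php").write_text("<?php\n")
        (root / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")
        baseline = build_baseline(root)
        # Changes made after the baseline: an edited config file, an unexpected
        # new file in a plugin directory, and a new upload (ignored by design).
        (root / "wp-config.php").write_text("<?php // constructed sample, edited\n")
        (root / "wp-content/plugins/woocommerce/unexpected.php").write_text("<?php\n")
        (root / "wp-content/uploads/new.jpg").write_bytes(b"\xff\xd8")
        return compare(baseline, build_baseline(root))
```

In production the baseline would be stored outside the web root and refreshed only after an authorised deployment, so that every "added" or "modified" entry represents an unexplained change worth investigating.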
Learn more about common WordPress attacks and how infrastructure-level protection works.
Frequently Asked Questions
Do I need to worry about PCI DSS if I use Stripe or PayPal?
Yes. Using a hosted payment gateway like Stripe or PayPal does not eliminate your PCI DSS obligations — it significantly reduces them. Your hosting environment is still within PCI scope because it serves the pages that lead to payment. The pages where customers enter their card details, the checkout flow, and the server handling the order creation request are all subject to PCI requirements. Your scope is SAQ A or SAQ A-EP depending on your integration method, rather than the full SAQ D — but you still have hosting-specific requirements to meet.
What hosting requirements does PCI DSS impose on WooCommerce stores?
PCI DSS hosting requirements include: encryption of data in transit using TLS 1.2 or higher (your checkout and all pages in the payment flow must be HTTPS), encryption of stored data at rest, access logging and audit trails for server access, regular vulnerability scanning of the hosting environment, secure default server configurations, network segmentation where appropriate, and patch management ensuring server software is kept current. Managed hosting that handles these at the infrastructure level significantly reduces the compliance burden on store owners.
What is a SAQ A and does my WooCommerce store qualify?
SAQ A (Self-Assessment Questionnaire A) is the simplest PCI DSS compliance path, applicable to stores that fully outsource payment processing to a compliant third party and do not directly process, store, or transmit cardholder data on their own systems. This typically applies to WooCommerce stores using Stripe’s Payment Intents integration or PayPal Hosted Payment Pages, where card entry happens entirely on the payment provider’s systems. If your checkout loads a hosted payment form in an iframe, SAQ A may apply. If card data ever touches your server or your checkout page JavaScript, you may need SAQ A-EP or higher.
Does UK hosting help with PCI DSS compliance?
UK-based hosting simplifies compliance by ensuring all cardholder-related data is processed within a UK legal jurisdiction with known security standards. UK data centres typically hold ISO 27001 certification and are subject to UK GDPR requirements that align with PCI DSS security expectations. The key hosting attributes for PCI compliance are not geographic per se but rather: documented security controls, regular penetration testing, vulnerability scanning, encrypted storage, access logging, and a formal Data Processing Agreement — all of which reputable UK managed hosting providers should offer.
How often should WooCommerce stores run PCI compliance vulnerability scans?
PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) for most merchant levels, as well as an annual Self-Assessment Questionnaire. Internal vulnerability scans should be run after any significant infrastructure change. Many managed hosting providers include vulnerability scanning as part of their service or can recommend ASV-certified scanning tools. Store owners are also responsible for keeping WordPress core, WooCommerce, and all plugins patched — unpatched plugin vulnerabilities are a common PCI compliance failure point.