Understanding PCI DSS and SAQ A
PCI DSS (Payment Card Industry Data Security Standard) is a widely recognised standard designed to protect customer payment information. It is important to understand that PCI DSS compliance is not enforced by law, nor is it an obligatory requirement for every business. Instead, think of PCI DSS as a benchmark that institutions, banks, or payment providers may reference when assessing their clients’ security practices. While compliance might not currently be mandatory for you, certain providers or financial institutions could require it at any time, making preparation and compliance valuable.
For WooCommerce merchants utilising Stripe’s embedded payment solutions—such as Stripe Elements or Stripe Checkout—PCI compliance becomes significantly simplified. Typically, these merchants qualify as SAQ A (Self-Assessment Questionnaire A) because:
- Customers enter payment details directly into Stripe’s secure embedded forms (iframes).
- Your WooCommerce site does not directly store, process, or transmit cardholder data.
- Stripe handles all sensitive payment information securely on its PCI DSS-compliant servers.
How to Be PCI DSS SAQ A Compliant:
Outsource Payment Processing
Ensure that all card processing is fully outsourced to Stripe’s secure embedded forms (Stripe Elements or Stripe Checkout). Your WooCommerce store should never directly store, process, or transmit cardholder data.
Review Stripe’s Compliance Documentation
Obtain and keep a record of Stripe’s PCI DSS Attestation of Compliance (AOC), available from Stripe directly.
Keep Your Website Secure
Use Strong SSL/TLS Encryption: Secure your entire website with a valid SSL certificate, enforcing HTTPS across all pages. Detailed Guide available on Hubspot: https://blog.hubspot.com/website/wordpress-force-https
Implement a Web Application Firewall (WAF): Use a WAF to protect your website from common web-based attacks like SQL injection and cross-site scripting (XSS). Recommended plugins include Wordfence, which offers a robust firewall and malware scanning, or Cloudflare, which provides a cloud-based WAF with a free tier. Note: Most website hosting providers also implement WAF out of the box. Here’s a handy free WAF tester: https://labs.cloudbric.com/wafer/
Implement Webpage Integrity Monitoring and Change Detection: Confirm your site is not susceptible to attacks from malicious scripts as required by the new SAQ A eligibility criteria. Use tools like Wordfence for file integrity monitoring, All-in-One Security (AIOS) for file change detection.
Keep Software Updated: Regularly update WordPress core, WooCommerce, themes, and plugins to patch known vulnerabilities. You can use our WordPress Maintenance Service for that.
Limit Access with Strong Authentication: Restrict administrative access to your WordPress dashboard using strong, unique passwords and enable Two-Factor Authentication (2FA) with plugins like Wordfence to prevent brute-force login attempts.
Complete your initial or quarterly ASV Scan
See Below.
Complete Your Annual SAQ A
Each year, complete the Self-Assessment Questionnaire (SAQ A), confirming your compliance status. The current version is available here.
Quarterly AVS Scans now required for SAQ A
Recently a significant change was introduced for SAQ A merchants – requiring ASV (Approved Scanning Vendor) scans, which wasn’t previously required. To summarise:
- ASV scans are now mandatory for SAQ A merchant compliance.
- These scans must be conducted at least every 90 days
- The requirement applies even when using redirects or iFrames (like your Stripe implementation)
- The change addresses security vulnerabilities that could allow attackers to Inject malicious code, Replace legitimate payment redirects, or Intercept customer payment details.
The PCI Council’s rationale for this change appears to be addressing common security vulnerabilities that have led to breaches, including, Weak passwords, Misconfigured network devices, and Other security flaws detectable through scanning.
This is a substantial change for merchants who previously qualified for SAQ A, as it adds both a technical requirement and potentially a prohibitive cost component that wasn’t there before. You would need to engage with an Approved Scanning Vendor to perform these quarterly scans of your externally-facing systems.
Given this update, you should:
- Research and select an approved ASV
- Schedule your initial scan
- Ensure you address any vulnerabilities discovered
- Document your compliance with this new requirement
Stripe’s Tools to Simplify Compliance
Stripe offers a customised PCI compliance wizard available via your PCI Dashboard. This wizard simplifies compliance by guiding you through relevant questions and automatically generating the required documentation, tailored specifically to your business.
If Asked for PCI Compliance:
If your payment provider or bank requests proof of compliance, simply confirm:
- You’re an SAQ A merchant because your payment processing is fully outsourced to Stripe.
- You meet all SAQ A eligibility criteria.
- You’ve secured your website appropriately, as outlined above.
- Confirm specifically if they require any further documentation or additional measures (e.g., ASV scans).
This simplified checklist ensures you’re compliant without unnecessary confusion or worry.
Provider-Specific Expectations of Compliance
While PCI DSS provides the general compliance framework, some payment providers or acquiring banks may have their own specific requirements or interpretations, especially concerning technical measures like Approved Scanning Vendor (ASV) scans.
To avoid unnecessary complexity:
- Directly confirm with your payment provider or acquiring bank exactly what’s required from your business as an SAQ A merchant using Stripe.
- Specifically, ask whether ASV scans or any additional technical compliance measures are necessary for your WooCommerce store.
- Understand clearly their requirements, since additional obligations beyond PCI DSS SAQ A can vary significantly between providers.
