UnderHost
Knowledgebase Docs

PCI DSS Compliance for payment processing

PCI DSS requirements for accepting credit card payments. Understand security standards, compliance levels, and payment processing best practices.


PCI DSS (Payment Card Industry Data Security Standard) protects credit card data. If your website accepts credit cards, you must comply with PCI DSS or use a compliant payment processor.

Do you need PCI DSS?

You need PCI DSS if you:

  • Store credit card numbers
  • Transmit credit card data
  • Process card payments directly

You don't need PCI DSS if:

  • You use PayPal, Stripe, or another external processor
  • Customers enter card details on the payment processor's site (not your site)
  • You never touch card data

Compliance levels

Level   | Annual volume        | Requirements
Level 1 | >6M transactions     | Full audit + penetration testing
Level 2 | 1M-6M transactions   | Quarterly security assessment
Level 3 | 20K-1M transactions  | Annual self-assessment questionnaire
Level 4 | <20K transactions    | Minimal requirements (if not breached)

Key PCI DSS requirements

  • Firewall: Network firewalls configured and maintained
  • Encryption: Encrypt card data in transit and at rest
  • Vulnerability scanning: Annual penetration testing and scanning
  • Access controls: Limit access to card data by need
  • Monitoring: Log and monitor all access to card data
  • Backups: Secure, encrypted backup procedures
  • Patch management: Keep software updated
  • Breach notification: Notify cardholders if data is compromised

How to avoid PCI DSS

Best practice: Don't store credit card data yourself. Use a payment processor instead:

  • Stripe: PCI compliant by default; handles card processing
  • PayPal: Customers enter card details on PayPal's site
  • Square: Encrypted card reading devices
  • WooCommerce Payments: Payment processing without storing cards

This shifts PCI DSS responsibility to the payment processor, not you.
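The approach above only keeps you out of scope if card numbers really never reach your own server or logs. The following guardrail is an added example (not UnderHost code and not part of any processor's SDK): it detects Luhn-valid primary account numbers in submitted form fields or log lines so you can alert on, reject, or mask them. The form dictionary and the log line are constructed samples, and the number 4111 1111 1111 1111 is the widely used Visa test number, not a real card.

```python
"""Guardrail for a site that uses a hosted payment page: detect card numbers
(PANs) that should never arrive at your own server or appear in your logs.
Added example; not UnderHost's or any payment processor's code."""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every payment card number satisfies."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in `text` that look like real card numbers."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):   # drops order ids, timestamps, phone numbers
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Mask detected PANs to their last four digits before the text is logged."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(_mask, text)


def request_touches_card_data(form: dict[str, str]) -> bool:
    """True if any submitted value carries a PAN.  Such a request means card
    data was posted to this server instead of the processor's hosted page and
    should be rejected and alerted on, never stored or logged as-is."""
    return any(find_pans(str(v)) for v in form.values())


if __name__ == "__main__":
    # Constructed sample: a form that wrongly posted card details to our server.
    bad_form = {"name": "A. Customer", "card_number": "4111-1111-1111-1111"}
    print("card data reached server:", request_touches_card_data(bad_form))

    # Constructed sample log line; the PAN is masked before it is written out.
    line = "POST /checkout card=4111 1111 1111 1111 cvv=123"
    print(mask_pans(line))
```

Run `find_pans` over your access and application logs during a scoping review; a non-empty result is evidence that the hosted-page integration is leaking card data into systems you assumed were out of scope.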

UnderHost support

We provide: Secure hosting infrastructure, SSL/encryption, firewalls, intrusion detection.

You provide: Application security, secure payment processing, access controls, audit logging.

Recommendation: Use a third-party payment processor. It's simpler, more secure, and avoids PCI DSS complexity.

Not legal advice

PCI DSS is complex. Consult a compliance professional for your specific requirements. Using a compliant payment processor is the simplest, safest path for most ecommerce sites.

Related: GDPR compliance | Secure your website | Backup encryption
