The information provided in this FAQ is meant to be helpful to you, but please note that WP Engine is not qualified to assess your compliance with the standards discussed here. You are responsible for understanding the risks and requirements related to accepting online payments and for seeking third-party experts should you require any assistance.
What is PCI?
The payment card industry (“PCI” for short) is the global collective of businesses associated with accepting and processing credit and debit card payments. The PCI Security Standards Council (“PCI SSC”) is an industry group, comprised of American Express, Discover Financial Services, JCB, MasterCard, and Visa, which has established the PCI Data Security Standard (“PCI DSS”), the most recent version of which was released in April 2016. PCI DSS provides a set of consistent security measures for anyone processing credit card payments or otherwise managing cardholder data. More information can be found on the PCI SSC web site.
Who needs to be compliant?
PCI DSS is an industry standard. If you are licensed by or accept payments for or on behalf of any of the participating members of PCI SSC, you must comply with the standards they publish. Each member is individually responsible for enforcement and may have different requirements for proving compliance, though traditionally they all follow the published standard.
Is WP Engine PCI compliant?
Yes. For the services we provide to you and the data we collect, we are fully compliant with PCI DSS v3.2. This does not mean you’re in compliance simply by hosting with us, however. While WP Engine manages the server infrastructure and core software components common to all of our customers, we don’t operate your e-commerce site or accept payments on your behalf. While you can rest at ease that your payment details are safe with us, you are responsible for any end user data. The good news is that compliance isn’t hard, as long as you understand the requirements.
ok, so how do i comply?
Since PCI DSS applies to “entities that store, process, and/or transmit cardholder data,” the easiest way to comply with the standard is to avoid storing, processing, or transmitting any cardholder data. Even if you host an e-commerce site, there are third-party payment processors who can accept and process credit card payments on your behalf, meaning you can manage your e-commerce site without ever needing access to protected cardholder data. Some examples of third-party payment processors include Authorize.net, Braintree, Payeezy, PayPal Pro, and Stripe. Such third-party payment processors maintain information about their own compliance and can help you with any PCI reporting or attestation requirements.
Do I have to use a third-party payment processor?
Outsourcing your payment processing is the easiest path to meeting your PCI DSS requirements. It is also the only choice that is compatible with our network. WP Engine’s Acceptable Use Policy prohibits you from storing, processing, or transmitting cardholder data (or, in other words, doing anything that would bring you in scope with the PCI DSS). If you have any further questions, we are more than happy to talk to you and/or your third-party developer, auditor, or assessor.