PCI Compliance

Discussion in 'eCommerce' started by Boxwell, Oct 7, 2016.

  1. #1
    Hello,

    PayPal has recently frozen my client's account as they are saying we need to be PCI compliant. We are running a store using WordPress and WooCommerce (with the WooCommerce PayPal Pro (Classic and PayFlow Editions) Gateway), all hosted on a HostGator shared plan with an SSL certificate and a dedicated IP address.

    As far as I am aware, we don't store credit card information but would appreciate help finding out for certain if we do. I've looked in the database tables and nothing jumps out at me.

    What would we need to do to get this working again? I've looked at the self-assessment questionnaire for SAQ A-EP. I think this is the correct one? It's asking lots of questions relating to the server role (which HostGator are responsible for). It seems a huge document for an organisation of this size.

    The other option would be to move to the PayPal Pro Hosted Gateway (https://woocommerce.com/products/woocommerce-gateway-paypal-pro-hosted/). It would limit the type of cards we could use, but I'm not sure of any other drawbacks. Would the shopping cart still operate within our own site using this?

    I would appreciate any help you can provide. The online help seems to be so complicated (to account for all the variations) that I can't find any support for our situation.

    Many thanks,

    Graeme
    Boxwell, Oct 7, 2016
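The question above ("would appreciate help finding out for certain if we do" store card data) is the first thing to settle, because it decides whether the site is in scope at all. Eyeballing tables is not reliable: WooCommerce keeps most order data as serialized PHP strings in wp_postmeta, where a card number does not "jump out". The following is an added example, not code from the thread or from WooCommerce: a small scanner that takes (table, column, value) rows exported from the database and flags any value that contains a plausible primary account number (PAN) by combining a digit-run regex, the issuer prefix (IIN) and length, and the Luhn checksum. The sample rows are constructed for the demo and the card numbers in them are the public sandbox test PANs that gateways document, not real cards.

```python
"""Scan database rows for anything that looks like a stored card number (PAN).

Added example, not code from the thread or from WooCommerce. It assumes the
WordPress/WooCommerce database has been exported to (table, column, value)
rows; the rows below are constructed for the demo and the card numbers are
the public test PANs gateways document for sandbox use, not real cards.
"""
import re
from typing import Optional

# 13 to 19 digits, optionally separated by single spaces or dashes, with no
# digit immediately before or after (so a 20-digit run is not a candidate).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer(digits: str) -> Optional[str]:
    """Match the leading digits (IIN) and length against the major brands."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and ("51" <= digits[:2] <= "55" or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "discover"
    return None


def mask(digits: str) -> str:
    """Never write a full PAN into the report: that would itself be stored cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(rows):
    """Return (table, column, brand, masked_pan) for every value holding a plausible PAN."""
    hits = []
    for table, column, value in rows:
        for m in PAN_CANDIDATE.finditer(value):
            digits = re.sub(r"[ -]", "", m.group(0))
            brand = issuer(digits)
            if brand and luhn_ok(digits):
                hits.append((table, column, brand, mask(digits)))
    return hits


# Constructed sample rows (a real run would stream wp_postmeta, wp_options,
# wp_comments, wp_woocommerce_order_items, ... out of the database).
SAMPLE_ROWS = [
    ("wp_postmeta", "meta_value", "4111111111111111"),                      # Visa test PAN stored raw
    ("wp_postmeta", "meta_value",                                           # Amex test PAN inside a
     'a:1:{s:11:"card_number";s:17:"3782-822463-10005";}'),                 # serialized PHP array
    ("wp_postmeta", "meta_value", "xxxx-xxxx-xxxx-1111"),                   # masked: last four only
    ("wp_postmeta", "meta_value", "4111111111111112"),                      # card-shaped, fails Luhn
    ("wp_options", "option_value", "1476000000"),                           # Unix timestamp, too short
    ("wp_comments", "comment_content", "Order ref 12345678901234 shipped"), # digits, but no card IIN
    ("wp_postmeta", "meta_value", "_transaction_id 5B123456AB789012C"),     # gateway token, not a PAN
]

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_ROWS):
        print("%s.%s holds a %s PAN: %s" % hit)
```

Run against a full export (every table, not just the ones you expect) and also against the web server's log directory and any database backups on the shared host, since a PAN that was logged or backed up is just as much in scope as one in a live row. The report deliberately prints only the last four digits; a scanner that writes full PANs into its output has just created another copy of cardholder data.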
  2. jestep

    jestep Prominent Member

    #2
    Do you have a payment page on your site at all or is the end-user redirected to Paypal for the actual transaction? Your site shouldn't be in the PCI scope at all if there is never any credit card entry on your website.
    jestep, Oct 9, 2016
  3. Boxwell

    Boxwell Member

    #3
    No, the transaction takes place within our site. It looks like we have to do the compliance stuff, but HostGator have been less than helpful. There are lots of questions in the self-assessment relating to the management of network security. HostGator's response was that it was a self-assessment and that I need to complete the form; they cannot help me. Really frustrating, as it is their procedures that are being discussed.
    Boxwell, Oct 10, 2016
  4. Boxwell

    Boxwell Member

    #4
    OK, we now have PCI compliance. Thanks for your comment Jestep, I really appreciate the help.

    As our main dealings are with PayPal, we used Trustwave to do the scans of our site. We had a heavily discounted link from PayPal. Trustwave on the whole were very helpful. A lot of the self-assessment report included me saying that areas were not applicable as HostGator manages these areas, and they are PCI compliant. Once you have completed the self-assessment report within Trustwave (we were given the D self-assessment) and have the first scan done (and passed), Trustwave will contact PayPal and lift any restrictions.
    Boxwell, Oct 12, 2016
  5. jestep

    jestep Prominent Member

    #5
    Good to hear. Trustwave is one of the better QSAs to deal with, as they tend to try and help more than many others who take a hands-off approach and only answer very basic high-level questions. D is by far the worst merchant SAQ to deal with as well. It's good to hear that HostGator is now compliant as a service provider. It didn't used to be that way; you would have had to get a dedicated server at the least to be able to prove there is enough segmentation to make PCI compliance even remotely possible with them.
    jestep, Oct 12, 2016
  6. Karly_C

    Karly_C Peon

    #6
    Glad Trustwave helped you resolve that issue! Just wanted to jump in and point out that SSL isn't enough to help sites reach PCI compliance (https://www.pcicomplianceguide.org/pci-faqs-2/#13). If you were actually collecting credit card information, SSL isn't going to block SQL injection attempts, and either a manual vulnerability assessment (which Trustwave helped you with) or a web application firewall is required for PCI compliance under Requirement 6.6 (https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf). If you're not just interested in passing the test and you actually care about securing your site, I would suggest investing in a WAF or using a free security service like Cloudbric.
    Karly_C, Oct 25, 2016
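The point in the last reply, that an SSL/TLS certificate does nothing against SQL injection, is worth seeing concretely: TLS protects the request in transit and then hands the attacker's bytes to the application unchanged. The block below is an added example, not code from the thread or from WooCommerce. It uses an in-memory SQLite table (constructed for the demo) in place of the store's MySQL database and shows the same order lookup written two ways: string concatenation, which lets a tautology payload return every customer's order, and a parameterised query, which treats the payload as a literal e-mail address and returns nothing. In WordPress the parameterised form is what `$wpdb->prepare()` gives you.

```python
"""TLS encrypts the request; it does not look inside it.

Added example, not code from the thread. An in-memory SQLite table stands in
for the store database (constructed here for the demo); the vulnerable and
safe lookups build the same query two different ways.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Create a tiny orders table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_email TEXT, total REAL)"
    )
    conn.executemany(
        "INSERT INTO orders (customer_email, total) VALUES (?, ?)",
        [("alice@example.com", 20.0), ("bob@example.com", 35.5), ("carol@example.com", 12.0)],
    )
    return conn


def orders_for_vulnerable(conn: sqlite3.Connection, email: str):
    """Builds SQL by string concatenation: the user's input becomes part of the statement."""
    sql = "SELECT customer_email, total FROM orders WHERE customer_email = '" + email + "'"
    return conn.execute(sql).fetchall()


def orders_for_safe(conn: sqlite3.Connection, email: str):
    """Parameterised query: the input is bound as a value and can never change the SQL."""
    sql = "SELECT customer_email, total FROM orders WHERE customer_email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A classic tautology payload. Over HTTPS it arrives at the server byte-for-byte
# intact; encryption in transit says nothing about what the server does with it.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", orders_for_vulnerable(db, PAYLOAD))   # every customer's order
    print("safe:      ", orders_for_safe(db, PAYLOAD))         # no such email: []
```

A WAF would try to recognise the payload on its way in; parameterised queries remove the bug instead, which is why Requirement 6.6 accepts either an application review or a WAF but a code fix is the one that survives a payload the WAF has not seen.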