WP Engine and PCI Compliance

IMPORTANT: The information provided in this FAQ is meant to be helpful to you, but please note that WP Engine is not qualified to assess your compliance with the standards discussed here or any other legal obligations you may have. You are responsible for understanding the risks and requirements related to accepting online payments and for seeking third-party experts should you require any assistance.


About PCI

The payment card industry (“PCI” for short) is the global collective of businesses associated with accepting and processing credit and debit card payments. The PCI Security Standards Council (“PCI SSC”) is an industry group, composed of American Express, Discover Financial Services, JCB, MasterCard, and Visa, which has established the PCI Data Security Standard (“PCI DSS”), the most recent version of which was released in April 2016. PCI DSS provides a consistent set of security measures for anyone processing credit card payments or otherwise managing cardholder data. More information can be found on the PCI SSC web site.


Who needs to be compliant?

PCI DSS is an industry standard that applies to anyone who stores, processes, or transmits cardholder data. If you are licensed by any of the participating members of PCI SSC, or accept payments for or on behalf of any of them, you must comply with the standards they publish. Each member is individually responsible for enforcement and may have different requirements for proving compliance, though traditionally they all follow the published standard.


Is WP Engine PCI compliant?

WP Engine does not store, process, or transmit cardholder data on our platform, and our Acceptable Use Policy prohibits you from doing the same. Note, however, that we don’t operate your web site or interact with your end users, and you are ultimately responsible for the way in which you handle any cardholder data.


Ok, so how do I comply?

Please refer to the official guidance at pcisecuritystandards.org.

If you host an e-commerce site, there are third-party payment processors who can accept and process credit card payments on your behalf. Some examples include Authorize.net, Braintree, Payeezy, PayPal Pro, and Stripe.

Each third-party payment processor is responsible for maintaining information about their own compliance and may be able to help you with any PCI reporting or attestation requirements.


Do I have to use a third-party payment processor?

Outsourcing your payment processing is the easiest path to meeting your PCI DSS requirements. It is also the only choice that is compatible with our Services.

WP Engine’s Acceptable Use Policy prohibits you from using our Services to store, process, or transmit cardholder data. If you have any further questions, we are more than happy to talk to you and/or your third-party developer, auditor, or assessor.


If I take these steps, will my site pass a PCI audit/scan?

If you are providing e-commerce services and choose to include your WP Engine site in your PCI vulnerability scanning scope, please be aware that scan results may be inaccurate because we run customized versions of various components.

In any case, we suggest you confirm with your PCI QSA whether your WP Engine site should be included or not, since they may not be familiar with how your WP Engine site works.

