x

WooCommerce Integration

Does anyone by chance know if the WooCommerce/Square connection is PCI SAQ A or PCI SAQ A-EP compliant? I am trying to find out this information before recommending this solution to a client, but am having difficulty finding the information. I tried contacting WooCommerce, but they didn't reallt give direct response to my question, just sent me off to a generic PCI support page. Are Square's integrations in general setup in a way so that the card data never even touches our server?

 

Thanks,

Wil

1,303 Views
Message 1 of 4
Report
3 REPLIES 3

Digging a little deeper, I checked the plugins gateway code and it appears to be utilizing this code...

 

https://github.com/square/connect-api-examples/tree/master/connect-examples/v2/php_payment

 

After looking up more information on that method of integrating Square, I believe this does fall under the SAQ A level of Compliance...

 

"The SqPaymentForm library renders the card inputs and digital wallet buttons that make up the payment form and returns a secure payment token (nonce). For more information, see https://docs.connect.squareup.com/payments/sqpaymentform/what-it-does."

 

https://docs.connect.squareup.com/payments/sqpaymentform/what-it-does

 

It still only says it is PCI Compliant and does not specify SAQ-A or SAQ A-EP but based on the description of how the form fields are rendered for taking payment and the fact that it is using a nonce makes it sound as if this would fall into the SAQ A realm, since the form fields do not sound as if they would be residing on our server.

 

If anyone can confirm this or has any additional insight, it would be much appreciated.

 

Thanks,

Wil

1,298 Views
Message 2 of 4
Report

I went ahead and installed the plugin in a development environment and loaded SSL onto the server so that I could test out the plugin. Once I went to the checkout page, I could confirm that the fields were being loaded into the checkout as iframes being fed from Square. So it does look like this solution is PCI SAQ A compliant as far as I can tell.

 

Wil

1,295 Views
Message 3 of 4
Report
Admin

Really sorry for the delayed reply here @wilhud! Not sure what happened!

 

Unlike traditional merchant companies, we don't require account holders to go through a complicated and expensive PCI compliance application. Square APIs facilitate PCI-DSS compliant payment processing with no PCI or security fees.

 

As the merchant of record, Square relieves sellers of the need to complete annual checklists and/or audits, and maintains liability in the case of a data breach. However, we rely on Square Sellers to use PCI requirements as guidelines for securing their websites and connected systems. Thus, reducing the risk of credit card data being compromised before it is passed on to the Square APIs.

 

You can read more about our PCI Compliance.

 

Hope this helps clarify.

nika
Beta Community Manager, Square
Join the Beta Community
Evaluate | Influence | Engage


1,224 Views
Message 4 of 4
Report