
WooCommerce Integration

Does anyone by chance know if the WooCommerce/Square connection is PCI SAQ A or PCI SAQ A-EP compliant? I am trying to find out this information before recommending this solution to a client, but am having difficulty finding the information. I tried contacting WooCommerce, but they didn't really give a direct response to my question; they just sent me off to a generic PCI support page. Are Square's integrations in general set up in a way so that the card data never even touches our server?


Thanks,

Wil


Digging a little deeper, I checked the plugin's gateway code and it appears to be utilizing this code...


https://github.com/square/connect-api-examples/tree/master/connect-examples/v2/php_payment


After looking up more information on that method of integrating Square, I believe this does fall under the SAQ A level of Compliance...


"The SqPaymentForm library renders the card inputs and digital wallet buttons that make up the payment form and returns a secure payment token (nonce). For more information, see https://docs.connect.squareup.com/payments/sqpaymentform/what-it-does."


https://docs.connect.squareup.com/payments/sqpaymentform/what-it-does


It still only says it is PCI compliant and does not specify SAQ A or SAQ A-EP, but the description of how the form fields are rendered for taking payment, and the fact that it uses a nonce, makes it sound as if this would fall into the SAQ A realm, since the form fields do not sound as if they would be residing on our server.


If anyone can confirm this or has any additional insight, it would be much appreciated.


Thanks,

Wil


I went ahead and installed the plugin in a development environment and loaded SSL onto the server so that I could test the plugin. Once I went to the checkout page, I could confirm that the fields were being loaded into the checkout as iframes fed from Square. So this solution does look to be PCI SAQ A compliant, as far as I can tell.


Wil

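Added example, not from the thread and not code from the WooCommerce/Square plugin: a small script that automates the check Wil describes in the post above. Feed it the checkout page's DOM as it exists after the payment form's JavaScript has run (for example, copied from the browser's element inspector); a plain HTTP fetch of the page source will not show the hosted fields, because they are injected at run time. It reports whether every card field is an iframe served from Square and whether the merchant page renders any card input of its own. The Square host list, the iframe src values in the constructed sample pages and the card-field name heuristics are assumptions for illustration. The verdict is a necessary-condition screen, not a PCI determination; which SAQ applies is ultimately for the acquirer or a QSA to confirm.

```python
"""Scan a rendered checkout DOM for where card data is entered.

Added example (not the thread's or the plugin's code). Assumptions, not
from the original page: SQUARE_HOSTS, the iframe src values in the
constructed samples, and the card-field heuristics below.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: hosts treated as Square-served iframe origins (adjust to what your page loads).
SQUARE_HOSTS = ("squareup.com", "squarecdn.com")

# Inputs the browser itself labels as card fields, plus common naming patterns.
# The regex is deliberately loose: a false positive costs a manual look, a
# false negative hides a merchant-rendered card field.
CARD_AUTOCOMPLETE = {"cc-number", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-csc"}
CARD_NAME_RE = re.compile(r"(card|ccnum|\bpan\b|cvv|cvc|csc|expir|exp[_-]?(month|year|date))", re.I)
# Control types a user cannot type a card number into.
NON_TEXT_TYPES = {"hidden", "submit", "button", "checkbox", "radio", "image", "reset"}


class CheckoutScanner(HTMLParser):
    """Collect card-looking <input> elements and every <iframe> with its host."""

    def __init__(self):
        super().__init__()
        self.card_inputs = []  # identifiers of inputs that look like card fields
        self.iframes = []      # (src, hostname) for each iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            self.iframes.append((src, urlsplit(src).hostname or ""))
        elif tag == "input":
            if (a.get("type") or "text").lower() in NON_TEXT_TYPES:
                return
            ident = " ".join(v for v in (a.get("name"), a.get("id"), a.get("placeholder")) if v)
            if (a.get("autocomplete") or "").lower() in CARD_AUTOCOMPLETE or CARD_NAME_RE.search(ident):
                self.card_inputs.append(ident or "<unnamed input>")


def is_square_host(host):
    return any(host == h or host.endswith("." + h) for h in SQUARE_HOSTS)


def classify_checkout(html):
    """Return a dict with a verdict ('A', 'not-A' or 'unknown') and the evidence behind it."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    scanner.close()
    square = [src for src, host in scanner.iframes if is_square_host(host)]
    other = [src for src, host in scanner.iframes if not is_square_host(host)]
    if scanner.card_inputs:
        # Card fields live in the merchant DOM, so SAQ A is off the table:
        # A-EP if they are tokenized client-side and never reach the merchant
        # server, SAQ D if the form posts them to the merchant.
        verdict, note = "not-A", "merchant-rendered card inputs found; SAQ A-EP at best, SAQ D if they post to your server"
    elif square:
        verdict, note = "A", "card entry is delegated to Square iframes; keep this page free of merchant-rendered card inputs"
    else:
        verdict, note = "unknown", "no card fields found: redirect flow, or the DOM was captured before the form rendered"
    return {"verdict": verdict, "card_inputs": scanner.card_inputs,
            "square_iframes": square, "other_iframes": other, "note": note}


# Constructed sample pages (not captured from a real store); iframe src values are assumed.
SAMPLE_HOSTED_FIELDS = """
<form id="checkout" method="post" action="/checkout/">
  <input type="text" name="billing_first_name" id="billing_first_name">
  <input type="email" name="billing_email" id="billing_email">
  <input type="hidden" name="card-nonce" id="card-nonce">
  <div id="sq-card-number"><iframe src="https://js.squareup.com/paymentform/card-number"></iframe></div>
  <div id="sq-expiration-date"><iframe src="https://js.squareup.com/paymentform/expiration"></iframe></div>
  <div id="sq-cvv"><iframe src="https://js.squareup.com/paymentform/cvv"></iframe></div>
  <iframe src="https://www.example.invalid/analytics"></iframe>
</form>
"""

SAMPLE_MERCHANT_FIELDS = """
<form id="checkout" method="post" action="/checkout/">
  <input type="text" name="billing_first_name">
  <input type="text" name="card_number" placeholder="Card number" autocomplete="cc-number">
  <input type="text" name="card_expiry" placeholder="MM / YY" autocomplete="cc-exp">
  <input type="text" name="card_cvc" placeholder="CVC" autocomplete="cc-csc">
  <script src="https://www.example.invalid/tokenize.js"></script>
</form>
"""

if __name__ == "__main__":
    for label, page in (("hosted fields", SAMPLE_HOSTED_FIELDS), ("merchant fields", SAMPLE_MERCHANT_FIELDS)):
        result = classify_checkout(page)
        print(f"{label}: verdict={result['verdict']} card_inputs={result['card_inputs']}")
        print(f"  square iframes: {len(result['square_iframes'])}, other iframes: {result['other_iframes']}")
        print(f"  {result['note']}")
```

The hidden `card-nonce` input in the first sample is deliberately ignored: it carries the token the form returns, not card data, and the user cannot type into it. Anything listed under `other_iframes` is worth a look too, since a third-party frame on the payment page is in scope for the checkout's integrity even when it holds no card fields.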
Admin

Really sorry for the delayed reply here @wilhud! Not sure what happened!


Unlike traditional merchant companies, we don't require account holders to go through a complicated and expensive PCI compliance application. Square APIs facilitate PCI-DSS compliant payment processing with no PCI or security fees.


As the merchant of record, Square relieves sellers of the need to complete annual checklists and/or audits, and maintains liability in the case of a data breach. However, we rely on Square sellers to use PCI requirements as guidelines for securing their websites and connected systems, which reduces the risk of credit card data being compromised before it is passed on to the Square APIs.


You can read more about our PCI Compliance.


Hope this helps clarify.

Bea_
Beta Community Manager, Square