Infrastructure
Your SSL Certificate Does Not Make Your Website PCI Compliant

Everyone selling online in Ireland has heard some version of the same reassurance: get an SSL certificate, plug in Stripe or PayPal, and you are PCI compliant. Job done. That reassurance is wrong, and it is wrong in a way that quietly leaves checkout pages exposed long after the padlock icon shows up in the address bar.
I have reviewed enough client integrations over the years to know why the myth survives. The padlock is visible. The Stripe or PayPal badge is visible. PCI DSS itself is not, so business owners reasonably assume that if the visible parts look secure, the invisible parts must be handled too. They are not, not automatically, and the gap between "looks secure" and "is compliant" is exactly where small WordPress and WooCommerce stores get caught out.
What PCI DSS Actually Covers
PCI DSS stands for Payment Card Industry Data Security Standard. It was written jointly by the five major card brands, Visa, Mastercard, American Express, Discover, and JCB, and it runs to twelve separate requirement areas: encryption, access control, vulnerability management, monitoring, physical security, and more. An SSL or TLS certificate satisfies one small piece of one requirement, the part covering encrypted transmission of data over public networks. It says nothing about the other eleven areas.
So what does that mean for a business owner who is not going to read a standards document? It means the padlock in the browser bar is proof of exactly one thing: the connection between the visitor and the server is encrypted. It is not proof that card data is stored safely, that access is controlled, that the site is monitored, or that the checkout page itself is trustworthy. Treating it as a substitute for the other eleven requirements is the myth in a single sentence.

Card payment security and personal data protection overlap more than most business owners realise. If you have never worked through what GDPR actually asks of a website handling customer information, a checklist of the mistakes that fail Irish data protection audits is worth reading alongside this one, since a chunk of the access-control and monitoring requirements below apply to both.
Your Payment Gateway Carries Most of the Weight, Not All of It
Here is where the myth gets closer to true, which is exactly why it spreads. Stripe operates as a PCI DSS Level 1 Service Provider, independently assessed every year, and describes PCI compliance as a shared responsibility between itself and the business using it. If you use a hosted integration, Stripe Checkout, Stripe Elements, or PayPal's hosted buttons, card numbers never touch your server at all. They go from the customer's browser straight to the payment provider.
That matters because of a document called the Self-Assessment Questionnaire, or SAQ. Merchants who never store, process, or transmit card data on their own systems can usually self-certify using SAQ A, the shortest version, rather than a full external audit. WooCommerce's own documentation confirms that its official gateways never store card details directly, retaining at most a token and the last four digits. For most small shops, that removes the heaviest PCI obligations before you have done anything yourself.
I misjudged how much weight a single "PCI Level 1" badge could carry the first time a client showed me their setup. The badge covered the payment processor's own infrastructure, not the custom checkout form the client's developer had bolted on top of it. Worth checking exactly which layer a badge is describing before you assume it covers yours too.
The Part Nobody Outsources: What Happens on Your Checkout Page
This is the part the myth leaves out entirely, and it is the part that changed materially in the last eighteen months. PCI DSS version 4.0.1 introduced requirements 6.4 and 11.6, both mandatory since 31 March 2025. They require merchants to maintain an inventory of every script running on the payment page and to confirm each one is authorised, with a method to detect unauthorised changes to that page.
The reason is a category of attack called digital skimming, sometimes referred to by the name of the malware family, Magecart. A compromised plugin, a marketing pixel nobody remembers adding, or an abandoned-cart tool injects a few lines of script into the checkout page. That script quietly copies card details as the customer types them, before the form ever reaches Stripe or PayPal. The transaction still completes. The customer's payment still goes through. Nothing on screen looks different.
Picture a small WooCommerce shop, a hand-poured candle maker somewhere like Monaghan is as good an example as any, that installed a checkout upsell plugin two years ago and never thought about it again. Consider a typical version of how this plays out: the SSL padlock never disappears, WooCommerce never throws an error, and the first sign of a problem is a run of unfamiliar chargeback disputes months later, followed by a compliance questionnaire from the payment processor that nobody was expecting. That is the call no business owner wants to take, and it has nothing to do with whether the site had a valid certificate.

Who Actually Handles What
| Requirement area | Handled by your payment gateway | Still yours to verify |
|---|---|---|
| Card number storage | Yes, if using a hosted integration | Confirm no custom form captures raw card data |
| Encrypted transmission (SSL/TLS) | Partly | Certificate must be valid and correctly configured |
| Checkout page scripts | No | Audit and authorise every script on the payment page |
| SAQ paperwork and attestation | No | The self-assessment is the merchant's responsibility |
The Realistic PCI Checklist for a Small Business Site
Verify your integration type. Confirm your gateway hosts the card entry fields itself, Stripe Checkout, Stripe Elements, or a hosted PayPal button, rather than a custom form that ever touches a raw card number.
Complete your SAQ A. Most small WooCommerce and equivalent setups qualify for the short self-assessment rather than a full audit. It takes an afternoon, not a security team.
Audit every script on the checkout page. List live chat widgets, analytics tags, marketing pixels, and abandoned-cart plugins. Remove anything you cannot justify keeping, and document the rest.
Keep the stack patched. WordPress core, WooCommerce, and every payment-related plugin updated on a schedule, deployed to a staging environment first if the change touches checkout at all.
Know your rollback. If a plugin update introduces a conflict on the payment page, you need to be able to roll back to the last known-good state before customers notice, not after.
Where Hosting Fits, and Where It Does Not
Managed hosting cannot complete your SAQ for you, and any provider who implies otherwise is overselling. What it can do is remove the excuses around the edges. This is the same ground covered in more depth in our full WordPress security and backup guide, but the short version is that Web60's enterprise-grade Irish infrastructure provisions and automatically renews SSL through Let's Encrypt, applies server-level hardening and fail2ban intrusion prevention, and runs automatic malware scanning across every site on the platform. If a compromised plugin does get through, nightly backups with pre-update snapshots mean a production environment can be rolled back to a clean state in minutes rather than rebuilt from nothing.
None of that fills in your Self-Assessment Questionnaire. No hosting provider, us included, can verify that your specific checkout integration is coded correctly or decide which scripts you genuinely need on that page. That paperwork and that plugin audit stay with the business owner. What good infrastructure does is shrink the list of things that can go wrong before you even get to the compliance questions, which is a meaningfully different job to actually doing your compliance for you.
If you are running a business that stores card numbers directly, a booking platform processing thousands of transactions a day with its own payment infrastructure, you need hosting built and independently audited to PCI Level 1 Service Provider status, with a dedicated compliance team validating it every year. That is a different tier of infrastructure entirely, and for that scale it is the right one. Most small WooCommerce stores and service businesses running a handful of transactions a week are not that business, and paying for that tier of compliance overhead is money better spent on the checklist above.
Conclusion
PCI compliance for a small WordPress store rarely means becoming a security specialist overnight. It means knowing which of the twelve requirements your gateway has already handled, checking what is genuinely left, and being honest about the checkout page scripts you added years ago and never looked at again. Do that, and you will have gone further than most of the businesses currently relying on a padlock icon and a Stripe account to explain the whole picture.
Frequently Asked Questions
Does using Stripe or PayPal make my website PCI compliant?
It covers most of the heavy requirements, particularly around card data storage, but not all of them. If you use a hosted integration where card numbers never touch your server, your business still needs to complete its own Self-Assessment Questionnaire and keep the checkout page itself secure.
What is a PCI DSS Self-Assessment Questionnaire?
An SAQ is a self-certification document merchants complete annually to confirm they meet the PCI DSS requirements that apply to their setup. Most small WooCommerce or hosted-checkout businesses qualify for SAQ A, the shortest version, because they never store card data directly.
Do I need an SSL certificate for PCI compliance?
Yes, but it only satisfies one requirement out of twelve. A valid, correctly configured certificate covers encrypted transmission of data. It says nothing about access control, script security on your checkout page, or the other requirement areas.
Can my web hosting provider make my site PCI compliant?
No single provider can complete your compliance for you. A good host reduces risk through SSL management, server hardening, malware scanning, and backups, but the SAQ, your checkout integration, and your script audit remain the business owner's responsibility.
Does WooCommerce store customer card details?
Official WooCommerce payment gateways do not store full card numbers. They typically retain a payment token and the last four digits for reference, with the actual card data held by the payment processor.
What happens if my checkout page has an unauthorised script running on it?
It can silently capture card data as customers type it, even though the payment itself still completes normally through your gateway. This is why PCI DSS 4.0.1 requires an inventory of every script on the payment page, checked since 31 March 2025.
Sources
PCI Security Standards Council – SAQ A eligibility documentation Stripe – What is PCI DSS compliance? WooCommerce – PCI-DSS compliance and WooCommerce Central Bank of Ireland – Payment Institutions regulatory requirements and guidance
Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.
More by Graeme Conkie →Ready to get your business online?
Describe your business. AI builds your website in 60 seconds.
Build My Website Free →More from the blog
The Fine Print in Your Cyber Insurance Policy Is a Website Security Checklist
Cyber insurance will not pay out if your website security does not match what you told the insurer. Here is what Irish policies actually check.
A Strong WordPress Password Is Not the Same Thing as a Safe One
A strong WordPress password means nothing if it is reused elsewhere. Credential reuse, not weak passwords, is the real risk to your admin login.
