There’s a good chance you haven’t heard about this yet. And honestly, that’s part of the problem.
As of March 31, 2025, new security rules from the Payment Card Industry (PCI DSS 4.0) went into effect that impact every website accepting credit card payments — and that includes your WordPress site with WooCommerce, your nonprofit’s donation page, and even a simple checkout form using Stripe.
We manage websites for clients across a range of industries, and we’re writing this because we want you to understand what changed, why it matters, and what your options are. No fear-mongering, just the facts.
Somebody’s paying for fraud — and it might be you
Here’s something most people don’t think about. When someone steals your credit card number and goes on a shopping spree — say, a few hundred dollars worth of expensive ping pong balls shipped to Michigan (true story, happened to one of us) — your bank reverses the charges and you move on with your life. It feels like the problem just disappeared.
But somebody paid for those ping pong balls. That cost doesn’t vanish — it rolls downhill. The card network charges back the merchant’s bank. The bank passes it to the business that processed the transaction. And if that business wasn’t following the required security standards? They’re on the hook — not just for the fraud, but potentially for fines, investigation costs, and the expense of reissuing every card that was compromised.
For years, the major credit card brands have maintained security standards (called PCI DSS) to prevent exactly this kind of thing. But as online fraud has gotten more sophisticated, the rules have tightened — and as of 2025, the responsibility has shifted more directly onto website owners.
What changed?
For years, the standard approach for small businesses was straightforward: use a payment processor like Stripe or PayPal, embed their form on your site, and let them handle the security. The thinking was, “The card data never touches my server, so I’m good.”
That’s no longer the full picture.
Hackers figured out they didn’t need to steal card data from your server — they could inject malicious scripts directly into checkout pages to skim card information as customers typed it in, even on sites where the payment form itself was provided by a secure third party. After a series of high-profile attacks using this technique, the PCI Security Standards Council updated the rules. The new requirements specifically target websites that embed payment forms, and they apply to the site owner, not just the payment processor.
What does this mean for your website?
If your WordPress site has an embedded payment or donation form (meaning the customer enters their card info on a page that lives on your domain), you’re now responsible for:
- Quarterly vulnerability scans. An approved scanning vendor (ASV) must scan your site every 90 days and provide a report. If vulnerabilities are found, they must be fixed.
- Script inventory and authorization. You need to document every script running on your checkout pages — analytics tools, marketing pixels, tag managers, fonts, everything — and justify why each one is there.
- Change detection. You need a process to detect if any unauthorized scripts are added to or modified on your payment pages.
- Annual self-assessment. You’ll complete a Self-Assessment Questionnaire (SAQ) and submit an Attestation of Compliance to your payment processor.
This isn’t a suggestion or best practice. It’s mandatory for any business accepting card payments online.
Who does this apply to?
If you answer “yes” to any of these, the new rules apply to you:
- You have a WooCommerce store with an embedded Stripe or payment gateway checkout
- Your nonprofit has a donation form embedded on your website
- You accept payments through any form on your WordPress site where card details are entered on your domain
It doesn’t matter how many transactions you process. A small shop doing 50 orders a month has the same baseline requirements as a large retailer. The difference is only in the level of scrutiny and documentation — but the quarterly scans and script management apply across the board.
What happens if you don’t comply?
Let’s be direct: PCI compliance isn’t legally mandated by the government, but it is mandated by the credit card companies through your payment processor. The consequences of non-compliance are real and can be severe, especially if a breach occurs while you’re not compliant.
Fines from card networks can range from $5,000 to $100,000 per month, passed down through your bank. If customer data is compromised, you could be liable for fraud reimbursement, card reissuance costs, and legal damages. And a breach automatically escalates your compliance requirements to the highest (and most expensive) tier, regardless of your business size.
For small businesses, this can be existential. Studies show that a majority of small businesses that suffer a data breach close within six months.
The good news: you have a simple option
Here’s what most small business owners don’t realize — you can avoid nearly all of these requirements with one architectural decision: move your payment form off your website.
Instead of embedding a checkout form on your site, you can use a hosted payment page provided by Stripe, PayPal, or your payment processor. Your customer clicks “Checkout,” is briefly taken to a branded, secure payment page hosted by your processor, enters their card info there, and is redirected back to your site with a confirmation.
With this setup, your website never has payment form fields on it, which means it’s not in scope for the new PCI 4.0 requirements. No quarterly scans. No script inventory. No change detection monitoring. You still complete a simple annual self-assessment, but the burden is minimal.
The tradeoff is a slight interruption in the checkout experience — the customer briefly leaves your site. But modern hosted checkout pages are customizable (your logo, your colors) and the experience is smooth. And here’s a bonus: hosted checkout pages from Stripe automatically include Apple Pay, Google Pay, and Stripe Link — so your customers get all the fast-pay options without any extra work on your end.
For most small businesses and nonprofits, this is the right call.
If you want to keep embedded checkout
Some businesses prefer the seamless on-site checkout experience and are willing to invest in the compliance that comes with it. That’s completely valid — and it’s a service we offer.
We coordinate quarterly ASV scans, maintain your script documentation, monitor your checkout pages for changes, and handle remediation when issues come up. It’s a hands-off experience for you, and it keeps you fully compliant.
What should you do right now?
1. Find out what kind of checkout your site uses. Log into your site and go through your own checkout process. If you enter card details on a page that’s on your domain (yourbusiness.com/checkout), you have an embedded form and the new rules apply to you.
2. Talk to your web team. If you’re a Made Right Media client, we’re already on top of this and will be reaching out to discuss your options. If you work with another agency or manage your site yourself, ask them specifically about PCI DSS 4.0 compliance and whether your site is in scope.
3. Decide which path is right for you. For most of our clients, we recommend the hosted checkout approach — it’s simpler, less expensive, and eliminates the compliance burden entirely. For businesses where the on-site experience is critical, we offer a full compliance management plan. Either way, the important thing is making an informed choice rather than ignoring the issue.
Not sure where your site stands? That’s completely normal — most business owners have never had to think about this before.
Reach out for a quick consultation and we’ll take a look at your setup, let you know if you’re in scope, and point you in the right direction. No pressure, no jargon — just clarity.
Made Right Media manages WordPress websites for businesses and nonprofits across Idaho and beyond. If you have questions about how PCI DSS 4.0 affects your site, get in touch — we’re happy to walk through your options.