Everybody knows WooCommerce for setting up an online store, but did you know you can use the famous WordPress plugin for a service-based business as well? If you are a consultant, agency, or anybody who sells their skills or expertise for money, you are in the right place.
Traditional hosted invoicing solutions have many limitations, such as caps on the number of invoices you can send or customers you can store before you need to upgrade to a higher plan. Some may not even support your country, due to restrictions in the agreements they have with their payment processing partners.
Integrate WooCommerce with Stripe, PayPal or other Payment Gateways
Fortunately, if you can get a Stripe or PayPal account, you can use WooCommerce to issue invoices and take payments directly on your website. Depending on what you prefer, you can provide your customers with an a la carte experience where they select the plans & packages they want from your website, and checkout at the end. Alternatively, you can create and email customized invoices directly to your customers, where paying with their debit or credit card is simply a click away.
Major Benefits of WooCommerce for Service Businesses
- Free and open-source – WooCommerce is a trusted, security-audited plugin developed by Automattic, the same team of developers that maintains WordPress.
- Not just for physical products – In the initial setup wizard of WooCommerce, you can check off an option that disables all the features pertaining to physical products, such as weight and dimensions.
- Powerful dashboard – The plugin adds the ability to manage orders, create products, and set up shipping and tax rules (if applicable) all from your WordPress dashboard. You can create as many accounts for your employees as you require.
- Fully customizable – The invoices & receipts that your customers will see, in addition to the entire cart/checkout process can be branded with your own logo, fonts, and colors, and tailored to fit your WordPress theme.
- Simple PCI compliance – With WooCommerce’s standard payment gateways, PayPal Payments Standard and Stripe Checkout and Elements, you can avoid the cost & complexity of PCI compliance.
Security and PCI Compliance Considerations for Using WooCommerce
WooCommerce is a free plugin for WordPress, but you should have a self-hosted WordPress website, not a blog hosted on WordPress.com. For security & stability reasons, we also recommend that the WordPress site is hosted on a VPS or cloud server, not shared hosting. After all, you will be handling your customers’ sensitive personal data on your website, so protecting that information should be your primary concern.
How WooCommerce has integrated the two most popular payment gateways, PayPal and Stripe, is a huge benefit particularly for small-to-medium businesses. It relieves your burden of complying with PCI requirements to accept credit cards, by outsourcing the responsibility of data security to the payment companies.
With WooCommerce’s Stripe plugin, the credit card number, expiration date, and CVV code are handled directly by Stripe.js through payments.stripe.com; these details are never transmitted to or stored by your server. Similarly, with PayPal Payments Standard, users are redirected to a hosted page on PayPal before entering any payment information. After they complete the payment, the PayPal IPN (Instant Payment Notification) API makes a callback to your server and notifies WooCommerce whether the payment has been successfully completed.
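The IPN callback described above is only trustworthy if the listener validates it before marking an order as paid. The following is an added example, not code from the article or from WooCommerce itself; it implements PayPal's documented listener flow (acknowledge the POST, send the identical body back to PayPal with cmd=_notify-validate prepended, act only on a "VERIFIED" reply) and then applies the merchant-side checks that a verified message still needs: the receiver account, the payment status, a replay check on txn_id, and the amount and currency against the local order. The postback function is injected so the example runs offline; the merchant e-mail, the order table and the sample IPN body are constructed, and the assumption that the order id travels in the invoice field is this example's, not WooCommerce's.

```python
"""Validate a PayPal IPN message before trusting it (added example)."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qsl, urlencode

# Hypothetical merchant settings, constructed for this example.
RECEIVER_EMAIL = "payments@example-agency.test"
# Production postback target per PayPal's IPN documentation.
POSTBACK_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str


# Constructed order table standing in for the store's order lookup.
ORDERS: Dict[str, Order] = {"1001": Order("1001", Decimal("250.00"), "USD")}


def build_postback(raw_body: str) -> str:
    """PayPal requires the original body, byte for byte, after the validate command."""
    return "cmd=_notify-validate&" + raw_body


def verify_ipn(raw_body: str,
               postback: Callable[[str], str],
               seen_txn: Set[str]) -> Tuple[bool, str]:
    """Return (accept, reason). Only an accepted message may mark an order paid."""
    # 1. Let PayPal confirm it actually sent this exact message.
    if postback(build_postback(raw_body)) != "VERIFIED":
        return False, "postback not VERIFIED"

    params = dict(parse_qsl(raw_body, keep_blank_values=True))

    # 2. The money must have gone to our account, not any PayPal account.
    if params.get("receiver_email", "").lower() != RECEIVER_EMAIL:
        return False, "receiver_email mismatch"

    # 3. Pending, Reversed and Refunded are valid IPNs but not a paid order.
    if params.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"

    # 4. A verified message can still be replayed; each txn_id counts once.
    txn_id = params.get("txn_id", "")
    if not txn_id or txn_id in seen_txn:
        return False, "missing or duplicate txn_id"

    # 5. Match the message against the order it claims to pay for.
    order = ORDERS.get(params.get("invoice", ""))  # assumed field, see lead-in
    if order is None:
        return False, "unknown order"
    try:
        gross = Decimal(params.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross not numeric"
    if gross != order.amount or params.get("mc_currency") != order.currency:
        return False, "amount or currency mismatch"

    seen_txn.add(txn_id)
    return True, "ok"


# Constructed IPN body for the order above.
SAMPLE_IPN = urlencode({
    "txn_id": "TXN-EXAMPLE-001",
    "payment_status": "Completed",
    "receiver_email": RECEIVER_EMAIL,
    "mc_gross": "250.00",
    "mc_currency": "USD",
    "invoice": "1001",
})


def fake_paypal_postback(body: str) -> str:
    """Offline stand-in for the HTTPS postback: PayPal answers VERIFIED or INVALID."""
    return "VERIFIED" if body.startswith("cmd=_notify-validate&") else "INVALID"


if __name__ == "__main__":
    seen: Set[str] = set()
    print(verify_ipn(SAMPLE_IPN, fake_paypal_postback, seen))   # (True, 'ok')
    print(verify_ipn(SAMPLE_IPN, fake_paypal_postback, seen))   # replay is refused
```

The postback in a real listener is an HTTPS POST of the built body to POSTBACK_URL; the rest of the logic is unchanged. Checks 2 and 5 are the ones most often skipped in hand-rolled listeners, and they are what stop a genuine IPN for a different account or a smaller amount from completing the wrong order.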
If you store, process, or transmit credit card information directly
If your website were to store, process, or transmit your customers’ credit card details at any time, you would be required to complete the Payment Card Industry’s most onerous PCI compliance self-assessment questionnaire for e-commerce merchants, the SAQ-D. This form contains over 329 questions that require highly technical knowledge of how you store, limit access to, and securely destroy card information across your organization’s computer systems. Furthermore, you are required to hire a PCI Approved Scanning Vendor (ASV) to conduct quarterly security scans of your website, at a cost that can run to $10,000/year or more.
If you use an invoicing app that hosts its own payment forms
Now you may be wondering, why does WooCommerce have an edge over other hosted invoicing solutions that integrate with Stripe or PayPal? Many apps rely on an older version of the Stripe API (Stripe v2) that involves POSTing data to Stripe from a hosted payment form, or use PayPal Express Payment (instead of Standard). Although the information is not stored on the third-party server itself, the PCI-DSS (Data Security Standard) still requires the merchant to complete a fairly lengthy SAQ-A-EP questionnaire consisting of over 100 questions. If the application you use falls into this category, you can achieve PCI compliance at a reduced cost of around $400/year by engaging a company such as Security Metrics.
If you use WooCommerce with Stripe Checkout and Elements, or PayPal Payments Standard
With WooCommerce and Stripe integration, you are allowed to use the simplest PCI compliance form, the SAQ-A. In fact, the attestation of compliance (AoC) and pre-filled questionnaire will be automatically generated for you by Stripe after you complete your first 20 transactions. This is possible because Stripe meets the requirements for a PCI Level 1 service provider. As an organization that processes over 6 million card transactions per year, Stripe has met the highest standards for security of cardholder data, based on audits performed by its security assessment firm. As a small business, you get great value for money because Stripe shoulders all of this responsibility for you, as long as you use Stripe Checkout and Elements instead of other integration methods.
When WooCommerce is integrated with PayPal Payments Standard, you don’t even need to do anything related to PCI compliance. PayPal’s position with the card companies is that its merchants do not need to fill out any forms if they redirect their users entirely to a PayPal-hosted checkout flow. Again, you are leveraging the benefits of partnering with a payment processor that handles all of the security considerations on the back end, so you don’t have to.
Deploy WooCommerce Securely in the Cloud
Just remember that even if you are using Stripe’s hosted checkout forms, you are still required to serve every shopping cart and checkout page on your website over HTTPS. The Internet giants, including Google, are determined to make encrypted pages a requirement, as shown by Google’s recent decision to mark any page without HTTPS as “Not Secure” in Chrome, and with good reason. HTTPS is required because your clients’ other personal data, such as name, address, contact details, and logins, would otherwise be exposed, even though their credit card information is protected by PayPal or Stripe. Luckily, you are not required to prove PCI compliance beyond this if you are using PayPal’s or Stripe’s approved integration methods, so you are free to use the web hosting service of your choice without needing to find a specific “PCI Compliant Webhost.”
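The two conditions this section and the SAQ discussion above turn on, that the cart page is served over HTTPS and that your own page renders no card-data fields (a hosted form that POSTs card data to Stripe from your page is exactly what moves you from SAQ-A to SAQ-A-EP), can be checked mechanically against the HTML you actually serve. The following is an added example written for this article, not code from WooCommerce, Stripe or PayPal; it audits a page's URL and markup for those conditions plus plain-http script, iframe and form targets. The card-field name hints are a heuristic chosen here, and both sample pages are constructed.

```python
"""Self-check of a checkout page for SAQ-A eligibility conditions (added example)."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Heuristic hints that an <input> on *your* page collects card data.
# Stripe Elements renders its fields inside js.stripe.com iframes, so a
# hosted integration yields no such inputs in the page you serve.
CARD_FIELD_HINTS = ("cardnumber", "card_number", "card-number", "cc-",
                    "ccnum", "cvv", "cvc", "expir", "exp_month", "exp_year")


class _CheckoutMarkupAudit(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            hints = " ".join([a.get("name", ""), a.get("id", ""),
                              a.get("autocomplete", "")]).lower()
            if any(h in hints for h in CARD_FIELD_HINTS):
                self.findings.append(
                    f"card data field rendered by your page: {a.get('name') or a.get('id')}")
        # Mixed content or a plain-http POST target undermines the HTTPS requirement.
        target = a.get("src") if tag in ("script", "iframe") else a.get("action") if tag == "form" else None
        if target and target.lower().startswith("http://"):
            self.findings.append(f"insecure {tag} target: {target}")


def audit_checkout_page(page_url: str, html: str) -> List[str]:
    """Return a list of findings; an empty list means the page passes these checks."""
    findings: List[str] = []
    if urlparse(page_url).scheme != "https":
        findings.append("page not served over HTTPS")
    parser = _CheckoutMarkupAudit()
    parser.feed(html)
    return findings + parser.findings


# Constructed page using a hosted (Elements-style) integration: card fields
# live inside the gateway's iframe, so the page itself has none.
HOSTED_PAGE = """
<form method="post" action="https://shop.example.test/checkout/">
  <input type="email" name="billing_email">
  <input type="hidden" name="woocommerce-process-checkout-nonce" value="placeholder">
  <div id="card-element"></div>
  <script src="https://js.stripe.com/v3/"></script>
</form>
"""

# Constructed page that renders its own card form and posts it from the page;
# this is the pattern that triggers SAQ-A-EP.
SELF_HOSTED_FORM_PAGE = """
<form method="post" action="http://shop.example.test/pay.php">
  <input name="card_number" autocomplete="cc-number">
  <input name="exp_month"><input name="exp_year">
  <input name="cvc" autocomplete="cc-csc">
</form>
"""

if __name__ == "__main__":
    print(audit_checkout_page("https://shop.example.test/checkout/", HOSTED_PAGE))
    print(audit_checkout_page("http://shop.example.test/checkout/", SELF_HOSTED_FORM_PAGE))
```

Run it against the HTML your server returns for the cart and checkout URLs (fetched over the same scheme customers use). Findings of the first kind are a scope question for your SAQ; findings of the second kind are configuration defects to fix before go-live.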
Our payment integrations team would be pleased to help you securely deploy WordPress with WooCommerce on your own virtual server in the cloud and ensure your SSL certificates meet the highest standards of security based on Qualys SSL Test and High-Tech Bridge. We can also help you customize WooCommerce so it is suitable for use for either a product or service-based business and connect the required email gateway so your customers will receive invoices and order confirmations by email. In addition, we will add the necessary API keys from your Stripe or PayPal account to integrate WooCommerce with your payment gateway of choice.
At the end of the day, security is everybody’s responsibility, and we are committed to helping you comply with PCI requirements without it becoming an expensive or time-consuming burden on your business. Remember to contact us before you start testing any other invoicing apps with Stripe, because once you accept 20 transactions, Stripe will determine which SAQ you need, and you will not be able to easily reverse it if your app triggered a SAQ-A-EP or SAQ-D requirement.