
Security Weekly

WordPress Security Compliance & Regulations


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 12

Security compliance and regulations are topics that are not often discussed in the context of WordPress, but this is going to change significantly in the coming years. GDPR was one of the first regulations to make some compliance practices mainstream in the WordPress ecosystem.

At the end of this month (31st March 2024), PCI DSS v3 will retire and be replaced by PCI DSS v4, which will introduce significant changes to compliance for everyone who accepts credit card payments on their website (regardless of whether the processing is done via a third-party provider).

Then there’s also the upcoming European Cyber Resilience Act, which brings significant regulatory security requirements to the open-source software ecosystem. This is so significant that WordPress, Drupal, Joomla!, and TYPO3 joined forces to send a letter of concerns to the European Union.

Whether we want it or not, new regulations are coming.

The New PCI DSS Version 4

The first one to take effect is PCI DSS version 4 (31st March 2024), which introduces more than 50 new requirements for vendors (such as WooCommerce sites) who process payment data.

One of the most significant changes is that merchants can no longer bypass PCI requirements just because they use a third party to process payments for them. The new PCI DSS v4 specifically states that merchants need to protect the payment pages.

As mentioned, there are 50 new requirements that come with the new PCI compliance, but I would like to highlight two of them, which will probably create a significant shift in the market.

Requirement 6.3: Security vulnerabilities are identified and addressed.

Vulnerability management is no longer an option. Every website that has payment pages where a customer can enter credit card information must have an ongoing overview of security vulnerabilities present in the application, and the application needs to be protected.

Multi-Factor Authentication (MFA) Requirement

Websites that handle payment information, store it, and show it back to the user must enforce multi-factor authentication. The new PCI DSS v4 is quite clear about the fact that 2FA/MFA should essentially be deployed for everyone.

There’s a lot to unpack when it comes to PCI, but I recommend everyone who accepts credit card payments on their website or shop to look into this.

EU Cyber Resilience Act

The European Cyber Resilience Act essentially regulates how security must be managed for software products. The CRA places its obligations on software manufacturers, meaning anyone who publishes code that is made available in the EU.

This actually covers anyone who publishes software on the Internet, open source or not, regardless of whether you’re based in the EU, since you would likely have EU users.

This will directly affect all WordPress plugin developers, for example, who will be required to perform regular security audits and code reviews on what they produce, and they will need to enforce a coordinated vulnerability disclosure policy (no more hidden security fixes).

Last Tuesday, the European Parliament approved the new Cyber Resilience Act standards, so it’s expected to come into force at some point in 2024. Every plugin/theme developer in the WordPress ecosystem should start looking into the requirements today. As with most recent European technology regulation, non-compliance could result in significant fines: up to the higher of €15 million or 2.5% of global turnover.

Just like with PCI, there’s also a lot to unpack with the CRA. I’ll add resources for that as well.


Resources:

