Is Gravity Forms PCI Compliant?

The short answer is yes, Gravity Forms is PCI compliant. However, this is subject to change depending on your environment and setup, as Gravity Forms is simply a single piece of the puzzle.

Gravity Forms is only used to collect user input; it is not a payment processor. Instead, Gravity Forms transmits that data to the credit card processor of your choice, such as Stripe, Authorize.Net, or PayPal, which handles authorization and payment.

PCI Compliance Requirements in Gravity Forms

Below are the requirements for PCI compliance that pertain to Gravity Forms:

  • Protect stored cardholder data
    Gravity Forms does not store any cardholder data.
  • Encrypt transmission of cardholder data across open, public networks
    Gravity Forms requires SSL (https) for any add-ons that transmit credit card information to a third-party payment processor. Note that add-ons such as the PayPal Standard add-on do not require SSL, as the customer is redirected to PayPal and no credit card data is entered within your form.
  • Develop and maintain secure systems and applications
    Gravity Forms is regularly checked for security. (Read our Security white paper here.) Please note that while Gravity Forms is developed with security in mind, your other plugins and themes can impact this. Read more about WordPress and Gravity Forms Security Practices here.
  • Log payment application activity
    Gravity Forms keeps a log of all transactions that occur.

More Information on PCI Compliance

PCI Security Standards Council

WP Engine article on PCI compliance, with good general information that applies to WordPress sites on any host.