
Wix, Shopify, or Squarespace: Do Hosted Stores Still Need PCI ASV Scans?

Hosting your store on Wix (or similar) does not automatically make you PCI compliant. Learn why PCI DSS v4.0 still requires quarterly ASV (Approved Scanning Vendor) scans for many hosted stores and how to confirm whether your domain is covered.




A quick Google search appears to answer the question: "most Wix store owners do not need to perform their own quarterly PCI scans." At least, that is what the AI summary says. Could that be true? If recent news has taught us anything, it is wise to take what AI says with a grain of salt and do your own validation. The objective of this article is to provide that validation by examining Wix's own Payments Terms of Service, Wix's article on its PCI compliance (which customer support likes to share in response to any PCI-related question), the PCI Security Standards Council's official resources, and finally a conversation with Wix Support to confirm whether they can provide proof and written confirmation that my site, manriq.com, is covered under Wix's own quarterly PCI DSS 4.0 external ASV scans.


Let's start with the basics


Before we dive into PCI DSS 4.0 details, we need to look at the requirement that triggers external vulnerability scanning. According to Requirement 11.3.2 of PCI DSS v4.0.1:

External vulnerability scans are performed as follows:
- At least once every three months.
- By a PCI SSC Approved Scanning Vendor (ASV).
- Vulnerabilities are resolved, and ASV Program Guide requirements for a passing scan are met.
- Rescans are performed as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
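As an added illustration (example code written for this page, not code from the article, Wix, or the PCI SSC), the following Python script checks a list of ASV scan results against the cadence in Requirement 11.3.2: consecutive passing scans no more than three months apart, the latest passing scan still current, every failed scan followed by a passing rescan, and every scan covering the full list of in-scope hostnames or IPs. It treats "three months" as three calendar months, which is an assumption about how the interval is measured; the scan records and the hostnames manriq.com / www.manriq.com are constructed sample data. This is the same check you would run over the evidence pack of quarterly Attestations of Scan Compliance that the conclusion recommends keeping.

```python
"""Check ASV scan records against the PCI DSS v4.0.1 Requirement 11.3.2 cadence.

Added example, not code from the original article, Wix, or the PCI SSC.
Assumption: "at least once every three months" is measured in calendar months
(day-of-month clamped to month end). The sample scan records below are constructed.
"""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanRecord:
    scan_date: date      # date on the Attestation of Scan Compliance
    passed: bool         # True if the ASV reported a passing scan
    scope: frozenset     # hostnames / IPs listed in the scan's scope


def add_months(d: date, months: int) -> date:
    """Shift d by `months` calendar months, clamping to the last day of the month."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def find_gaps(records, in_scope, as_of):
    """Return a list of findings; an empty list means the cadence holds as of `as_of`."""
    findings = []
    ordered = sorted(records, key=lambda r: r.scan_date)
    required = set(in_scope)

    # 1. Scope: a scan that omitted a host is not evidence for that host.
    for r in ordered:
        missing = required - set(r.scope)
        if missing:
            findings.append(f"{r.scan_date}: scope is missing {sorted(missing)}")

    # Only passing scans that covered the full scope count toward the quarterly cadence.
    counted = [r for r in ordered if r.passed and required <= set(r.scope)]
    if not counted:
        findings.append("no passing scan covers the full scope")
        return findings

    # 2. Cadence: consecutive counted scans must be no more than three months apart.
    for prev, cur in zip(counted, counted[1:]):
        if cur.scan_date > add_months(prev.scan_date, 3):
            findings.append(f"gap: {prev.scan_date} -> {cur.scan_date} exceeds three months")

    # 3. Currency: the latest counted scan must still be within three months of `as_of`.
    latest = counted[-1]
    if as_of > add_months(latest.scan_date, 3):
        findings.append(f"latest passing scan {latest.scan_date} is stale as of {as_of}")

    # 4. Rescans: a failed scan needs a later passing scan (rescans "as needed").
    for i, r in enumerate(ordered):
        if not r.passed and not any(later.passed for later in ordered[i + 1:]):
            findings.append(f"{r.scan_date}: failed scan has no passing rescan")

    return findings


def next_scan_due(records, in_scope):
    """Deadline for the next passing scan, or None if no full-scope scan has passed yet."""
    required = set(in_scope)
    passed = [r.scan_date for r in records if r.passed and required <= set(r.scope)]
    return add_months(max(passed), 3) if passed else None


# Constructed sample evidence pack (not real scan results for manriq.com).
SCOPE = frozenset({"manriq.com", "www.manriq.com"})
SAMPLE = [
    ScanRecord(date(2025, 1, 10), True, SCOPE),
    ScanRecord(date(2025, 4, 8), True, SCOPE),
    ScanRecord(date(2025, 7, 15), False, SCOPE),   # failed: needs a rescan
    ScanRecord(date(2025, 7, 29), True, SCOPE),    # rescan passed, but more than 3 months after 4/8
    ScanRecord(date(2025, 10, 20), True, frozenset({"manriq.com"})),  # www host dropped from scope
]


def check_sample(as_of=date(2025, 11, 1)):
    """Run the check over the constructed sample as of a fixed date."""
    return find_gaps(SAMPLE, SCOPE, as_of)


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
    print("next scan due by", next_scan_due(SAMPLE, SCOPE))
```

Against the sample pack the script reports three findings (a scope gap, a cadence gap, and a stale latest scan); a failed scan on its own is not a finding as long as a passing rescan follows it. Feed it the dates and scope lines from your real attestations to see whether the pack would survive an acquirer's request.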

The obvious follow-up question is: Does this apply to my Wix e-commerce site (or a similarly hosted site)? Suppose you’re outsourcing all payment functionality to a Third-Party Service Provider (TPSP) like Wix, Shopify, or Squarespace. In that case, your environment will often fall under SAQ A, defined as “Card-not-present merchants, all cardholder data functions fully outsourced.”


When SAQ A still requires ASV scans


According to the PCI SSC blog post titled "Resource Guide: Vulnerability Scans and Approved Scanning Vendors," "ASV scan requirements in SAQ A only apply to e-commerce merchant system(s) that hosts the webpage that either 1) redirects payment transactions to a PCI DSS compliant TPSP or 2) includes an embedded payment page/form from a PCI DSS compliant TPSP." In other words, whether your store redirects to the TPSP or embeds its payment form, the system serving that page is in scope for ASV scanning; the open question for a hosted store is who is responsible for scanning it. They also included a graphic to make this clear.



What about Wix’s position on the matter?


Wix has a couple of places with clues about its PCI compliance and how it is extended (or not) to its users: the help article titled "Security of Wix's Billing Services and PCI Compliance" and the Wix Payments Terms of Service.


In the article “Security of Wix’s Billing Services and PCI Compliance,” Wix mentions that they are indeed PCI compliant: “Wix is Payment Card Industry Data Security Standards (PCI DSS) compliant and is accredited as a Level 1 service provider and merchant.” Further down in the FAQ, there is a question “How do I make my Wix site PCI compliant?” with the answer being “Every site built on Wix is automatically PCI compliant by default with the highest Payment Card Industry Data Security Standards, regardless of the payment provider used.” They seem to repeat that quote in questions regarding scan results. This sounds nice and reassuring, but is it backed by their terms of service?


Within the Wix Payments Terms of Service, the #TLDR of term 5.4 says, "You are solely responsible to comply with PCI-DSS and/or PA-DSS standards and requirements and to have relevant physical and logical controls in place before using Wix's Services." Furthermore, part of 5.4(iii) says, "Upon request, the User will provide Wix with relevant documentation evidencing compliance with PCI-DSS and/or PA-DSS." I interpret this as: at any time, Wix can request evidence that you are indeed compliant with PCI DSS, and if you are an SAQ A merchant meeting either of the two aforementioned conditions, that evidence would include passing ASV scans.


At this point, it is not clear whether Wix indeed takes care of all our PCI-DSS requirements or if they would place the burden on us if an acquiring bank (AKA acquirer) decides to request evidence of compliance.


So, how can I be 100% sure if I need to scan my site?


Returning to the PCI SSC guidance on Vulnerability Scans & Approved Scanning Vendors, there’s an important question in the FAQ:


Q: My merchant website is hosted by a PCI DSS-compliant TPSP – is the TPSP responsible for the ASV scans?

A: It's essential to confirm with your TPSP who is responsible for ASV scans. Ask for documentation confirming (1) they are PCI DSS compliant for their hosting services, and (2) your website is included in their ASV scans, including the external IP, domain name, or URL. If your website is not included, coordinate with the TPSP to get your site scanned at least once every three months.

So far, item (1) is covered, as Wix publicly states Level-1 PCI DSS compliance. However, I couldn’t find any link in the Wix dashboard that explicitly confirms my site by URL, IP, or domain (manriq.com) is included in their ASV scans scope. So I followed the Council’s advice and contacted Wix to request either (a) documentation that my exact domain/URL is included in their quarterly scans, or (b) guidance to arrange my own quarterly scans.


Contacting Wix Support


It wasn’t immediately apparent how to reach a human via phone or email, so I found that using Wix’s AI chat and requesting an escalation was the path to take. After presenting the Wix Payments Terms versus the Wix PCI help article and requesting proof that manriq.com is included in Wix’s quarterly ASV scope, support could not provide documentation. In the end, they confirmed I should arrange my own ASV scans.



Conclusion


Unless you obtain explicit documentation from your TPSP that your exact domain/URL/IP is included in their quarterly ASV scans, you should assume the responsibility to run your own quarterly ASV scans and maintain a tidy evidence pack (SAQ A plus quarterly Attestations of Scan Compliance). That way, you’re prepared for requests from your acquirer, your processor, or even Wix per its Terms of Service.
