Ecommerce that keeps card data off your servers, and your PCI scope small
Every business that takes a card online has to meet PCI DSS. What most owners don't realize is how much of that burden is decided by how the checkout is built.
Capture card numbers on your own form or store them in your own database, and you're in the audit-heavy end of PCI: quarterly scans, long questionnaires, and full breach liability if anything leaks.
WebDevAuto builds stores where the card never touches your servers or ours: it goes straight from the customer's browser to Stripe, which hands back a token. That keeps you in the lightest PCI scope (SAQ A) and wires orders, customers, and payouts into the rest of your system.
A PCI-compliant ecommerce site is an online store built so customers' card data never touches your servers or ours: it's captured directly by a PCI-certified processor like Stripe and exchanged for a token. That keeps your business in the smallest PCI DSS scope (SAQ A) instead of the audit-heavy path you land in when card numbers flow through your own systems. WebDevAuto builds stores that way by default.
Where ecommerce sites blow their PCI scope
- Card fields on your own form. If the card number is typed into an input your server can see, your whole application is in PCI scope, even if you "pass it straight to the processor."
- Storing card data. Keeping card numbers (or even the full PAN "for refunds") is the single fastest way to turn a breach into a catastrophe and a routine audit into a hard one.
- Cheap or abandoned payment plugins. A self-hosted cart plugin that handles card data, and hasn't been updated in a year, is both a PCI scope problem and a security one.
How we keep card data off your servers
- Tokenized checkout. Card details go directly from the customer's browser to Stripe (a PCI Level 1 service provider) and come back as a token. Your server (and ours) never sees the card number.
- No card storage, ever. We store a Stripe token reference for refunds and repeat billing, never the card itself.
- SAQ A scope by design. Because card data bypasses your systems, you're eligible for the shortest PCI self-assessment, not quarterly scans of your whole stack.
- Webhook-driven orders. Order fulfillment, receipts, and CRM updates are triggered by signed Stripe webhooks, not by trusting the browser.
- HTTPS + modern security baseline. Encrypted everywhere, with the same speed and accessibility invariants as every WebDevAuto build.
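The "signed Stripe webhooks" point above, as an added example written for this page (not WebDevAuto's or Stripe's own code): it checks a `Stripe-Signature` header the way Stripe documents it (HMAC-SHA256 over `timestamp.raw_body`, plus a replay window) against a constructed endpoint secret and a constructed event body, so a forged or replayed "order paid" event is rejected before it triggers fulfillment. In production the official `stripe` library's `Webhook.construct_event` performs this same check.

```python
import hmac
import hashlib
import time

# Constructed values for this example only (not real Stripe credentials).
ENDPOINT_SECRET = "whsec_example_constructed_secret"
TOLERANCE_SECONDS = 300  # reject events whose timestamp is too old (replay defence)

def parse_signature_header(header):
    """Split a 'Stripe-Signature' header (t=...,v1=...[,v1=...]) into timestamp and v1 signatures."""
    timestamp = None
    signatures = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t":
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures

def compute_signature(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<raw request body>', hex encoded."""
    signed_payload = f"{timestamp}.{payload}".encode("utf-8")
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()

def verify_webhook(payload, header, secret=ENDPOINT_SECRET, now=None):
    """True only if the raw body was signed with our endpoint secret and is fresh."""
    now = time.time() if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = compute_signature(secret, timestamp, payload)
    # Constant-time comparison against every v1 signature (Stripe may send several during secret rotation).
    return any(hmac.compare_digest(expected, sig) for sig in signatures)

# Constructed event body. A real handler must verify the raw bytes it received, not re-serialized JSON.
SAMPLE_PAYLOAD = '{"id":"evt_example","type":"checkout.session.completed","data":{"object":{"id":"cs_example"}}}'

def demo():
    ts = 1_700_000_000
    good_header = f"t={ts},v1={compute_signature(ENDPOINT_SECRET, ts, SAMPLE_PAYLOAD)}"
    tampered_body = SAMPLE_PAYLOAD.replace("cs_example", "cs_forged")
    return {
        "valid": verify_webhook(SAMPLE_PAYLOAD, good_header, now=ts + 10),
        "tampered_body": verify_webhook(tampered_body, good_header, now=ts + 10),
        "stale_replay": verify_webhook(SAMPLE_PAYLOAD, good_header, now=ts + 3600),
    }

if __name__ == "__main__":
    print(demo())
```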
Wired into the rest of your system
- CRM + unified inbox: every order, customer, and support message in one place, no manual export
- AI Receptionist (Ava): answers pre-sale and order questions by phone, 24/7
- Stripe payouts direct to you: your account, your money, no per-sale platform fee from us
- Receipts + lifecycle email: order confirmations and follow-ups run on the same automation as the rest of your marketing
Shopify / hosted store vs. self-hosted cart vs. WebDevAuto
| | Shopify / hosted store | Self-hosted cart (WooCommerce, etc.) | WebDevAuto |
|---|---|---|---|
| PCI scope | Small (SAQ A), handled for you | Large, your server is in scope; scans + full SAQ on you | Small (SAQ A) by design, card data never hits your stack |
| Card data exposure | Never touches your servers | Often flows through (or is stored on) your server | Tokenized via Stripe, never touches your servers or ours |
| Customization + ownership | Limited to the platform's themes and rules | Fully custom, but you own all the maintenance and security | Fully custom site you own, without owning the card-data risk |
| Fees | Monthly plan + per-sale platform fee on many plans | Hosting + plugins + your maintenance time | Flat monthly build; Stripe payouts direct to you, no cut from us |
| Integration with your system | Add-on apps; data often siloed from your CRM | DIY integrations, fragile glue | Orders, customers, and support land in your CRM + inbox on day one |
If a standard Shopify store fits, use it: it's PCI-friendly and inexpensive, and we'll tell you so. WebDevAuto is the right call when you need a custom store, want it integrated with your CRM and AI receptionist, or don't want a platform taking a slice of every sale, all while keeping the same small PCI scope.
Pricing for a PCI-aware ecommerce build
A straightforward store fits Website Design & Hosting ($150/mo): the conversion-engineered, Stripe-tokenized build, hosting, and maintenance, with payouts direct to your own Stripe account.
Larger catalogs, custom checkout, or subscription/marketplace logic are scoped as a Custom App build. Stack the CRM ($200/mo) so every order and customer lands in one system; AI features are usage-billed.
Engagement
Monthly Services
Three à-la-carte monthly services: website, SEO, and CRM. No setup fees, no deposits, no contracts. Take one or stack all three.
Not sure where to start? Run a free diagnostic on your current site first.
Website Design & Hosting
A conversion-engineered website that loads fast, captures leads, and stays maintained, month to month.
- Custom conversion-engineered website
- Loads under 2 seconds
- Lead forms wired to your inbox
- Hosting + monitoring + maintenance
- No setup fee, month-to-month
Any business that needs a professional, high-performing web presence without a big upfront commitment.
SEO & Google Business Profile Optimization
Ongoing SEO and Google Business Profile management so you rank on search, Maps, and AI assistant answers.
- Ongoing on-page + technical SEO
- Google Business Profile setup + optimization
- Rank on Google search and Maps
- Show up in AI assistant answers
- Monthly rankings + traffic reporting
Local service businesses where organic search and Google Maps are the primary lead source.
AI CRM
Customer database, pipelines, unified inbox, invoicing, and automated follow-ups, with AI billed by what you use.
- Customer database + pipelines + analytics
- Unified inbox (email + text)
- Invoicing with built-in payments
- Automated follow-ups + scheduling
- AI features (billed by usage)
- Ava answers your calls
- AI texts & emails customers back
- Content + ad generation
Businesses ready to systematize follow-up, automate ops, and add AI on their own terms. AI features are billed based on usage: you only pay for what you actually use.
See whether your store is in the PCI scope you think it is
Engineering Diagnostic
We audit your existing store (including how checkout handles card data and where your PCI scope actually sits) and email you a full report.
Frequently asked questions
- Does my ecommerce site need to be PCI compliant?
- Yes, every business that accepts card payments must comply with the PCI Data Security Standard. The real question is which level of self-assessment (SAQ) you fall under, and that depends on how your checkout is built. A store where card data never touches your servers qualifies for SAQ A, the shortest path; one that handles card data directly lands in the audit-heavy levels.
- How do you keep my PCI scope small?
- We build checkout so card details go straight from the customer's browser to Stripe (a PCI Level 1 certified processor) and come back as a token. Because the card number never reaches your servers or ours, your business is eligible for SAQ A (the shortest self-assessment) instead of quarterly scans and a full audit of your systems.
- Is Shopify PCI compliant? Why not just use it?
- Shopify keeps you in SAQ A scope and is genuinely a great, inexpensive choice for a standard store: if it fits, use it. WebDevAuto makes sense when you need a custom store, want it wired into your CRM and AI receptionist, or don't want to pay a platform a per-sale fee, while keeping the same small PCI scope.
- Do you store credit card numbers?
- No, never. Card data is tokenized by Stripe at the moment of entry; we store only a token reference, which is used for refunds and repeat billing and is useless to an attacker on its own. Not storing card data is the single biggest factor in keeping both your PCI scope and your breach risk small.
- Who is responsible for PCI compliance, you or me?
- It's shared. Stripe maintains the certified environment that processes cards. WebDevAuto builds the store so card data stays out of your scope, keeping you eligible for the lightest self-assessment. You (the merchant) still complete your SAQ and keep your account in good standing. We tell you exactly what's left on your side so nothing is assumed.
- How much does a PCI-compliant ecommerce build cost?
- A straightforward store fits the Website Design & Hosting ($150/mo): the conversion-engineered, Stripe-tokenized build, hosting, and maintenance. A larger catalog, custom checkout flow, or subscription/marketplace logic is scoped as a Custom App build. Add the CRM ($200/mo) so orders and customers flow into one system; AI features are billed by usage.