
PCI compliance on each?

Roughly equivalent, as long as both use tokenized payment forms.

WooCommerce: with Stripe / Braintree / PayPal / Square (the standard payment plugins), card data never touches your server. PCI scope is SAQ A — the easiest tier, basically a self-attestation. Cost: $0 extra. With on-server gateways like Authorize.Net AIM (rare on Woo, but possible), PCI scope jumps to SAQ A-EP — quarterly ASV scans, $5k–$25k/yr in compliance work.

Magento: identical situation. With Stripe Elements / Braintree Hosted Fields / Adyen drop-in / PayPal smart buttons, you stay in SAQ A. With on-server payment forms (rarely seen on modern Magento), you move to SAQ A-EP or SAQ D.

Where Magento has a small edge: Adobe Commerce ships with PCI-DSS Level 1 attestation for hosting; Adobe Commerce Cloud is PCI-DSS Level 1 certified at the infrastructure layer. WooCommerce hosting is host-dependent — managed WP hosts (WP Engine, Kinsta) are usually PCI-DSS Level 1 at the infra layer too, but you have to confirm with each host.

Verdict: not a real differentiator in 2026. Both platforms with tokenized gateways = SAQ A.
