I've tried sifting through all the discussions online about PCI compliance when using PayPal Payments Pro, but there's no clear answer. Other than having SSL, since I'm not storing cardholder information (I'm only transmitting it), what do I need to do to be PCI compliant? I've implemented direct payment, express checkout, and recurring billing.
2 Answers
PCI compliance is determined by passing a PCI audit. A service can advertise itself as PCI compliant only if it's passed the initial audit and any periodic audits.
Any service can adhere to the PCI guidelines - and should - but adherence and compliance are two different things.
A more direct answer to the question:
PayPal stores and manages all customer payment information so they shoulder the majority of the burden that comes with adhering to the PCI guidelines. In your case, at a minimum you should:
- Make sure that no financial data is stored on your server (not even in a session cookie).
- Collect customer data and transmit it to PayPal in a secure manner. This usually means using SSL for all customer financial data transmitted to your server, and when re-transmitting this data to PayPal's API.
- Keep your software/infrastructure up to date to protect against zero-day exploits and other vulnerabilities.
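The three controls this answer lists can be expressed as code on the merchant side. The following is an added example, not code from the answer's author or from PayPal: a log filter that masks anything Luhn-valid before it reaches a log file, a scrubber that strips card fields (and any value containing a card number) before a form is kept in a session, and a TLS context builder that refuses plain http and requires certificate verification and TLS 1.2 or newer. The form field names, the gateway URL `https://gateway.example/nvp` and the sample form submission are hypothetical.

```python
"""Added example (not the answer author's code): the merchant-side controls the
answer lists, as runnable Python. Field names, gateway URL and sample data are
hypothetical."""
import logging
import re
import ssl
from urllib.parse import urlencode, urlparse
from urllib.request import Request, urlopen

# Hypothetical names of the card fields on the merchant's own checkout form.
SENSITIVE_FIELDS = {"card_number", "cvv", "expiry_month", "expiry_year"}

# 13-19 digits, optionally separated by single spaces or dashes, ending on a digit.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, so ordinary numbers (order ids, timestamps) are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with asterisks plus last four."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


class PanRedactingFilter(logging.Filter):
    """Attach to every handler so card numbers never reach log files on the server."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Render first so PANs passed as %-format arguments are caught too.
        record.msg = mask_pans(record.getMessage())
        record.args = None
        return True


def redacted_log_message(msg: str, *args) -> str:
    """What a log line looks like after the filter has run (useful in tests)."""
    record = logging.LogRecord("checkout", logging.INFO, "", 0, msg, args, None)
    PanRedactingFilter().filter(record)
    return record.getMessage()


def scrub_for_session(form: dict) -> dict:
    """Copy of the posted form that is safe to keep in a session cookie or database:
    drops the named card fields and any other value that contains a card number."""
    return {
        k: v for k, v in form.items()
        if k not in SENSITIVE_FIELDS and mask_pans(str(v)) == str(v)
    }


def gateway_tls_context(endpoint: str) -> ssl.SSLContext:
    """Refuse non-https endpoints; verify chain and hostname; TLS 1.2 or newer
    (PCI DSS no longer permits SSL or early TLS for cardholder data)."""
    scheme = urlparse(endpoint).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send cardholder data over {scheme!r}: {endpoint}")
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_context_is_strict(ctx: ssl.SSLContext) -> bool:
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def send_to_gateway(endpoint: str, fields: dict, timeout: float = 10) -> bytes:
    """Forward the card fields to the gateway over verified TLS and return the raw
    reply. Not called in the demo below: it needs a real endpoint and credentials."""
    ctx = gateway_tls_context(endpoint)
    req = Request(endpoint, data=urlencode(fields).encode(), method="POST")
    with urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read()


if __name__ == "__main__":
    log = logging.getLogger("checkout")
    handler = logging.StreamHandler()
    handler.addFilter(PanRedactingFilter())
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed form submission using a well-known test card number.
    form = {"name": "A. Customer", "card_number": "4111 1111 1111 1111",
            "cvv": "123", "note": "retry 4111111111111111"}
    log.info("charge attempt for %s with card %s", form["name"], form["card_number"])
    print("session keeps:", scrub_for_session(form))
    print("strict tls:", tls_context_is_strict(gateway_tls_context("https://gateway.example/nvp")))
```

The Luhn check keeps the filter from mangling order numbers and timestamps, and rendering the message before masking means a card number passed as a `%s` argument is caught as well as one embedded in the format string. The same `mask_pans` check is reused by the session scrubber, so a card number that a customer typed into a free-text field is dropped too.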
There are a variety of modes you can run PayPal Payments Pro in. If you're using their Hosted Pages or Transparent Redirect or Express Checkout features, you should have an easy time passing any PCI compliance requirements that PayPal imposes on you.
If you're using their direct payment options (where your site has the credit card numbers themselves), you will have to go through an extensive process, which I highly recommend. If you are collecting credit card numbers directly, you might consider using Braintree instead of PayPal because their API is much friendlier and has straightforward documentation, and they'll do much of the PCI compliance work for you.
If you do need to use a PCI Compliance consulting company, http://www.panopticsecurity.com/paypal/ has a reasonable rate and they are pretty responsive to questions.