
A similar question to what I am asking has already been answered at the link below.

Paypal payments pro and pci compliance

But this question is three years old, so I would appreciate it if someone could give me an up-to-date answer.

On PayPal's website it's mentioned that in order to use PayPal Pro you'll have to get PCI DSS certified, and I am trying to implement PayPal Pro on one of my e-commerce sites. I am not going to store any card details and will use an SSL certificate to transmit data securely.

Do I need to do anything else to be PCI/DSS compliant and in order to keep my PayPal Pro account active?

And is there an easy workaround for making this work? For instance, RackSpace offers PCI DSS compliant servers. Switching to them will help me implement most of the network-based requirements.

Well, PCI DSS compliance covers a lot more than just SSL and whether or not your web site stores information. It's been a long time since I went through that checklist; it covers your entire operation (on/offline). At that time the checklist changed roughly yearly. To be certified, you'll need to work with a provider. Hth... EdSF

3 Answers

1 vote

As long as you're using a solid SSL certificate and you're not saving any sensitive data to your own servers, like you mentioned, then you'll be just fine.

Things get a lot more difficult when you are saving credit card details to your own server.

1 vote

PCI DSS compliance covers a lot of aspects, from physical security and network security to operating system security.

If you are using Rackspace, then the physical security part can be out of scope, but the network security portions like firewalls, IDS, HIDS and a centralized log monitoring system, followed by operating system security (Linux / Windows), will still come into the picture.

Having a PCI compliant infrastructure helps a lot, but hosting a website in one does not lead to PCI compliance.

PS: PCI DSS 3 mandates the use of TLS 1.2 instead of SSL :)

1 vote

There's a common misconception that PCI DSS only covers entities who "store, process, or transmit cardholder data." You need to realize:

  1. Even though it's encrypted, it's still cardholder data and still subject to PCI DSS (see PCI DSS FAQ 1086).
  2. Any entity that can impact the flow of said cardholder data is in scope for PCI DSS, which means you (see the same FAQ).

There are some exceptions to each of these if you read the last couple of paragraphs of the FAQ.

That said, the first question you need to answer, which greatly impacts your level of required compliance as well as who you should report it to, is: who is the merchant of record on the transactions? Will PayPal be collecting the payments and giving you a daily/weekly/monthly settlement deposit minus fees, or does each payment go directly to your merchant account and you pay your PayPal fees separately?

If you are the merchant of record, you would be subject to compliance as a merchant; if PayPal is the merchant of record, you would actually become their service provider.

When you are the merchant, your bank will dictate what proof of compliance you provide them, depending on what merchant level you are (http://pcipolicyportal.com/what-is-pci/merchants/). You will most likely be able to self-assess. If you are using PayPal's embedded payment form, then you would most likely qualify for an SAQ A, possibly an SAQ A-EP. If you use the API, then you'll most likely be required to complete an SAQ D. All are downloadable from the PCI SSC website.

When you are a service provider, you are at the mercy of the merchant of record, in this case PayPal. They can dictate any kind of compliance they deem appropriate, as they are liable for the security of every transaction. From a PCI perspective you would either complete an SAQ D Service Provider or a Report on Compliance (ROC) and Attestation of Compliance (AOC), each downloadable from the PCI SSC website.

TL;DR: Just use PayPal Pro's embedded forms, complete an SAQ A and be done with it. If PayPal is the merchant of record for the transactions, it's up to them to tell you what compliance steps you need to complete. If you use the API, have fun completing the SAQ D.