PayPal and the PCI DSS

How PayPal relates to PCI compliance

‍

There is some confusion among online businesses over how PayPal payment acceptance relates to PCI compliance. You may have heard that by using PayPal, your business is not subject to the PCI DSS.

‍

The truth is, even accepting PayPal payments requires you to be PCI compliant. In this scenario, it is helpful to think of PayPal as a payment processor. Even though they are ultimately storing, processing and transmitting the cardholder data, as a merchant your business is the one accepting that information. Therefore, your online environment can have the ability to affect the security of the payment process/transaction.

‍

The good news? Using a PCI-compliant third party service provider (PayPal, Auth.net, etc.) can limit your scope of compliance. And, if your e-commerce business accepts less than 300,000 card payments per year, then you can self-assess your compliance rather than hire a PCI QSA.

‍

PayPal and Self Assessing PCI compliance

‍

In versions 3.0 and 3.1 of the PCI Self Assessment Questionnaires (SAQs), if the entire payment page is outsourced to PayPal or any other PCI-compliant third party service provider, then you can validate with an SAQ A.

‍

The key here is the word “entire.” The entire payment page must be rendered by the third party service provider. If you pass any data other than that required for the transaction to the payment page at the time of the transaction (like java script to render the page so that it looks like your website), then you must validate with an SAQ A-EP, which is much more burdensome. More on the differences between SAQ A and SAQ A-EP.

‍

But Wait, There’s More!

‍

There is actually a third SAQ option for e-commerce merchants: SAQ D-Merchant. So if you have an e-commerce site, I recommend checking out PCI SAQ 3.1: E-Commerce Options Explained to learn more about the online payment processing scenarios that map to SAQ A, SAQ A-EP and SAQ D-Merchant.

‍

Need more information on how to self-assess to your business’s PCI compliance?

‍

PayPal and the PCI DSS

How PayPal relates to PCI compliance

PayPal and Self Assessing PCI compliance

But Wait, There’s More!

Need more information on how to self-assess to your business’s PCI compliance?

Examines how PayPal relates to PCI DSS compliance

VIKINGCLOUD NEWS & RESOURCES

Beyond Fingerprints: Exploring Behavioral Biometrics for Secure Identity Verification

PA-DSS Transformation to SSF

Managed Security Services

PayPal and the PCI DSS

Cybersecurity Awareness Month: See Yourself in Cyber

EDR or SIEM: Which Should You Choose?

3 Common Pitfalls to Meeting PCI DSS Compliance

“Does my backup services business need to be PCI compliant?”

PCI Myths

Working with Multiple Compliance Standards

PTS POI v3 Device Expiration: Are You Ready?

Small Business and PCI Cost vs. Benefit

SEC Adopts New Rules on Cybersecurity Risk Management, Incident Disclosure, and Ransomware Payments by Public Companies

PCI DSS 4.0: Targeted Risk Analysis

PCI DSS 4.0: Multifactor Authentication

Serving Up Reliable Security

Avoid Audit Fatigue - Using Automation to Create an Efficient Compliance Framework (and Stay Sane)

“Can We Securely Store Card Data for Recurring Billing?”

Penetration Testing

Staples, 23andMe respond to holiday data breaches

No Windows XP Support, No PCI Compliance?

Is PCI Compliance a Law? Should it be?

5 Reasons Your Customers May Not Trust You With Their Personal and Financial Data

VikingCloud to take seat at PCI SSC Global Executive Assessor Roundtable

In a comply-or-else industry, this payment solutions provider doesn’t just clear the bar, but surpasses the competition.

VikingCloud Announces Industry’s First PCI L4 Compliance Program with Integrated Cyber Risk Score

How Do Cybercriminals Profit From My Stolen Data?

“Are ‘Knuckle Busters’ PCI Compliant?”

The Real Cost of Data Breach

Microsoft Ending Support for Windows Server 2003

Why there’s no one-size-fits all solution to security maturity

When the Internet Goes Out, this QSR Relies on a Seamless and Secure Backup

The PCI Basics & Quick Guide

How women in payments, fintech, and cybersecurity are breaking the glass ceiling?

Cyber Threat Unit Spotlight: Robin Divino

PA-DSS and PCI DSS: Beware the critical difference!

Finding The Cure for Swelling Cyber-threats

Improving Security Awareness - Best Practices

PCI Security Standard Council Announces New SLA Timelines - Effective September 27, 2023

PCI DSS v4.0 – Best Practices for Automated Log Reviews

IMPORTANT LINKS

Ensuring Penetration Testing Leads to Security

PCI DSS v4.0: Authenticated Scans

PCI DSS 4.0 - Risk vs. Requirement

CISOs on alert following SEC charges against SolarWinds

PCI DSS 4.0 - Implementing and Validating Requirements

The 2019 PCI Compliance Annual Plan

Web Risk Monitoring

5 “Buts” Your QSA Doesn’t Want to Hear

High Availabilty Solution

Staying PCI DSS compliant as the global payment landscape evolves

3 Basic Ways to Avoid PCI Paralysis

ISO27001 vs. ISO27002

Cryptography in the Face of Quantum Computing

How Can Your PCI Compliance Efforts Ultimately Save Your Business Money?

Business Protection Services

PCI DSS v4.0 Compliance: 5 Key Reasons to Define Roles and Responsibilities

Cybersecurity’s GenAI Hype Cycle – and How to Break Out

Managed Compliance Services

Cloud Security and Zero Trust

PCI Compliance and Your Website: A Guide

What to look for in a PCI Forensic Investigator

How to Prepare for Heightened Board Involvement in Cybersecurity

PCI DSS 4.0 - Self Assessment Questionnaires

VikingCloud Welcomes Jim Burke as New CEO

Hardening Against Potential Attacks from Elevated Geopolitical Cybersecurity Risks

Cybersecurity Awareness Month – 7 Tips to Keep Your Organization Safe from Cyber Threats

PCI DSS v4.0 and the Evolution of the Self-Assessment Questionnaire (SAQ) for E-commerce Merchants

A different kind of food safety

How To Secure Your Software Supply chain

Digital Certificates

The PCI DSS, Chaining and the Franchise Relationship

Cyber attackers and defenders are racing to up their AI game