  1. #1
    SitePoint Evangelist
    Join Date
    Feb 2006
    Posts
    426
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Does Paypal Website Pay. Pro ask for PCI Compliance proof?

    Does anyone here know if Paypal Website Payments Pro will ask for proof of PCI Compliance when signing up? Or after how long do they ask for it? Or do they ask for it at all?

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,604
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    Why would they ask for it - they are the ones doing the payment processing so they are the ones who need to be compliant.
    Stephen J Chapman


  3. #3
    SitePoint Evangelist
    Join Date
    Feb 2006
    Posts
    426
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yes, for Payments Standard, but I'm talking about Payments Pro, where customers enter their credit card info within the domain of my site and it's transmitted through the shopping cart.

  4. #4
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,604
    Mentioned
    24 Post(s)
    Tagged
    1 Thread(s)
    If you are collecting the info on your site then your site needs to be PCI compliant from the start. That is completely independent of what back end processor you pass the info into and has nothing to do with the provider of that backend processor.
    Stephen J Chapman


  5. #5
    SitePoint Member
    Join Date
    Jan 2010
    Posts
    12
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you're considering Website Payments Pro, or anything similar, it would be a good idea to do your PCI compliance homework first - even if they don't ask for it, you have it, and you know your customers are going to be safe.

  6. #6
    SitePoint Addict WilliamW_321's Avatar
    Join Date
    Aug 2009
    Posts
    207
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Going without PCI compliance is like riding a motorcycle in shorts and flip flops... all good until something breaks bad... then it's painful as hell!

  7. #7
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,580
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by felgall View Post
    If you are collecting the info on your site then your site needs to be PCI compliant from the start. That is completely independent of what back end processor you pass the info into and has nothing to do with the provider of that backend processor.
    Legal obligations do not appear out of thin air. You have no direct contract with Visa or MasterCard or any other card association, so they have no power to require you to meet any of their standards. It's your contract with the specific processor that must have a clause requiring you to be compliant, or requiring you to meet all requirements of the Visa and MasterCard Operating Guidelines, that creates this responsibility. So it is completely dependent on what back end processor you contract with, in the sense that that's who creates your legal obligation and is the party that has the power to enforce the contract if you do not meet that obligation.

    In this case, it is the "PayPal Website Payments Pro and Virtual Terminal Agreement", that you must agree to as part of signing up for that service, that has the clause "Compliance with Data Security Standards" where you agree to be compliant.

    The relevant portion for the OP's question about when, if ever, they require proof of compliance:
    Quote Originally Posted by PayPal Website Payments Pro and Virtual Terminal Agreement

    You acknowledge that in the event that we receive indication of a security breach or compromise of cardholder data relating to you, you may be required to have a third party forensic auditor certified by the Associations, conduct a security review of your systems and facilities and issue a report to be provided to us and the Associations. In the event that you fail to initiate such process after our request you authorize us to take such action, at your expense.
    I didn't notice any other mention of showing proof of compliance, but I was only skimming.
