Does anyone here know if PayPal Website Payments Pro will ask for proof of PCI Compliance when signing up? Or after how long do they ask for it? Or do they ask for it at all?
Why would they ask for it - they are the ones doing the payment processing so they are the ones who need to be compliant.
Yes, for Payments Standard, but I’m talking about for Payments Pro where customers enter their credit card info within the domain of my site and it’s transmitted through the shopping cart…
If you are collecting the info on your site then your site needs to be PCI compliant from the start. That is completely independent of what back end processor you pass the info into and has nothing to do with the provider of that backend processor.
If you’re considering Website Payments Pro, or anything similar, it would be a good idea to do your PCI compliance homework first - even if they don’t ask for it, you have it, and you know your customers are going to be safe.
Going without PCI compliance is like riding a motorcycle in shorts and flip flops… all good until something breaks… then it’s painful as hell!
Legal obligations do not appear out of thin air. You have no direct contract with Visa or MasterCard or any other card association, so they have no power to require that you meet any of their standards. It’s your contract with the specific processor that must have a clause requiring you to be compliant, or requiring you to meet all requirements of the Visa and MasterCard Operating Guidelines, that creates this responsibility. So it is completely dependent on what back end processor you contract with, in the sense that they are the ones who create your legal obligation and the party that has the power to enforce the contract if you do not meet that obligation.
In this case, it is the “PayPal Website Payments Pro and Virtual Terminal Agreement”, which you must agree to as part of signing up for that service, that has the clause “Compliance with Data Security Standards” where you agree to be compliant.
The relevant portion for the OP’s question about when, if ever, they require proof of compliance:
I didn’t notice any other mention of showing proof of compliance, but I was only skimming.