0

So after MUCH research online, I'm coming to the one place I know someone will be able to help me!

We have a site that WILL accept credit card payments via PayPal's Classic API. More specifically, we'll be accepting credit cards for recurring payments. I know I have to be PCI compliant, and after speaking to PayPal today, I have been told (in writing) that:

"Once your account has processed over 20 transaction in the last 3 weeks (or 100 in a year), you will be able to register with Trustwave to become PCI compliant."

AND that I

"do not need to prove your compliance before reaching these levels"

Not sure what it is, but something doesn't sit right with me. Mainly, that I think I should be PCI compliant from the get-go. I think what they're saying is that I won't need to prove anything until then, but that I should be PCI compliant.

If anyone could give me a bit of guidance on this, it would be great. Here's a little bit more about our situation:

  1. We will not store ANY customer card details on any system we run.
  2. We send the details to the PayPal API by a regular old HTML POST form.
  3. Recurring payments don't allow for a hosted solution by Paypal, so we are required to do it via our own form.

I'm sure I'm missing something here, but know that someone here will have had experience/be able to point me in the right direction!

Cheers guys!

Dan
  • 524
  • 1
  • 5
  • 17

1 Answers1

0

You do indeed fall under PCI requirements immediately as a web page in your environment captures card-holder data and then transmits (the key term) it to PayPal. PCI/DSS does not have a volume threshold below which it does not apply.

Perhaps the thing that doesn't feel right is that they are happy to brush off any and all responsibility for your PCI compliancy by presenting the option of signing up with "Trustwave" whom I guess will present you with a SAQ to fill in and then take care of your quarterly scans.

Alex K.
  • 171,639
  • 30
  • 264
  • 288
  • Yeah, that was my feeling. I've also been reading that because we don't store data, it will be much easier to be compliant. I'm thinking we need to securely transmit data, but from thereon it's Paypal's PCI which covers everything. Any thoughts? – Dan Sep 27 '13 at 13:40
  • In addition, I'm not surprised so many merchants choose to ignore PCI compliance. Far be it from me to suggest that people bury their heads in the sand, but it seems SO hard to get a clear answer from anyone (GoDaddy even told me that all I needed was SSL)... – Dan Sep 28 '13 at 13:03
  • Short answer - if you handle credit cards you need to be PCI compliant in some fashion. If you ever have the CC # on your server anywhere (even memory) then your PCI complication goes up. If you don't store the CC # anywhere it's not that bad. – Zippit Oct 04 '13 at 04:59