>>The Paypal iFrame payment portal is in place so transactions are essentially sent 'off-site' to Paypal.

well if you don't capture or store credit card data you don't need to be pci compliant, it doesn't apply to you.
you haven't got a merchant account by the sounds of it, you are just using paypal as a payment service! you don't have anything to worry about.

As topr8 pointed out, unless you are capturing/storing cc on your server, you don't need to worry.

Are you saying you do have a merchant account and want to capture/store cc info on your server, which is why you need to be PCI compliant? Can you provide more details about the end result you're trying to achieve?

I need true PCI compliance, quick and for cheap.

I'm guessing this is one of those cases where you need to pick 2 (or possibly just 1).

Thanks guys! Correct - No, I don't have a merchant account - only Paypal Advanced Paypents API, and only the the PP iFrame portal on the site. My store does not have the ability to store CC data.

All I want to do is set my store to 'live' and go to work.

"well if you don't capture or store credit card data you don't need to be pci compliant, it doesn't apply to you."

Here's the problem: I'm getting different advice from different quarters. Believe me, I'm not discounting your advice and it's the advice I want to hear. I've asked this question on another forum and was told clearly, yes, I must still run a PCI scan, complete the 12-step questionaire, and have an SSL certificate in place. I can't see why, but that's what I hear so far, until now. The PP site also states 'greatly simplified' PCI compliance. A bit ambigous to say the least, meaning, it can be ignored altogether, or I still have to jump through hoops....?

I want to be clear that by iFrame portal, the customer experience is that of never leaving my site. A pop-up window appears at checkout into which the CC details are entered, but this function is a 'portal' to PP, not directly part of my site.

I haven't used the PayPal API, so I don't know all the details. I would say your best bet is to contact them and verify your setup is compliant.

Is it a full-sized pop-up window that clearly shows a SSL connection? If not, and your site isn't https, some customers may think they're submitting through http instead, so it might scare some off.

It sounds like your setup should be okay, but IANAPCO (I Am Not A Pci Compliance Officer).

why don't you actually look on the paypal website and see what they say ...

[paypal.com...]

i assume you are using: Website Payment Pro Hosted or Website Payments Standard.

"why don't you actually look on the paypal website and see what they say ..."

I have. That's part of the problem. There's nothing specifically addressing PCI compliance. I called their merchant support and they don't know. I know that sounds ridiculous but the rep was unable to tell me yes or no if the API meant I have to complete PCI or not. She was only vague and sent me a link that created more questions than answers.

I'm using PayPal Express Checkout - also called Paypal Advanced Payments I think.

My PP module reads: "PayPal Payments Advanced. Accept credit cards, PayPal, and PayPal Credit® payments with a PCI-compliant checkout that keeps customers on your site."

Elsewhere, I read: if you have an iframe on your website that brings up a domain other than your own then it's usually called cross-site scripting. I don't believe that is PCI compliant.

click/read the link i posted above, it took me a single seach to find this paypal page on my search engine of choice.
it clearly states the different paypal payment options which you can use and what is required for PCI compliance

all the paypal payment options fall into one of the following categories:

PCI compliance handled by PayPal (exact words used on paypal website)
PCI compliance handled by you (exact words used on paypal website)

it specifically lists: PayPal Express Checkout .... which is what you said you use.

so i assume you didn't even bother to read the link that i gave you... which was to a PayPal page and it answered your question.

don't expect me to bother answering any more of your questions.

I read that page. Firstly, it is Paypal UK, so possibly different regulations than are in effect in the US, secondly, it differs from the protocol published by PCI Security Standards Council.

They say "PCI compliance handled by PayPal", and they go on to say:

"With Website Payments Standard, Online Invoicing, Express Checkout and Website Payments Pro Hosted, PayPal handles the payment card information on your behalf and so greatly eases the burden of PCI compliance."

Operative term here is "greatly eases". Not exactly the same thing as no PCI obligation. It does not clearly state what is required for PCI compliance. The PCI Security Standards Council still require at least the SAQ - Self Assessement Questionnaire.