PCI compliance - small online merchant. What steps?
7:44 pm on Dec 21, 2016 (gmt 0)

New User (10+ Year Member; joined: Apr 10, 2009; posts: 5; votes: 1)


I am a small merchant, online only; no brick-&-mortar; well under $20k volume at this point. Site is not set to 'live' because PCI is not yet done. The Paypal iFrame payment portal is in place so transactions are essentially sent 'off-site' to Paypal.

There are reams of pages and lengthy guides out there, generally beginning with something like "Track and monitor all access to network resources and cardholder data, yada, yada..." or "For 'only' $699.95 per scan", etc.

Nor can I afford a corporate QSA team. I need true PCI compliance, quick and for cheap. What steps please?

Thanks to all in advance.
7:56 pm on Dec 21, 2016 (gmt 0)

topr8, Senior Member (joined: Apr 19, 2002; posts: 3511; votes: 84)


>>The Paypal iFrame payment portal is in place so transactions are essentially sent 'off-site' to Paypal.

Well, if you don't capture or store credit card data, you don't need to be PCI compliant; it doesn't apply to you.
You haven't got a merchant account by the sounds of it; you are just using PayPal as a payment service! You don't have anything to worry about.
8:04 pm on Dec 21, 2016 (gmt 0)

lifeinasia, Moderator from US (joined: Dec 10, 2005; posts: 5852; votes: 199)


As topr8 pointed out, unless you are capturing/storing cc on your server, you don't need to worry.

Are you saying you do have a merchant account and want to capture/store cc info on your server, which is why you need to be PCI compliant? Can you provide more details about the end result you're trying to achieve?

"I need true PCI compliance, quick and for cheap."

I'm guessing this is one of those cases where you need to pick 2 (or possibly just 1).
9:12 pm on Dec 21, 2016 (gmt 0)

New User (10+ Year Member; joined: Apr 10, 2009; posts: 5; votes: 1)


Thanks guys! Correct - no, I don't have a merchant account - only the PayPal Advanced Payments API, and only the PP iFrame portal on the site. My store does not have the ability to store CC data.

All I want to do is set my store to 'live' and go to work.

"well if you don't capture or store credit card data you don't need to be pci compliant, it doesn't apply to you."

Here's the problem: I'm getting different advice from different quarters. Believe me, I'm not discounting your advice, and it's the advice I want to hear. I've asked this question on another forum and was told clearly, yes, I must still run a PCI scan, complete the 12-step questionnaire, and have an SSL certificate in place. I can't see why, but that's what I hear so far, until now. The PP site also states "greatly simplified" PCI compliance. A bit ambiguous to say the least, meaning, it can be ignored altogether, or I still have to jump through hoops...?
9:19 pm on Dec 21, 2016 (gmt 0)

New User (10+ Year Member; joined: Apr 10, 2009; posts: 5; votes: 1)


I want to be clear that by iFrame portal, the customer experience is that of never leaving my site. A pop-up window appears at checkout into which the CC details are entered, but this function is a 'portal' to PP, not directly part of my site.
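The distinction the replies turn on is whether card details are typed into the merchant's own document or only into a frame served from the payment provider's origin. The following is an added example (not code from this thread, from PayPal, or from any PCI document) of a static self-check a merchant can run against a checkout page before setting it live: it reports card-number inputs found in the page's own markup, iframes whose source is on the provider's host, and any iframe loaded over plain http. The provider host list, the field-name patterns and the three sample pages are assumptions made up for the example.

```python
"""Static scan of a checkout page: does the merchant's own document carry
card-number fields, or does card entry happen only inside an iframe served
from the payment provider's origin?

Added example; not code from this thread or from PayPal. PROVIDER_HOSTS,
CARD_FIELD_RE and the sample pages are assumptions made for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: hostnames treated as the payment provider's origin.
PROVIDER_HOSTS = {"www.paypal.com", "payflowlink.paypal.com"}

# Assumed for the example: name/id/autocomplete tokens that mark a card number
# or security code input. Word boundaries keep e.g. "company" from matching.
CARD_FIELD_RE = re.compile(
    r"\b(card[-_ ]?number|cc[-_ ]?number|cardnum|cc[-_ ]?csc|cvv2?|cvc|csc)\b",
    re.IGNORECASE,
)


class CheckoutScanner(HTMLParser):
    """Collect iframe sources, form targets and card inputs from one document."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # src of every <iframe>
        self.form_actions = []     # action of every <form>
        self.own_card_fields = []  # card inputs that live in the merchant's own DOM

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes -> ""
        if tag == "iframe":
            self.iframes.append(a.get("src", ""))
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            for key in ("name", "id", "autocomplete"):
                if CARD_FIELD_RE.search(a.get(key, "")):
                    self.own_card_fields.append(a[key])
                    break


def _host(url):
    return (urlparse(url).hostname or "").lower()


def classify(html):
    """Return where card data is entered, plus anything worth a second look."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    scanner.close()
    provider_frames = [u for u in scanner.iframes if _host(u) in PROVIDER_HOSTS]
    # Only an explicit http:// src is flagged; a relative src inherits the
    # scheme of the page that embeds it.
    insecure_frames = [u for u in scanner.iframes if urlparse(u).scheme == "http"]
    if scanner.own_card_fields:
        scope = "merchant-captures-card-data"   # card data enters the merchant's page
    elif provider_frames:
        scope = "provider-hosted-iframe"        # card data enters the provider's frame
    else:
        scope = "no-card-entry-found"
    return {
        "scope": scope,
        "own_card_fields": scanner.own_card_fields,
        "provider_frames": provider_frames,
        "insecure_frames": insecure_frames,
        "form_actions": scanner.form_actions,
    }


# Constructed sample pages for the example (not real PayPal markup).
HOSTED_IFRAME_PAGE = """<html><body><h1>Checkout</h1>
<iframe src="https://payflowlink.paypal.com/?token=EXAMPLE" width="500" height="400"></iframe>
</body></html>"""

SELF_CAPTURE_PAGE = """<html><body>
<form action="/charge" method="post">
  <input name="cardnumber" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <input type="submit" value="Pay">
</form></body></html>"""

PLAIN_HTTP_IFRAME_PAGE = """<html><body>
<iframe src="http://payflowlink.paypal.com/?token=EXAMPLE"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in [("hosted iframe", HOSTED_IFRAME_PAGE),
                       ("own card form", SELF_CAPTURE_PAGE),
                       ("plain-http iframe", PLAIN_HTTP_IFRAME_PAGE)]:
        result = classify(page)
        print(f"{name}: {result['scope']}")
        if result["insecure_frames"]:
            print("  iframe served over http:", result["insecure_frames"])
```

Run it against the rendered checkout page (the HTML the browser actually receives, including whatever the store module injects) rather than the template source, since that is the document the customer's card details are typed into. A result of "merchant-captures-card-data" means the page itself carries card inputs, which is the capture case the replies above say pulls the site into scope regardless of where the form posts.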
10:11 pm on Dec 21, 2016 (gmt 0)

lifeinasia, Moderator from US (joined: Dec 10, 2005; posts: 5852; votes: 199)


I haven't used the PayPal API, so I don't know all the details. I would say your best bet is to contact them and verify your setup is compliant.

Is it a full-sized pop-up window that clearly shows a SSL connection? If not, and your site isn't https, some customers may think they're submitting through http instead, so it might scare some off.

It sounds like your setup should be okay, but IANAPCO (I Am Not A Pci Compliance Officer).
10:16 pm on Dec 21, 2016 (gmt 0)

topr8, Senior Member (joined: Apr 19, 2002; posts: 3511; votes: 84)


Why don't you actually look on the PayPal website and see what they say...

[paypal.com...]

I assume you are using Website Payments Pro Hosted or Website Payments Standard.
10:40 pm on Dec 21, 2016 (gmt 0)

New User (10+ Year Member; joined: Apr 10, 2009; posts: 5; votes: 1)


"why don't you actually look on the paypal website and see what they say ..."

I have. That's part of the problem. There's nothing specifically addressing PCI compliance. I called their merchant support and they don't know. I know that sounds ridiculous but the rep was unable to tell me yes or no if the API meant I have to complete PCI or not. She was only vague and sent me a link that created more questions than answers.

I'm using PayPal Express Checkout - also called Paypal Advanced Payments I think.

My PP module reads: "PayPal Payments Advanced. Accept credit cards, PayPal, and PayPal Credit® payments with a PCI-compliant checkout that keeps customers on your site."

Elsewhere, I read: if you have an iframe on your website that brings up a domain other than your own then it's usually called cross-site scripting. I don't believe that is PCI compliant.
9:04 am on Dec 22, 2016 (gmt 0)

topr8, Senior Member (joined: Apr 19, 2002; posts: 3511; votes: 84)


Click/read the link I posted above; it took me a single search to find this PayPal page on my search engine of choice.
It clearly states the different PayPal payment options which you can use and what is required for PCI compliance.

All the PayPal payment options fall into one of the following categories:

PCI compliance handled by PayPal (exact words used on the PayPal website)
PCI compliance handled by you (exact words used on the PayPal website)

It specifically lists: PayPal Express Checkout... which is what you said you use.

So I assume you didn't even bother to read the link that I gave you... which was to a PayPal page, and it answered your question.

Don't expect me to bother answering any more of your questions.
6:02 pm on Dec 22, 2016 (gmt 0)

New User (10+ Year Member; joined: Apr 10, 2009; posts: 5; votes: 1)


I read that page. Firstly, it is Paypal UK, so possibly different regulations than are in effect in the US, secondly, it differs from the protocol published by PCI Security Standards Council.

They say "PCI compliance handled by PayPal", and they go on to say:

"With Website Payments Standard, Online Invoicing, Express Checkout and Website Payments Pro Hosted, PayPal handles the payment card information on your behalf and so greatly eases the burden of PCI compliance."

Operative term here is "greatly eases". Not exactly the same thing as no PCI obligation. It does not clearly state what is required for PCI compliance. The PCI Security Standards Council still requires at least the SAQ - Self-Assessment Questionnaire.