How PayPal relates to PCI compliance
There is some confusion among online businesses over how PayPal payment acceptance relates to PCI compliance. You may have heard that by using PayPal, your business is not subject to the PCI DSS.
The truth is, even accepting PayPal payments requires you to be PCI compliant. In this scenario, it is helpful to think of PayPal as a payment processor. Even though PayPal is ultimately storing, processing and transmitting the cardholder data, as a merchant your business is the one accepting that information. Therefore, your online environment has the ability to affect the security of the payment transaction.
The good news? Using a PCI-compliant third party service provider (PayPal, Auth.net, etc.) can limit your scope of compliance. And, if your e-commerce business accepts fewer than 300,000 card payments per year, then you can self-assess your compliance rather than hire a PCI QSA.
PayPal and Self-Assessing PCI compliance
In versions 3.0 and 3.1 of the PCI Self-Assessment Questionnaires (SAQs), if the entire payment page is outsourced to PayPal or any other PCI-compliant third party service provider, then you can validate with an SAQ A.
The key here is the word “entire.” The entire payment page must be rendered by the third party service provider. If you pass any data other than that required for the transaction to the payment page at the time of the transaction (for example, JavaScript that renders the page so that it looks like your website), then you must validate with an SAQ A-EP, which is much more burdensome. More on the differences between SAQ A and SAQ A-EP.
But Wait, There’s More!
There is actually a third SAQ option for e-commerce merchants: SAQ D-Merchant. So if you have an e-commerce site, I recommend checking out PCI SAQ 3.1: E-Commerce Options Explained to learn more about the online payment processing scenarios that map to SAQ A, SAQ A-EP and SAQ D-Merchant.
ControlScan can help. Subscribe to this blog for additional tips and webinar announcements.