tags:

views:

114

answers:

3
+2  Q: 

Is PCI Compliance required with Payflow Link?

I have tried calling PayPal themselves, and the rep on the phone didn't even know Payflow Link could work this way, so I don't trust his advice. All my searching has encountered mixed answers.

I am building an ecommerce site using Payflow Link, where the CC processing is handled on Paypal hosted pages. However, I am consider implementing the advanced integration method, whereby customers input all the CC info on a form hosted by my server, but the form gets POST'ed over SSL directly to Paypal's servers. Using this method, I can maintain the branding of my site except for the required Paypal reciept page.

The CC information, using this method, should never touch my servers. Are they required to be PCI compliant? From a technical standpoint, I can't see why it should, but from a legal standpoint, I get lost in the jargon of the PCI-DSS documents. The site does roughly 1000 transactions a year.

A: 

If you accept credit card payments through your website you have to be PCI compliant. How far you need to go will vary depending on your implementation. If you're hosting the form that the users are using to make payments you need to use an SSL certificate so that page is encrypted (even if only to make sure the lock icon appears in the user's browser. Without it you won't be doing 1000 transactions per year anymore).

John Conde  2010-07-26 18:33:54
+1  A: 

Using the model you are proposing, you do indeed have to be PCI-compliant, but at a much less restrictive level than you would if the data touched your server.

For details, goto https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click on the link for SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.

Hope this helps!

MikeH  2010-07-28 19:20:14
A: 

I'm exploring the same issue. From talking to our PCI compliance vendor, it sounds like MikeH is incorrect. Because we're hosting the form on our web site, the server itself needs to be PCI compliant. That's because the form could be hacked if the server is not secure.

I see two options:

  1. Keep the form on our site. Make the server secure (our web host does not currently pass the PCI scan, they are working on it). Fill in the much longer and detailed SAQ Validation Type 5 (Questionnaire D).

  2. Use Payflow Link's credit card capture form. Won't need to worry about the server, can then use the much shorter SAQ Validation Type 1 (Questionnaire A). But, we lose branding and may lose sales because the Payflow Link pages look so different.

The SAQ D is ugly :-(

 2010-08-03 21:48:26

related questions

Java-based eCommerce Framework
What is the best way to validate a credit card in PHP?
How do you add recommendations to your ecommerce site?
How do you measure if an interface change improved or reduced usability?
PHP + Quickbooks integration (API)
Advice on mixing legacy ASP site with .NET 2.0
How does Authorize.net Silent POST work?
How do you compare Websphere Commerce with the rest of the ecommerce tools available in the market?
Best php/ruby/python e-commerce solution
How do you detect Credit card type based on number?
Which PHP open source shopping cart solutions have features that benefit me as the web developer?
Which should I implement first, PayPal or Google Checkout, on my eCommerce website?
If I sell products online in the US, do I need to collect sales tax?
Credit card expiration dates - Inclusive or exclusive?
donation services
What's a good free and open-source ASP.NET ecommerce solution?
E-commerce tutorials
Payment Processors - What do I need to know if I want to accept credit cards on my website?
What are the pros/cons of available shopping cart solutions?
Best ASP.NET E-Commerce Framework
What is the best technology/framework to use for an online e-commerce site?
Process raw HTTP request content
Shopping Cart
Integrating QuickBooks with your e-commerce site
Implementing an online ordering system for a restaurant/cafe.