PCI Compliance scanning on PayFlow Link and Payments Advanced accounts

mckilldj
Contributor

I'll make this as succinct a question as I can, only because I'm sure others have asked but I simply can't find an accurate answer. Here goes:

PanOptic is the Paypal-partnered security company that helps with PCI certification services. When they are doing quarterly scans as a part of PCI certification post PayFlow Link integration, do they scan the Paypal server (where, for example, the PayFlow Link account is actually housed), or do they scan the adjoining non-Paypal server website (e.g. Steve's soccer balls shop) where the PayFlow Link is integrated?

I ask this only because in theory it is possible to host a website on a relatively insecure SHARED server while linking (via the secure token methods) using a product such as PayFlow Link (which actually sits on the Paypal server).

Thanks in advance.


PayPal_Frank
Administrator

Welcome mckilldj! 🙂

As PayPal is already PCI DSS compliant, these scans would just be for your store servers and how the PayPal Payments Advanced form is integrated on those pages. I don't know exactly how the scans work, but I would expect that they would be scanning for server/network vulnerabilities that would allow an attacker to take control of or intercept information from your server.

Think of it this way: if the Steve's soccer balls server is not secure, is it possible for an attacker to intercept the sensitive information as it's being collected in the browser but just before it's being transmitted to PayPal? With PayPal Payments Advanced (Payflow Link), the form is hosted and secured by PayPal, but it's still embedded on the merchant's website. There's lower risk compared to solutions where all the payment information is being collected directly on your website, but we still have to make sure the store website itself is secure.

I hope this helps to clarify. 🙂

- Frank

If you see a helpful post, please accept it as a solution or give the author kudos. 🙂 Thanks!

mckilldj
Contributor

Thanks Frank 🙂

I wonder then if the scan is looking for server vulnerabilities or is simply verifying every 3 months that the code used to iframe the hosted Paypal solution is in fact a verified Paypal connection and not an "evil iframe" 🙂 inserted as a result of a successful hack 🙂 ... I guess this is a question for one of the authorized PCI scanning companies. I'll let you know what I find out. To some degree it would seem a little silly that the Steve soccer server would have to be as tightly shut down as the cc form hosting PCI compliant server, as that would essentially negate the whole purpose of hosted Paypal solutions :).

Dave


mckilldj
Contributor

OK, so if it puts anyone else's mind at rest, here is the breakdown (and thanks again Frank for your input):

I spoke with a security specialist that does the PCI testing as well as a Paypal PCI Compliance person, who both advised the same thing in regard to whether or not your website has to be PCI compliant. Here are the results:

1) As long as you use a PCI Compliant 3rd party (hosted or otherwise) to transmit, process or store cc info, then the "frontend" site, if you will ... e.g. Steve's soccer shop (not the cc form but everything before that in checkout) ... doesn't have to be PCI compliant. If you house the form itself on your website then you will have to be PCI compliant, as the cc info does touch your server, if only for a split second.

2) Nowadays there are several respected hosting companies making shared PCI compliant hosting available. As such it doesn't hurt to use one of them as a nice peace-of-mind backup, as opposed to using your current host that perhaps is a little behind the times. And before anyone goes shouting about how shared servers can't be PCI compliant, just go to the PCI authority and see that they do in fact reference the ability to make shared hosting PCI compliant; it's just a little harder to do for the hosting companies (https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf), which means that hosting companies that claim to have shared PCI compliant hosting are legit. In a worst case where for some reason the shared hosting fails, there are now virtual and managed dedicated servers available for very reasonable prices (where they used to be $400 per month you can now get fully customizable hosting for $30 per month). Furthermore, many of these PCI aware hosting companies are offering active PCI testing support services should a PCI testing company flag anything unusual.

3) If you think about the logic of this too: say you have a fishing store website that processes credit cards via a simple link to Paypal Payments Standard (the most basic hyperlink-only hosted Paypal option), but you also have some random friend (unconnected business-wise) who happens to simply hyperlink their website to your Paypal Standard link too, with a line next to it "Give my friend some money". Does this mean THEIR site has to reside on a PCI compliant server and be PCI compliant for your business JUST because of that link? Of course not. So to me it's logical that only the one handling the cc data would be required to be PCI compliant.

4) Lastly, as an unrelated note: just because the hosted solution takes care of everything including SSL, it doesn't hurt to add your own SSL, for 2 reasons:

A) Because users might want their username, address and password secured with an SSL (not just cc data)
B) Because many users actually feel safer and actively look for the SSL cert or URL reference in the address bar.

Now you might say, well, somebody could just hack my frontend site and swap out the Paypal iframe code for something that looks identical ... but for that matter, if we were stupid enough, someone could place a cardboard cutout in front of your monitor and say draw your cc number here with a pen. Where do you draw the line in terms of how secure any interface is? The reality is, if you do steps 1) and 2) above, you have done pretty much all you can do, so that when a PCI test comes knocking you have covered yourself as best you can.


PayPal_Frank
Administrator

Hi mckilldj,

Thank you so much for sharing this information with the community! 😄

To add some further clarification for those reading this thread that don't know about PayPal Payments Advanced:

PayPal Payments Advanced is a little different from Standard or Pro in that the billing form itself is hosted by PayPal, but the form still appears on the store website. PayPal Payments Standard does a full redirect to paypal.com, so the store website is not required to complete PCI-DSS requirements (although using SSL/TLS is recommended for any store for customer privacy reasons).

PayPal Payments Pro is completely hosted in the store, so full PCI-DSS compliance is required. There are PCI-DSS requirements for PayPal Payments Advanced because there is an increased risk of cross-site and cross-frame scripting attacks on the embedded form. While the form is PayPal hosted, there are still requirements to fill out a Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans. These steps are much simpler than full PCI-DSS compliance. And as mckilldj mentioned, there are many hosting and shopping cart providers that offer PCI-DSS compliance with their services.

PayPal also hosts a list of PayPal compatible hosting and shopping cart providers here:

PayPal Partner Directory

Thanks again mckilldj! 🙂

- Frank

 

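The thread's recurring worry is the "evil iframe": an attacker who compromises the merchant's frontend swaps the PayPal-hosted form for a lookalike. The following is an added example written for this thread, not code from PayPal or from any poster, showing the defender-side check a merchant can run in a deploy pipeline or uptime monitor: extract every iframe on the checkout page, resolve each one to an origin, and flag anything that is not on an allowlist of hosted-form origins; it also emits the Content-Security-Policy frame-src directive that makes the browser enforce the same allowlist at render time. The allowlisted origin, the page URL and the sample HTML are all constructed placeholders, not PayPal's real hostnames.

```javascript
// Added example (not PayPal's or the poster's code): audit the iframes on a merchant
// checkout page against an allowlist of hosted-form origins, and build the matching
// CSP frame-src directive. Origins and URLs below are assumed placeholders.

// Assumed allowlist: the origin(s) where the hosted payment form legitimately lives.
const ALLOWED_FORM_ORIGINS = ['https://hosted-checkout.example-psp.com'];

// Pull every iframe src attribute out of an HTML string.
// A plain attribute scan is enough for an audit of a page the merchant controls.
function extractIframeSrcs(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Resolve each src against the page URL and compare its origin (scheme + host + port)
// to the allowlist. Lookalike hosts, http:// downgrades and javascript: URLs all fail
// the origin comparison. Returns {ok, unexpected} so a monitor can alert on drift.
function auditEmbeddedForms(html, pageUrl, allowed = ALLOWED_FORM_ORIGINS) {
  const unexpected = [];
  for (const src of extractIframeSrcs(html)) {
    let origin;
    try {
      origin = new URL(src, pageUrl).origin; // relative srcs resolve to the page's own origin
    } catch {
      origin = 'invalid:';
    }
    if (!allowed.includes(origin)) unexpected.push({ src, origin });
  }
  return { ok: unexpected.length === 0, unexpected };
}

// The browser-enforced twin of the audit: with this directive in the page's
// Content-Security-Policy header, a frame pointing anywhere else is refused.
function cspFrameSrc(allowed = ALLOWED_FORM_ORIGINS) {
  return `frame-src ${allowed.join(' ')};`;
}

// Constructed sample page: one legitimate embed and one swapped to a lookalike host
// (the allowlisted hostname used as a subdomain of an attacker-controlled domain).
const SAMPLE_PAGE = `
<html><body>
<h1>Steve's soccer balls - checkout</h1>
<iframe src="https://hosted-checkout.example-psp.com/form?token=ABC123"></iframe>
<iframe src="https://hosted-checkout.example-psp.com.evil.example/form"></iframe>
</body></html>`;

// Demo run: prints the audit result and the CSP directive to send with the page.
function runDemo() {
  const result = auditEmbeddedForms(SAMPLE_PAGE, 'https://shop.example/checkout');
  console.log(JSON.stringify(result, null, 2));
  console.log(cspFrameSrc());
  return result;
}

runDemo();
```

Running the block reports the second iframe as unexpected with origin `https://hosted-checkout.example-psp.com.evil.example`. Comparing whole origins rather than doing a substring match on the hostname is the point: a lookalike that merely contains the trusted name still fails.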

mckilldj
Contributor

The part that is still not 100% clarified officially by Paypal, I guess, is the part where you mention ... in relation to hosted Paypal options that "while the form is PayPal hosted, there are still requirements to fill out a Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans." From what I gathered from the two specialists I spoke with (and I pushed my question specifically on this matter several times), the SAQ and scans refer to the business practices and network and IP rather than the website, BECAUSE in this case the Paypal hosted service negates the need for scanning the "frontend" website. At least that is what a compliance Paypal person and a scanning specialist told me over the phone separately.

Frank, what is your input on that, in an official capacity?


mckilldj
Contributor

I guess the question is ... can someone at Paypal check with PanOptic (the Paypal PCI partner) to see what they say with regard to Frank's very valid XSS scripting attack question and what their current practices are.


PayPal_Frank
Administrator

@mckilldj wrote:

The part that is still not 100% clarified officially by Paypal, I guess, is the part where you mention ... in relation to hosted Paypal options that "while the form is PayPal hosted, there are still requirements to fill out a Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans." From what I gathered from the two specialists I spoke with (and I pushed my question specifically on this matter several times), the SAQ and scans refer to the business practices and network and IP rather than the website, BECAUSE in this case the Paypal hosted service negates the need for scanning the "frontend" website. At least that is what a compliance Paypal person and a scanning specialist told me over the phone separately.

Frank, what is your input on that, in an official capacity?

Thanks for clarifying. I'll defer to the specialists on this. 🙂 I do know that quarterly scans are required for PayPal Payments Advanced. The PayPal Payments Advanced page states: "With this solution, the only remaining requirements are a greatly simplified Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans." (from hovering over "PCI Compliance").

I understand that your concerns are about what exactly is being scanned, e.g. website, business practices, network, IPs, etc. The scanning requirements are not set by PayPal. I recommend checking with an Approved Scanning Vendor for more information about specifically what is being scanned. While the hosted form may negate the need for a website scan, it's possible that it may still need to be completed for compliance.

There are more details about the quarterly scanning requirements in these PCI docs as well:

PCI DSS Technical and Operational Requirements for Approved Scanning Vendors

PCI Scanning Procedures

- Frank

 


mckilldj
Contributor

Frank - that reference is what got me started on this whole thing haha! Worst case, if in fact they do scan the "frontend", it is probably a general security scan ... SQL injection, XSS etc. (like you said) ... of the "frontend" site. Honestly something that everyone practising eCom should probably be doing anyway! Your logic does make sense though ... like I say, the "frontend" site, if not secured, could FUBAR the whole compliance purpose 🙂 it's just a matter of where to draw the line.


PayPal_Frank
Administrator

@mckilldj wrote:

Frank - that reference is what got me started on this whole thing haha! Worst case, if in fact they do scan the "frontend", it is probably a general security scan ... SQL injection, XSS etc. (like you said) ... of the "frontend" site. Honestly something that everyone practising eCom should probably be doing anyway! Your logic does make sense though ... like I say, the "frontend" site, if not secured, could FUBAR the whole compliance purpose 🙂 it's just a matter of where to draw the line.

Hehe, sorry about that. 🙂 Sometimes I make questions more complicated than they really are.

So to answer your original question in the simplest way possible:

I suspect that the scan wouldn't be any different from the scan they do for a website or store that is collecting the cardholder data directly. For PayPal hosted checkouts, there would just be a smaller amount of data that the merchant would need to worry about securing when they are setting up the store server and pages.

- Frank
