
Are you wondering if your Business is PCI Compliant?

Volunteer Advisor



What is PCI Compliance?


Being PCI Compliant is a requirement by the Credit Card Associations for all merchants that accept and process credit card data over the internet. You may be required to meet Payment Card Industry (PCI) standards within your business to complete your processing needs.


How do you know if you need to be PCI Compliant?


    •  If you use Website Payments Standard, e-mail payments, or Payflow Link, PayPal manages all of the PCI compliance standards for these products.


    • If you use PayPal Website Payments Pro or Virtual Terminal, you’re responsible for meeting the PCI Security standards. To meet these security standards, you need to enroll with a Visa or MasterCard-certified security vendor for PCI certification services. These services must include quarterly security scanning of your office and store internet connections and website, as well as completion of a Security Self-Assessment Questionnaire.


    • If you use Payflow Pro, you’ll need to obtain PCI compliance validation and certification by enrolling with a Visa or MasterCard-certified security vendor for PCI certification services.



To find more information about PCI Compliance here are a few resources –


PCI Security Standards Council website

PayPal Blog


~ Misty


Re: Are you wondering if your Business is PCI Compliant?

I am not certain that what you are saying here is correct.


We are being irritated by Business Support harping on about PCI and sending us emails with Paypal web links which are wrong. We know all about PCI Compliance btw as we also have a BoS/FirstData Merchant Account.


If you now look at the Website Payments Pro page, you will see that Paypal has introduced a new terminology, "Website Payments Pro Hosted", for which Paypal covers PCI compliance. No one from Paypal Business Support has mentioned this change, but they are happy, like you, to utter the magic PCI Compliance standard mantra phrases (let's not divert here to discuss why the banking industry had to find a way to keep their profits and dump the responsibility on traders).


So what exactly is Website Payments Pro Hosted?


One would expect that if you click on the link on that page then all would be revealed, but surprise, surprise! One is taken to exactly the same page as Website Payments Pro.


Is Paypal run by amateurs? I can't imagine that is the case, but the impression I have is... yes, it is :-)


First I have almost threatening emails from Business Support with links that don't work and now one finds a new product definition again with links that don't work.


To my mind if one has the original Website Payments Pro then the payment is not hosted by us and all of the transaction takes place chez Paypal before the client is returned to our site. It is clear that if you have Virtual Terminal (standard issue with Website Payments Pro) then you handle card data directly and must then be PCI compliant. So why offer it ?


Seems like PP need to be educated first to be able to talk to their customers - do you know the answer ?

PayPal Employee

Re: Are you wondering if your Business is PCI Compliant?



If you're signed up for Website Payments Pro, you can use both the DoDirectPayment API call as well as Website Payments Pro Hosted.

Website Payments Pro (DoDirectPayment) will obviously require more stringent controls than Website Payments Pro Hosted. However, with both you must meet at least a minimum set of checks.


I believe you're still in contact with my colleagues on this; as this issue is specific to your situation, let's continue this discussion off thread.

For technical assistance with PayPal merchant product offerings, please file a ticket at

Re: Are you wondering if your Business is PCI Compliant?

RobG - appreciate your thoughts.


Well, for now no one has replied from Business Support. I was hoping that I would get some positive help (viz. someone telling me what I can do to sort this out, and how). So far it has been negative help. I asked for Virtual Terminal (a real PCI risk) to be terminated; they did that promptly.


You say that both Website Payments Pro (DoDirectPayment) and Website Payments Pro Hosted must "meet at least a minimum set of checks."


This is not what is written or offered on the website... under Website Payments Pro Hosted, Paypal says "PCI Compliance handled by Paypal", whereas for Website Payments Pro there is a clear line crossed to "PCI Compliance handled by You"... as a Level 4 "risk", that latter PCI is an annual SAQ plus a third-party port scan 4 times a year.


This is a little like the proverbial "blood-from-stone"... who knows what "Website Payments Pro Hosted" means?


PS. Whilst I am happy to "continue this discussion off thread" that requires your colleagues to engage with us. So far no sign.