Being PCI Compliant is a requirement by the Credit Card Associations for all merchants that accept and process credit card data over the internet. You may be required to meet Payment Card Industry (PCI) standards within your business to complete your processing needs.
To find more information about PCI Compliance here are a few resources –
I am not certain that what you are saying here is correct.
We are being irritated by Business Support harping on about PCI and sending us emails with Paypal web links which are wrong. We know all about PCI Compliance btw as we also have a BoS/FirstData Merchant Account.
If you now look at Website Payments Pro page https://www.paypal-business.co.uk/pci-compliance/
then you will see that Paypal has introduced a new terminology "Website Payments Pro Hosted" for which Paypal covers PCI compliance. No one from Paypal Business Support has mentioned this change but they are happy, like you, to utter the magic PCI Compliance standard mantra phrases (let's not divert here to discuss why the banking industry had to find a way to keep their profits and dump the responsibility on traders).
So what exactly is Website Payments Pro Hosted ?
One would expect that if you click on the link on that page then all would be revealed but surprise, surprise ! One is taken to exactly the same page as Website Payments Pro.
Is Paypal run by amateurs ? I can't imagine that is the case but the impression I have is .. yes, it is :-)
First I have almost threatening emails from Business Support with links that don't work and now one finds a new product definition again with links that don't work.
To my mind if one has the original Website Payments Pro then the payment is not hosted by us and all of the transaction takes place chez Paypal before the client is returned to our site. It is clear that if you have Virtual Terminal (standard issue with Website Payments Pro) then you handle card data directly and must then be PCI compliant. So why offer it ?
Seems like PP need to be educated first to be able to talk to their customers - do you know the answer ?
If you're signed up for Website Payments Pro, you can use both the DoDirectPayment API call as well as Website Payments Pro Hosted.
Website Payments Pro (DoDirectPayment) will obviously require more stringent controls than Website Payments Pro Hosted. However, with both you must meet at least a minimum set of checks.
I believe you're still in contact with my colleagues on this; as this issue is specific to your situation, let's continue this discussion off thread.
RobG - appreciate your thoughts.
Well for now, no one has replied from Business Support. I was hoping that I would get some positive help (viz. someone telling me what & how I can do to sort this out). So far it has been negative help. I asked for Virtual Terminal (a real PCI risk) to be terminated - they did that promptly.
You say that both Website Payments Pro (DoDirectPayment) and Website Payments Pro Hosted must "meet at least a minimum set of checks."
This is not what is written or offered on the website ... under Website Payments Pro Hosted, Paypal says "PCI Compliance handled by Paypal" whereas for the Website Payments Pro there is a clear line crossed to "PCI Compliance handled by You" .. as a Level 4 "risk" that latter PCI is an annual SAQ plus a third party port scan 4 times a year.
This is a little like the proverbial "blood-from-stone" ... who knows what "Website Payments Pro Hosted" means ?
PS. Whilst I am happy to "continue this discussion off thread" that requires your colleagues to engage with us. So far no sign.