OK, so if it puts anyone else's mind at rest, here is the breakdown (and thanks again Frank for your input): I spoke with a security specialist that does the PCI testing as well as a Paypal PCI Compliance person, who both advised the same thing in regard to whether or not your website has to be PCI compliant. Here are the results:

1) As long as you use a PCI Compliant 3rd party (hosted or otherwise) to transmit, process or store cc info, then the "frontend" site, if you will ... e.g. Steve's soccer shop (not the cc form but everything before that in checkout) ... doesn't have to be PCI compliant. If you house the form itself on your website then you will have to be PCI compliant, as the cc info does touch your server, if only for a split second.

2) Nowadays there are several respected hosting companies making shared PCI compliant hosting available. As such, it doesn't hurt to use one of them as a nice peace-of-mind backup as opposed to using your current host that perhaps is a little behind the times. And before anyone goes shouting about how a shared server can't be PCI compliant, just go to the PCI authority and see that they do in fact reference the ability to make shared hosting PCI compliant; it's just a little harder to do for the hosting companies (https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf), which means that hosting companies that claim to have shared PCI compliant hosting are legit. In a worst case where for some reason the shared hosting fails, there are now virtual and managed dedicated servers available for very reasonable prices (where they used to be $400 per month, you can now get fully customizable hosting for $30 per month). Furthermore, many of these PCI aware hosting companies are offering active PCI testing support services should a PCI testing company flag anything unusual.

3) If you think about the logic of this too: say you have a fishing store website that processes credit cards via a simple link to Paypal Payments Standard (the most basic hyperlink-only hosted Paypal option), but you also have some random friend (unconnected business-wise) who happens to simply hyperlink their website to your Paypal Standard link too, with a line next to it "Give my friend some money". Does this mean THEIR site has to reside on a PCI compliant server and be PCI compliant for your business JUST because of that link? Of course not. So to me it's logical that only the one handling the cc data would be required to be PCI compliant.

4) Lastly, as an unrelated note: just because the hosted solution takes care of everything including SSL, it doesn't hurt to add your own SSL, for 2 reasons: A) because users might want their username, address and password secured with SSL (not just cc data); B) because many users actually feel safer and actively look for the SSL cert or URL reference in the address bar. Now you might say, well, somebody could just hack my frontend site and swap out the Paypal iframe code for something that looks identical ... but for that matter, if we were stupid enough, someone could place a cardboard cutout in front of your monitor and say "draw your cc number here with a pen". Where do you draw the line in terms of how secure any interface is? The reality is, if you do steps 1) and 2) above, you have done pretty much all you can do, so that when a PCI test comes knocking you have covered yourself as best you can.