PCI compliance

What is PCI DSS and who needs to comply?


Consumers are increasingly aware of the risk of identity theft, and PCI compliance shows that you have procedures in place to keep their payment information secure. The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements that every business handling credit or debit card payments must meet. It sets out industry best practice as a "minimum security standard".

The PCI Security Standards Council requires all merchants who accept, store, transmit or process cardholder data to comply with PCI DSS, regardless of their size or transaction volume. For the majority of merchants the requirements are an annual PCI Self-Assessment Questionnaire and a quarterly network scan.


  • Can PayPal take care of PCI for me?
    As a merchant accepting card payments you are required to comply with PCI DSS. As a service provider, PayPal is also required to comply with PCI DSS. Most of our products can form part of your PCI DSS compliance solution and ease the burden of compliance for you; with some of our products, however, you are responsible for ensuring you are compliant.

    PCI compliance handled by PayPal

    With Website Payments Standard, Online Invoicing, Express Checkout and Website Payments Pro Hosted, PayPal handles the payment card information on your behalf, which greatly eases the burden of PCI compliance because card data never touches your own systems.

    PCI compliance handled by you

    If you use Website Payments Pro, you handle card data directly and must ensure you are PCI compliant yourself. You can use one of our PCI compliant partners or register with Trustwave to help you become compliant. If you use Virtual Terminal, we strongly recommend you become compliant as part of your security best practice.

  • How do I comply?
    We know compliance can be daunting, especially for smaller businesses, so we've teamed up with our partners to help you through the process. If you're not yet using Website Payments Pro but plan to, the easiest way to make sure you're PCI compliant is to go through a PCI compliant partner or Trustwave. If you're already using Website Payments Pro, your next steps depend on how you integrated it:

    Did you integrate Website Payments Pro API direct with PayPal?

    Get in touch with us to discuss your options, or register with our partner Trustwave, who can set you up with a PCI compliance solution.

    Did you integrate Website Payments Pro API via a cart partner?

    You'll need to contact your shopping cart provider to find out how to become PCI compliant with them, or call our Business Support team to discuss your options.

  • Why comply?
    PCI DSS is a mandatory industry standard. Becoming compliant can help your business and helps you avoid future problems with data security.

    How PCI DSS can help your business:

    • Identify risks in the way you store or transmit customer data
    • Set a clear path of action to address any data security risks
    • Make sure your service providers do not put your data security at risk
    • Show your customers that you take data security seriously

    How PCI DSS can help you avoid problems:

    • Reduce the risk of liabilities such as the cost of any fraud on compromised card accounts
    • Avoid the substantial legal and investigation costs that follow a security breach
    • Protect your reputation and build trust with your customers
    • Prevent disruption to your business
  • What happens if my business doesn't comply?
    From a PayPal perspective, your Website Payments Pro account may be limited and eventually suspended. You can also be fined by the card schemes (MasterCard, Visa etc.) if a data breach occurs.

Get help with PCI compliance

See our list of PCI compliant partners or register with Trustwave.