What you need to know about PCI DSS Compliance.

May 17 2019 | PayPal editorial staff

One of the biggest challenges facing small businesses is responsible and secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and PCI DSS. PCI DSS:
  • Requires any organization that handles card information to follow strict security practices designed to protect customer information.
  • Applies to all businesses that store, process, or transmit cardholder data.
  • Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
1. Build and maintain a secure network.
Building a secure network can be more complicated than it seems, since your business is likely using complex, distributed, cloud-based networking to manage customer data and payment transactions. To comply with PCI DSS, any network that handles cardholder data must be segmented – that is, kept separate from other systems, such as internal email. The network must also maintain different firewall rule sets and configurations for databases housing credit cardholder information.
The same challenges exist for managing passwords of devices such as routers. Changing passwords often, and creating complex passwords, seem like easy security tasks – yet password mismanagement remains one of the most common ways that business’ networks are compromised.
2. Protect cardholder data.
PCI DSS requirements go into great detail about what constitutes cardholder data and how it must be protected when it leaves your business’s networks. One of the best strategies to protect cardholder data is to avoid storing it on your networks at all. If you must store it, reduce the number of places where information is stored and limit the number of points where it could be accessed.
In addition, data must be encrypted whenever it travels and wherever it is stored. This typically requires using strong cryptography, as well as tools to manage encryption keys and keep encryption up to date.
PCI DSS calls for using strong cryptography and security protocols, such as TLS, SSH, or IPSec to protect sensitive cardholder data during transmission over networks, such as the internet, wireless and cellular technologies, and satellite communications.   
3. Create a vulnerability management program.
Malware can wreak havoc by taking advantage of vulnerabilities in operating systems and software. Once they find a way into your network, attackers will look for software vulnerabilities and system misconfigurations to exploit.
To help prevent cyberattacks, your operating systems and other software must be kept up to date. Install every software patch as soon as it's available, as well as anti-malware signatures for any anti-virus software your business is running. For customized software, as well as software developed in-house or by a third party, PCI DSS requires secure development and coding techniques to be in place.
4. Implement strong access control measures.
The access control requirements of PCI DSS call for careful management of the people who have access to resources in your business. To comply with PCI DSS, your business should restrict access rights to sensitive data using the fewest privileges necessary for each user’s specific job function. You must also document these access controls via written policies, including the specific privileges you’re granting to users.
5. Monitor and test networks regularly.
Once you implement strong access controls, you’re ready to monitor your systems to make sure the controls are working. Establish processes that track access to system components, and create automated audit trails. You'll also need to monitor access to those audit trails, all system logins, and failed login attempts.
Finally, with all of these PCI DSS processes in place – access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks – make sure that all of these technologies and procedures are running smoothly. Network security controls need to be tested and updated frequently, along with the proper use of network, host, and intrusion prevention systems.
6. Develop an information security policy.
Finally, you must maintain a policy that addresses information security for employees and contractors. An effective security policy informs employees what is expected of them when it comes to protecting cardholder or other sensitive data. The policy also provides your IT department with clear security instructions and objectives. You’ll need to use this written policy to educate people when they’re hired, and to remind them of rules on an annual basis. You must also verify that the policy is available to all relevant users, including vendors, contractors, and business partners.
Lastly, if cardholder data is shared with service providers, you must create and maintain policies regarding how you manage these relationships and the service providers’ access to cardholder data.
Let PayPal help with data security.
PayPal uses the latest technologies to streamline transactions while implementing methods to help secure card data. If you use PayPal to process credit cards, your customers’ sensitive transaction data never touches your company's servers– helping reduce  your PCI DSS compliance requirements.
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

Was this content helpful?

Frequently asked questions.

PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right on your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has no setup fee and a monthly fee of $25 USD.

There are optional features such as additional fraud protection, recurring billing, and buyer authentication. To see the pricing information, click here and then click Get Started Today.

From time to time, PayPal compliance must review accounts toensure they comply with our User Agreement and global regulatory obligations. In some cases, this means we need to remove bank accounts to comply with these regulations. If your bank account was removed please add a new bank.

"FATCA" is the Foreign Account Tax Compliance Act, which is a United States law designed to combat tax evasion by US persons (individuals or entities) that fail to report income related to non-US accounts. FATCA requires some of PayPal's non-US subsidiaries to collect information from their account holders to determine whether accounts are held by US persons (as defined by FATCA).

Agreements between the US and many foreign jurisdictions govern the exchange of account holder information to address local bank secrecy and privacy issues that may be impacted as a result of the FATCA's requirements. Information provided to the U.S. Internal Revenue Service ("IRS") or local regulatory agencies pursuant to FATCA are also covered by PayPal's Privacy Statement.
If your account is limited, we'll send you an email with the reason for that limitation. For your convenience, we always list the steps to remove the limitation in the Resolution Center under Steps to Remove Limitation.

Reasons for Account Limitations
There are several reasons why your account may be limited. Here are some examples:
  • Regulatory requirements
Your account could be limited in order to comply with regulatory requirements. For example, requesting certain products, like a debit card, can trigger federal and state laws, and we may limit your account while we work together to satisfy those requirements.
  • Acceptable Use Policy
Likewise, if you’re not in compliance with our Acceptable Use Policy, you’ll find that your account has been limited. Selling banned items such as prescription drugs or guns is an example of a violation of the Acceptable Use Policy.
  • Unauthorized use
We may limit your PayPal account to protect you from potential losses and review any fraudulent activity if:
  • We believe someone accessed your PayPal account without your authorization
  • Your bank informs us that there have been unauthorized transfers between your PayPal account and your bank account
  • Your debit or credit card issuer alerts us that someone may have used your card without your permission
  • Higher-risk activity
Another reason why your account could be limited is seller performance indicating your account is high risk. Examples include:
  • You received an unusually high number of claims and chargebacks from your buyers, which is an indication of poor seller performance
  • You started selling an entirely new type of product, such as a higher-cost item like jewelery
  • Your typical sales volume increased rapidly, which is out of nature with your usual sales patterns
In these cases, your account may be limited while we do a review.
  • Inactive account
We may also limit your PayPal account if you haven’t used it much since you signed up. To restore full access to your account, log in and provide a Proof of Identity (such as Driver’s license Copy, State ID copy etc.). Go to your Notifications center to upload documents.

We’ll use cookies to improve and customize your experience if you continue to browse. Is it OK if we also use cookies to show you personalized ads? Learn more and manage your cookies