The basics of PCI DSS compliance.

Jan 08 2019 | PayPal editorial staff

One of the biggest challenges facing small businesses is responsible and secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
 
To help businesses reduce risks around data protection and security, the payment card brands established the Payment Card Industry Security Standards Council (PCI SSC, or the PCI Council), which maintains the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS:
  • Requires any organization that handles card information to follow strict security practices designed to protect customer information.
  • Applies to all businesses that store, process, or transmit cardholder data.
  • Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
 
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
 
1. Build and maintain a secure network.
Building a secure network can be more complicated than it seems, since your business is likely using complex, distributed, cloud-based networking to manage customer data and payment transactions. PCI DSS does not strictly require it, but the systems that store, process or transmit cardholder data (the cardholder data environment, or CDE) should be segmented from the rest of your network, such as internal email, so that a compromise elsewhere cannot reach card data and so that the scope of your assessment shrinks to the CDE. Firewalls at the CDE boundary must restrict inbound and outbound traffic to what the business needs, with documented rule sets, and databases holding cardholder data must sit in an internal zone that is not directly reachable from the internet.
 
The same discipline applies to the passwords on network devices such as routers and firewalls. PCI DSS requires every vendor-supplied default password to be changed before a device goes into service, and keeping passwords complex and rotated sounds like an easy task, yet password mismanagement remains one of the most common ways business networks are compromised.
 
2. Protect cardholder data.
PCI DSS goes into detail about what constitutes cardholder data and how it must be protected wherever it is stored and whenever it leaves your network. The best strategy is not to store it at all. Where you must, keep only what the business needs: the primary account number (PAN) can be stored if protected, but sensitive authentication data such as the card verification code or full magnetic-stripe contents must never be kept after authorization. Reduce the number of places where data is stored and limit the points from which it can be accessed.

Stored PAN must be rendered unreadable, typically with strong encryption, truncation, tokenization or hashing, and the encryption keys need their own management: restricted access, secure storage and periodic rotation.

For data in transit, PCI DSS calls for strong cryptography and security protocols such as TLS, SSH or IPsec whenever cardholder data crosses open, public networks, including the internet, wireless and cellular links, and satellite communications.
 
3. Create a vulnerability management program.
Malware and hands-on attackers alike take advantage of vulnerabilities in operating systems and software. Once they find a way into your network, they look for unpatched software and system misconfigurations to exploit and escalate from.

To limit that exposure, keep operating systems and other software up to date: PCI DSS requires critical security patches to be installed within a month of release, and anti-malware software on commonly affected systems to be running with current signatures. For software you build or commission, whether in-house or from a third party, PCI DSS requires a secure development process, including secure coding practices and review of code for common vulnerabilities before release.
 
4. Implement strong access control measures.
The access control requirements of PCI DSS call for careful management of the people who have access to resources in your business. To comply, restrict access to cardholder data on a need-to-know basis, granting each user the least privilege their job function requires, and give each user a unique ID so that actions can be traced to an individual. Administrative access to the cardholder data environment must use multi-factor authentication. Document these access controls in written policy, including the specific privileges you grant to each role.
 
5. Monitor and test networks regularly.
Once you implement strong access controls, monitor your systems to confirm the controls are working. Establish automated audit trails that tie every access to system components to an individual user, and review them: access to the audit trails themselves, all logins (administrative ones above all) and failed login attempts must be logged and watched, and the logs must be protected from tampering and retained.
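As an added illustration of the failed-login monitoring described above (example code written for this page, not PayPal's or PCI SSC's), the following Python script runs a sliding-window detector over a constructed OpenSSH-style auth log: it flags any source address that fails five times within a minute, and separately flags a later successful login from that same source, which is the event a reviewer of the audit trail most needs to follow up. The host name, addresses, users and thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH auth-log style (host name, addresses and
# users are invented for this example; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
2019-01-08T10:00:01 cde-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2019-01-08T10:00:03 cde-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2019-01-08T10:00:05 cde-db01 sshd[2102]: Failed password for root from 203.0.113.7 port 51024 ssh2
2019-01-08T10:00:06 cde-db01 sshd[2103]: Failed password for root from 203.0.113.7 port 51025 ssh2
2019-01-08T10:00:08 cde-db01 sshd[2104]: Failed password for root from 203.0.113.7 port 51026 ssh2
2019-01-08T10:00:09 cde-db01 sshd[2105]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2019-01-08T10:05:00 cde-db01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2019-01-08T10:05:30 cde-db01 sshd[2201]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a login event line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_login_abuse(log_text, threshold=5, window_seconds=60):
    """Sliding-window brute-force detector.

    Emits ("brute_force", src, host, n) the first time a source reaches
    `threshold` failures within `window_seconds`, and
    ("success_after_burst", src, host, user) for any later successful login
    from that source, the event an audit-trail reviewer must follow up on.
    """
    recent_failures = defaultdict(list)  # src -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for event in filter(None, map(parse_line, log_text.splitlines())):
        src = event["src"]
        if event["result"] == "Failed":
            window = [t for t in recent_failures[src]
                      if (event["ts"] - t).total_seconds() <= window_seconds]
            window.append(event["ts"])
            recent_failures[src] = window
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, event["host"], len(window)))
        elif src in flagged:
            alerts.append(("success_after_burst", src, event["host"], event["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises two alerts: the burst of five root/admin failures from 203.0.113.7, and the password login that succeeded seconds later from the same address. Alice's single typo followed by a key-based login produces nothing, which is the point of the threshold and window rather than alerting on every failure.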
 
Beyond that, with all of these PCI DSS processes in place – access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks – make sure they keep working. Security controls must be tested regularly: PCI DSS requires quarterly internal and external vulnerability scans (the external ones performed by an Approved Scanning Vendor), penetration testing at least annually and after significant changes, and the use of intrusion detection or prevention systems together with file-integrity monitoring to catch unauthorized changes to critical files.
 
6. Develop an information security policy.
Finally, you must maintain a policy that addresses information security for employees and contractors. An effective security policy informs employees what is expected of them when it comes to protecting cardholder or other sensitive data. The policy also provides your IT department with clear security instructions and objectives. You’ll need to use this written policy to educate people when they’re hired, and to remind them of rules on an annual basis. You must also verify that the policy is available to all relevant users, including vendors, contractors, and business partners.
 
Lastly, if cardholder data is shared with service providers, you must create and maintain policies regarding how you manage these relationships and the service providers’ access to cardholder data.
 
Let PayPal help with data security.
PayPal uses current technologies to streamline transactions while implementing methods that help secure card data. If you use PayPal to process credit cards, your customers' sensitive transaction data never touches your company's servers, which helps reduce the PCI DSS requirements that apply to you.
 
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
 
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

Frequently asked questions.

In order to complete a Self-Assessment Questionnaire (SAQ), we recommend you enroll with a Qualified Security Assessor (QSA). At PayPal Powered by Braintree, we strive to make your compliance validation process as easy as possible, and have therefore covered the cost associated with validating PCI DSS compliance through SecurityMetrics, our independent QSA partner. If you need help filling out the SAQ, PayPal Powered by Braintree will also cover the cost of technical support provided directly by SecurityMetrics. However, you may choose to validate compliance through a QSA other than SecurityMetrics.

Within 30 days of signing up with PayPal powered by Braintree, you will receive an email explaining how to create your account with SecurityMetrics. You will have to create a SecurityMetrics account to enroll -- this is separate from your existing PayPal or Braintree log in and is subject to the SecurityMetrics terms of use.

How do I start the SAQ process with SecurityMetrics?

We will send you an email within 30 days of signing up that will include all of the information you need to enroll in SecurityMetrics. You may wish to add the email address PPpbBTMerchantPCI@paypal.com to your email whitelist to ensure you receive it in your inbox. If you don’t receive the email within the 30-day window, you can email us at the same address for further assistance.
Once you have the email, follow these steps to enroll with SecurityMetrics:
  1. Go to the SecurityMetrics PayPal powered by Braintree page.
  2. Click Sign Up and enter the email address associated with your PayPal powered by Braintree account.
  3. Verify your email address.
  4. Review and accept the Terms of Use.
  5. Continue through the wizard and complete the questionnaire about your credit card processing.

What if I've already validated my compliance with a different QSA partner? Do I still need to enroll with SecurityMetrics?

If you choose to validate compliance through a QSA other than SecurityMetrics, please provide proof of validation no later than 60 days from the date of this notice by sending your Attestation of Compliance (AOC) to PPpbBTMerchantPCI@paypal.com.
 
What’s changing?
The PCI Security Standards Council (PCI SSC) set a mid-2018 deadline for entities to stop using Secure Sockets Layer (SSL) and early Transport Layer Security (TLS 1.0) as a security control and to complete the transition to a secure version of TLS, such as TLS 1.2. PayPal integrations must complete this migration by June 26, 2018. You can read more about the security standards on the PCI website.

When does the upgrade need to be completed by?
Action required by June 26, 2018.
If your PayPal integration uses an older encryption protocol, you must upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 26, 2018.

How do I upgrade to TLS 1.2?
Here's how to upgrade and test your system:
  1. Visit our security website to view the requirements.
  2. If your website is hosted by a third party, work with your web hosting company or ecommerce software provider. Otherwise, contact your in-house web programmer or system administrator to make these updates.
  3. Use our testing environment to confirm that your servers support the latest security standards. The testing environment returns a 'PayPal_Connection_OK' message if you've completed the server update correctly. Note that you must test from your server (the system that actually makes the API calls), not from your web browser: the browser's TLS support says nothing about your server's.
Note for merchants using a downloaded shopping cart: whoever hosts the connection to PayPal is required to meet the PCI DSS encryption requirements. We encourage you to contact your web host or a developer to evaluate your compliance with our encryption requirements, and then take the appropriate steps to address any gaps.
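To make step 3 concrete, here is an added example (written for this page, not PayPal's code; the page does not name the test endpoint, so the host is taken from the command line) showing, with Python's standard ssl module, how a merchant integration pins its outbound API connections to TLS 1.2 or later with full certificate verification, and how to audit one of your own endpoints for still accepting TLS 1.0 or 1.1. Host names and ports are whatever you pass in; nothing here is specific to PayPal's servers.

```python
import socket
import ssl
import sys

LEGACY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def make_tls12_context():
    """Client context for calling a payment API: verifies the server certificate
    and host name against the system CA store and refuses SSL, TLS 1.0 and 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_enforces_tls12(ctx):
    """True when ctx can neither negotiate below TLS 1.2 nor skip peer verification."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname)


def legacy_only_context(name):
    """Audit-only context pinned to one legacy version (a key of LEGACY_VERSIONS).
    Certificate checks are off because the question is 'does the server still
    speak this?', not 'is it the right server'. Never use it for real traffic.
    Returns None if the local OpenSSL refuses to configure that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = LEGACY_VERSIONS[name]
        ctx.maximum_version = LEGACY_VERSIONS[name]
    except ValueError:
        return None
    return ctx


def negotiated_version(host, port=443, ctx=None):
    """Complete a handshake and report the protocol version actually agreed."""
    ctx = ctx or make_tls12_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def legacy_versions_accepted(host, port=443):
    """Which of TLS 1.0 / 1.1 the server still accepts (an empty list is the goal)."""
    accepted = []
    for name in LEGACY_VERSIONS:
        ctx = legacy_only_context(name)
        if ctx is None:
            continue
        try:
            if negotiated_version(host, port, ctx) == name:
                accepted.append(name)
        except (ssl.SSLError, OSError):
            pass  # handshake refused: the server does not offer this version
    return accepted


if __name__ == "__main__":
    host = sys.argv[1]  # your own API endpoint, or the test host PayPal points you to
    print("TLS 1.2+ client negotiated:", negotiated_version(host))
    print("legacy versions still accepted by server:", legacy_versions_accepted(host))
```

Run it from the server that makes the API calls, as the step above says; the first line tells you whether that machine's TLS stack can reach the host at TLS 1.2 or better, and the second line is the check to run against your own checkout host after the upgrade. If the legacy probe itself fails with "no protocols available", your local OpenSSL has already removed TLS 1.0/1.1 support, which is a fine answer too.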

Testing periods
Before June 26, 2018, PayPal will conduct weekly tests that emulate the upgraded security experience. The testing dates are published on our security website.

These tests will help you understand the areas of your integration that still require security protocol upgrades. If your systems have been upgraded to support TLS 1.2, you shouldn’t be impacted during the testing periods. However, if your system integrations aren’t upgraded, you may experience interruptions to PayPal services, such as payment processing and reporting. Please be advised that each testing period could last several hours.

Make the necessary security protocol upgrades now to make sure you’re ready before the June 26, 2018 deadline. If you need additional support, please contact your web hosting company, ecommerce software provider, in-house web programmer, or system administrator.

What happens if I don't upgrade to TLS 1.2?
If you don't upgrade your integration by June 26, 2018, you may not be able to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business Account.

 
PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right in your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has a $99 setup fee and a monthly fee of $25.

There are optional features such as additional fraud protection, recurring billing and buyer authentication. Click here to see pricing.
Whether you're getting ready to start a business, advance your small business, or grow an online business, PayPal has a product for you. From complex business products to simple solutions for your business, we’ve got you covered.

Here’s more information on the different business products PayPal offers.

PayPal Payments Standard: PayPal Payments Standard is loaded with everything you need to get paid online, including a checkout experience that’s already optimized across devices.

PayPal Payments Advanced: PayPal Payments Advanced is an all-in-one payment-processing system that lets you accept payments online, offline, or on the go. PayPal Payments Advanced lets customers using a credit or debit card check out directly on your website.

PayPal Payments Pro: PayPal Payments Pro gives you the flexibility and payment processing security to build a professional-grade ecommerce site. It can be configured to suit your business needs – and works across devices. Plus, because it's from PayPal, you can tap into over 184 million active customer accounts around the globe.

Payflow Payment Gateway: A payment gateway links your website to your processing network and merchant account. Like most gateways, Payflow Payment Gateway handles all major credit and debit cards. What makes our gateway different is the low rates and incremental sales boost from offering PayPal and PayPal Credit payment options on your site.

PayPal Here: One app, many ways to get paid. Choose your reader for accepting card payments, then with the PayPal Here app, you can issue receipts, manually enter card payments, track cash and check payments and send invoices.

PayPal Checkout: Add PayPal as a payment option to your checkout page - or use it as a stand-alone solution. You’ll open the door to over 169 million active PayPal users who look for and use this fast, easy, and secure way to pay.

Virtual Terminal: You can use Virtual Terminal wherever you have Internet access—at your office, at a trade show, even at the airport. To take a credit card order, simply log in to your PayPal account and enter the payment details into the secure Virtual Terminal order form. We’ll process the payment and send you a confirmation.  

PayPal powered by Braintree: PayPal powered by Braintree makes it easy to accept payments through your Partner store. Our payment gateway is similar to the credit card terminal you swipe your card through at the grocery store – we'll make sure your customer's payment information gets to the right places and doesn't fall into the wrong hands.
 
Compare PayPal products:

  Product                                        Monthly fee (see all Merchant fees)
  PayPal Payments Standard                       $0
  PayPal Payments Pro                            $30
  Payflow                                        $0
  PayPal powered by Braintree                    $0
  PayPal Checkout (formerly Express Checkout)    $0

Features compared across these products (availability varies by product; see the footnotes):
  • Design and host your own checkout pages for full control (if allowed by your partner site)
  • Accept credit cards via phone, fax and mail (Virtual Terminal)
  • Accept credit and debit cards, so your buyers don't need a PayPal account (some products require a 3rd-party processor)
  • Accept PayPal payments
  • Send invoices online for fast payment
  • Accept payments in 25 currencies from 202 countries
  • Simplified PCI compliance**
  • No long-term contracts, setup, withdrawal or cancellation fees
  • Nonprofit discount available for PayPal transactions
  • Toll-free phone support
  • Offer special financing on purchases $99 and up***

*Configurable
**Requires use of the hosted templates in PayPal Payments Pro.
***Only through PayPal Payments Standard or PayPal Checkout.