What you need to know about PCI DSS Compliance.

May 17 2019 | PayPal editorial staff

One of the biggest challenges facing small businesses is responsible and secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and PCI DSS. PCI DSS:
  • Requires any organization that handles card information to follow strict security practices designed to protect customer information.
  • Applies to all businesses that store, process, or transmit cardholder data.
  • Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
1. Build and maintain a secure network.
Building a secure network can be more complicated than it seems, since your business is likely using complex, distributed, cloud-based networking to manage customer data and payment transactions. To comply with PCI DSS, any network that handles cardholder data must be segmented – that is, kept separate from other systems, such as internal email. The network must also maintain different firewall rule sets and configurations for databases housing credit cardholder information.
The same challenges exist for managing passwords of devices such as routers. Changing passwords often, and creating complex passwords, seem like easy security tasks – yet password mismanagement remains one of the most common ways that businesses’ networks are compromised.
2. Protect cardholder data.
PCI DSS requirements go into great detail about what constitutes cardholder data and how it must be protected when it leaves your business’s networks. One of the best strategies to protect cardholder data is to avoid storing it on your networks at all. If you must store it, reduce the number of places where information is stored and limit the number of points where it could be accessed.
In addition, data must be encrypted whenever it travels and wherever it is stored. This typically requires using strong cryptography, as well as tools to manage encryption keys and keep encryption up to date.
PCI DSS calls for using strong cryptography and security protocols, such as TLS, SSH, or IPSec to protect sensitive cardholder data during transmission over networks, such as the internet, wireless and cellular technologies, and satellite communications.
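The advice above (keep as little cardholder data as possible, and protect whatever you must keep) can be turned into a concrete storage routine. The following is an added example written for this page, not PayPal's or the PCI Council's code: it validates a card number, keeps only a masked form plus a keyed hash reference for lookups, and scrubs any full PAN that strays into a log line. The test card number, the log line and the key are constructed, and the function names are this example's own; in a real deployment the key would come from a key management system, which this example does not model. The first-six/last-four masking rule used here is the common display limit; confirm the limit that applies to your own case against the current standard.

```python
import hashlib
import hmac
import re

# Constructed inputs: a publicly known test card number (not a real account) and a placeholder key.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_KEY = b"replace-with-a-key-from-your-key-management-system"

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum; rejects obvious garbage before anything is stored or hashed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw):
    """Strip separators and check length and checksum; raises on anything that is not a plausible PAN."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a plausible card number")
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return pan


def mask_pan(pan):
    """Keep the first six and last four digits (the usual display limit); the middle is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan, key):
    """Keyed hash for duplicate detection or lookups: without the key, a leaked table of these
    values cannot be reversed by simply enumerating the PAN space."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def minimize_for_storage(raw_pan, key):
    """What the application keeps instead of the PAN: masked form, last four, and a keyed reference."""
    pan = normalize_pan(raw_pan)
    return {"masked": mask_pan(pan), "last4": pan[-4:], "ref": pan_reference(pan, key)}


def redact_pans(text):
    """Replace any Luhn-valid card number in free text (log lines, support tickets) with its masked form."""
    def _sub(m):
        candidate = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print(minimize_for_storage(SAMPLE_PAN, SAMPLE_KEY))
    # Constructed log line showing a PAN that should never have reached the log in the first place.
    print(redact_pans("order 8812 paid with 4111 1111 1111 1111 by alice"))
```

`redact_pans` is the safety net for the case the article warns about: data that was never meant to be stored ending up in logs or tickets. It is not a substitute for keeping the PAN out of those paths to begin with.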
3. Create a vulnerability management program.
Malware can wreak havoc by taking advantage of vulnerabilities in operating systems and software. Once attackers find a way into your network, they will look for software vulnerabilities and system misconfigurations to exploit.
To help prevent cyberattacks, your operating systems and other software must be kept up to date. Install every software patch as soon as it's available, as well as anti-malware signatures for any anti-virus software your business is running. For customized software, as well as software developed in-house or by a third party, PCI DSS requires secure development and coding techniques to be in place.
4. Implement strong access control measures.
The access control requirements of PCI DSS call for careful management of the people who have access to resources in your business. To comply with PCI DSS, your business should restrict access rights to sensitive data using the fewest privileges necessary for each user’s specific job function. You must also document these access controls via written policies, including the specific privileges you’re granting to users.
5. Monitor and test networks regularly.
Once you implement strong access controls, you’re ready to monitor your systems to make sure the controls are working. Establish processes that track access to system components, and create automated audit trails. You'll also need to monitor access to those audit trails, all system logins, and failed login attempts.
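One way to act on the monitoring requirement above (audit trails, all logins, failed login attempts) is a small detector run over authentication logs. The example below is added here and is not part of the original article; the sshd-style log lines, the host name, the addresses (taken from documentation ranges) and the thresholds are all constructed, and the function names are this example's own. It flags a burst of failed logins from one source inside a time window and, separately, a successful login that follows such a burst, which is the event a reviewer of the audit trail most wants raised.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log lines; the host name and addresses (documentation ranges) are made up.
SAMPLE_LOG = """
Mar  3 10:00:01 pos-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:00:04 pos-gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:00:07 pos-gw sshd[2101]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:00:09 pos-gw sshd[2101]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:00:12 pos-gw sshd[2101]: Failed password for root from 203.0.113.7 port 51162 ssh2
Mar  3 10:00:20 pos-gw sshd[2101]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Mar  3 10:05:00 pos-gw sshd[2201]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  3 10:05:30 pos-gw sshd[2201]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2019):
    """Syslog lines carry no year, so the caller supplies it (assumption: all lines are from one year)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
    return {
        "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_login_abuse(lines, threshold=5, window_s=120, burst_min=3, year=2019):
    """Sliding-window count of failures per source address; returns alerts in log order."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    already_flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append({"kind": "failed_login_burst", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"]})
        elif len(q) >= burst_min:
            # A success right after a burst of failures is the event worth paging on.
            alerts.append({"kind": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "prior_failures": len(q), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_login_abuse(SAMPLE_LOG):
        print(alert)
```

On the sample, the single failure followed by a success from 192.0.2.10 produces nothing, while the run of five failures and then a successful root login from 203.0.113.7 produces two alerts. The thresholds are starting points; tune them against your own audit trail.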
With all of these PCI DSS processes in place – access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks – make sure that all of these technologies and procedures keep running smoothly. Network security controls need to be tested and updated frequently, along with network- and host-based intrusion prevention systems.
6. Develop an information security policy.
Finally, you must maintain a policy that addresses information security for employees and contractors. An effective security policy informs employees what is expected of them when it comes to protecting cardholder or other sensitive data. The policy also provides your IT department with clear security instructions and objectives. You’ll need to use this written policy to educate people when they’re hired, and to remind them of rules on an annual basis. You must also verify that the policy is available to all relevant users, including vendors, contractors, and business partners.
Lastly, if cardholder data is shared with service providers, you must create and maintain policies regarding how you manage these relationships and the service providers’ access to cardholder data.
Let PayPal help with data security.
PayPal uses the latest technologies to streamline transactions while implementing methods to help secure card data. If you use PayPal to process credit cards, your customers’ sensitive transaction data never touches your company's servers – helping reduce your PCI DSS compliance requirements.
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.


Frequently asked questions.

In order to complete an SAQ, we recommend you enroll with a Qualified Security Assessor (QSA).  At PayPal Powered by Braintree, we strive to make your compliance validation process as easy as possible, and have therefore covered the cost associated with validating PCI DSS compliance through SecurityMetrics, our independent QSA partner. If you need help filling out the SAQ, PayPal Powered by Braintree will also cover the cost of technical support provided directly by SecurityMetrics. However, you may choose to validate compliance through a QSA other than SecurityMetrics.

Within 30 days of signing up with PayPal powered by Braintree, you will receive an email explaining how to create your account with SecurityMetrics. You will have to create a SecurityMetrics account to enroll -- this is separate from your existing PayPal or Braintree login and is subject to the SecurityMetrics terms of use.

How do I start the SAQ process with SecurityMetrics?

We will send you an email within 30 days of signing up that will include all of the information you need to enroll in SecurityMetrics. You may wish to add the email address PPpbBTMerchantPCI@paypal.com to your email whitelist to ensure you receive it in your inbox. If you don’t receive the email within the 30-day window, you can email us at the same address for further assistance.
Once you have the email, follow these steps to enroll with SecurityMetrics:
  1. Go to the SecurityMetrics PayPal powered by Braintree page.
  2. Click Sign Up and enter the email address associated with your PayPal powered by Braintree account.
  3. Verify your email address.
  4. Review and accept the Terms of Use.
  5. Continue through the wizard and complete the questionnaire about your credit card processing.

What if I’ve already validated my compliance with a different QSA partner, do I still need to enroll with SecurityMetrics?

If you choose to validate compliance through a QSA other than SecurityMetrics, please provide proof of validation no later than 60 days from the date of this notice by sending your Attestation of Compliance (AOC) to PPpbBTMerchantPCI@paypal.com.
To be PCI compliant, organizations must follow set standards for securing payment information throughout a transaction, as mandated by the PCI Council. The Payment Card Industry Data Security Standard (PCI DSS) is a complex set of requirements designed to ensure that all organizations that process, store, or transmit credit card information maintain a secure environment.
What’s changing?
The Payment Card Industry Security Standards Council (PCI) issued a new security standard that must be implemented by June 26, 2018. By this date, all entities must stop using Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) as a security control in their systems and completely transition to a secure version of TLS encryption protocols, such as TLS 1.2. You can read more about the security standards on the PCI website.

When does the upgrade need to be completed by?
Action required by June 26, 2018.
If your PayPal integration uses an older encryption protocol, you must upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 26, 2018.

How do I upgrade to TLS 1.2?
Here's how to upgrade and test your system:
  1. Visit our security website to view the requirements.
  2. If your website is hosted by a third party, work with your web hosting company or ecommerce software provider. *Otherwise, please contact your in-house web programmer or system administrator to make these updates.
  3. Use our testing environment to confirm that your servers support the latest security standards. The testing environment will present a ‘PayPal_Connection_OK’ message if you’ve completed the server update correctly. Note that you must test your API using your server, not your web browser.
*Note for merchants using a downloaded shopping cart: Whoever hosts the connection to PayPal is required to meet the PCI-DSS encryption requirements. We encourage you to contact your web host or a developer to evaluate your compliance with our encryption requirements, and then take the appropriate steps to address any potential vulnerabilities.
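For the upgrade steps above, a check you can run on your own server, independent of PayPal's testing environment, is to confirm which TLS version your client stack negotiates and that it refuses anything below TLS 1.2. The script below is an added example, not PayPal's code or its test harness: `make_client_context` is the corrected configuration, `make_legacy_context` the weak one for comparison, and `probe_server` connects to a host you name and reports the negotiated version. The function names and the host argument are this example's own (the default host is a placeholder); as the page advises, run the probe from the server that makes your PayPal API calls, not from a browser.

```python
import socket
import ssl
import sys

# Protocol versions the PCI Council deprecated (SSL and "early TLS") versus the acceptable ones.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def negotiated_version_ok(version):
    """True when the string reported by ssl.SSLSocket.version() meets the TLS 1.2 floor."""
    return version in ACCEPTABLE_VERSIONS


def make_client_context():
    """Corrected configuration: certificate verification on and nothing below TLS 1.2 allowed."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_context():
    """Weak configuration for comparison: lets the library negotiate down to whatever it still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_requirement(ctx):
    """Checks the floor of a context, so a misconfigured client is caught before any connection is made."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def probe_server(host, port=443, timeout=5.0, ctx=None):
    """Connects from this machine and reports what was negotiated.
    Assumed usage: run on the server that actually calls the API, against the endpoint it uses."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            return {"host": host, "version": version, "cipher": tls.cipher()[0],
                    "ok": negotiated_version_ok(version)}


if __name__ == "__main__":
    # Usage: python tls_check.py <hostname>   ("example.com" below is only a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        print(probe_server(target))
    except ssl.SSLError as exc:
        # A handshake failure under a TLS 1.2 floor means one side still only offers SSL or early TLS.
        print(f"handshake with {target} failed under a TLS 1.2+ floor: {exc}")
```

The `minimum_version` attribute needs Python 3.7 or later with an OpenSSL that supports version floors; on older stacks the same effect is reached by disabling the old protocols with `ssl.OP_NO_SSLv3`, `ssl.OP_NO_TLSv1` and `ssl.OP_NO_TLSv1_1` on the context. Libraries that make HTTPS calls for you (requests, urllib3, curl bindings) have their own way to pass in a context; the floor must be set on whichever one actually talks to PayPal.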

Testing periods
Before June 26, 2018, PayPal will conduct weekly tests to emulate the upgraded security experience. The testing dates are published on our security website.

These tests will help you understand the areas of your integration that still require security protocol upgrades. If your systems have been upgraded to support TLS 1.2, you shouldn’t be impacted during the testing periods. However, if your system integrations aren’t upgraded, you may experience interruptions to PayPal services, such as payment processing and reporting. Please be advised that each testing period could last several hours.

Make the necessary security protocol upgrades now to make sure you’re ready before the June 26, 2018 deadline. If you need additional support, please contact your web hosting company, ecommerce software provider, in-house web programmer, or system administrator.

What happens if I don't upgrade to TLS 1.2?
If you don't upgrade your integration by June 26, 2018, you may not be able to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business Account.

PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right in your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has a $99 setup fee and a monthly fee of $25.

There are optional features such as additional fraud protection, recurring billing and buyer authentication.