What you need to know about PCI DSS Compliance.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and PCI DSS. PCI DSS:
- Requires any organization that handles card information to follow strict security practices designed to protect customer information.
- Applies to all businesses that store, process, or transmit cardholder data.
- Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
The same challenges exist for managing passwords of devices such as routers. Changing passwords often, and creating complex passwords, seem like easy security tasks – yet password mismanagement remains one of the most common ways that businesses' networks are compromised.
In addition, data must be encrypted whenever it travels and wherever it is stored. This typically requires using strong cryptography, as well as tools to manage encryption keys and keep encryption up to date.
PCI DSS calls for using strong cryptography and security protocols, such as TLS, SSH, or IPsec, to protect sensitive cardholder data during transmission over networks, including the internet, wireless and cellular technologies, and satellite communications.
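Encryption in transit and at rest only holds if cardholder data never lands where it should not, such as application logs. The following Python, an added example rather than anything from PayPal or the PCI SSC, scans constructed log lines for Luhn-valid card numbers and masks all but the last four digits; the regex, the sample lines and the function names are assumptions for illustration.

```python
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes; deliberately
# broad, since the Luhn check below filters out order numbers and timestamps.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (well-known test PANs, not real cardholder data).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO order=1234567890123456 status=paid",
    "2024-05-01T10:00:02Z DEBUG raw_request card=4111111111111111 exp=12/26",
    "2024-05-01T10:00:03Z DEBUG retry pan='5555 5555 5555 4444' attempt=2",
]

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _candidate_digits(match: "re.Match[str]") -> str:
    """Digits of a regex hit, or '' if it is not a Luhn-valid PAN."""
    digits = re.sub(r"\D", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""

def mask_pan(digits: str) -> str:
    """Keep only the last four digits so the value is no longer a usable PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]

def find_pans(line: str) -> List[str]:
    """Return every Luhn-valid PAN found in one log line."""
    return [d for d in map(_candidate_digits, _PAN_RE.finditer(line)) if d]

def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Mask every PAN in the given lines; return (scrubbed lines, hit count)."""
    hits = 0
    def _repl(match: "re.Match[str]") -> str:
        nonlocal hits
        digits = _candidate_digits(match)
        if not digits:
            return match.group(0)
        hits += 1
        return mask_pan(digits)
    return [_PAN_RE.sub(_repl, line) for line in lines], hits
```

A non-zero hit count on production logs is a sign that those systems are inside PCI DSS scope, whatever the architecture diagram says.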
To help prevent cyberattacks, your operating systems and other software must be kept up to date. Install every software patch as soon as it's available, as well as anti-malware signatures for any anti-virus software your business is running. For customized software, as well as software developed in-house or by a third party, PCI DSS requires secure development and coding techniques to be in place.
Finally, with all of these PCI DSS processes in place – access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks – make sure that all of these technologies and procedures are running smoothly. Network security controls need to be tested and updated frequently, along with the proper use of network-based and host-based intrusion prevention systems.
Lastly, if cardholder data is shared with service providers, you must create and maintain policies regarding how you manage these relationships and the service providers’ access to cardholder data.
Let PayPal help with data security.
PayPal uses the latest technologies to streamline transactions while implementing methods to help secure card data. If you use PayPal to process credit cards, your customers’ sensitive transaction data never touches your company's servers – helping reduce your PCI DSS compliance requirements.
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
- Visit the PCI Security Standards Council website for a full look at PCI DSS compliance security standards and responsibilities, including training and documents.
- Also, read the PCI DSS Quick Reference Guide from the PCI Security Standards Council to understand the technical and operational requirements of the PCI DSS standard.
Frequently asked questions.
Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right on your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.
Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has no setup fee and a monthly fee of $25 USD.
There are optional features such as additional fraud protection, recurring billing, and buyer authentication. To see the pricing information, click here and then click Get Started Today.
From time to time, PayPal compliance must review accounts to ensure they comply with our User Agreement and global regulatory obligations. In some cases, this means we need to remove bank accounts to comply with these regulations. If your bank account was removed, please add a new bank account.
Agreements between the US and many foreign jurisdictions govern the exchange of account holder information to address local bank secrecy and privacy issues that may be impacted as a result of FATCA's requirements. Information provided to the U.S. Internal Revenue Service ("IRS") or local regulatory agencies pursuant to FATCA is also covered by PayPal's Privacy Statement.
Reasons for Account Limitations
There are several reasons why your account may be limited. Here are some examples:
- Regulatory requirements
- Acceptable Use Policy
- Unauthorized use
  - We believe someone accessed your PayPal account without your authorization
  - Your bank informs us that there have been unauthorized transfers between your PayPal account and your bank account
  - Your debit or credit card issuer alerts us that someone may have used your card without your permission
- Higher-risk activity
  - You received an unusually high number of claims and chargebacks from your buyers, which is an indication of poor seller performance
  - You started selling an entirely new type of product, such as a higher-cost item like jewelry
  - Your typical sales volume increased rapidly, which is out of line with your usual sales patterns
- Inactive account