What you need to know about PCI DSS Compliance.

May 17 2019 | PayPal editorial staff

One of the biggest challenges facing small businesses is responsible and secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and PCI DSS. PCI DSS:
  • Requires any organization that handles card information to follow strict security practices designed to protect customer information.
  • Applies to all businesses that store, process, or transmit cardholder data.
  • Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
1. Build and maintain a secure network.
Building a secure network can be more complicated than it seems, since your business is likely using complex, distributed, cloud-based networking to manage customer data and payment transactions. PCI DSS requires a firewall (or equivalent network security control) between any untrusted network and the systems that handle cardholder data, with rules that permit only the traffic those systems need and deny everything else by default, and it expects those rule sets to be reviewed at least every six months. Network segmentation, that is, keeping the systems that store, process or transmit cardholder data separate from the rest of your environment (internal email, for example), is not itself a PCI DSS requirement, but it is strongly recommended: anything connected to the cardholder data environment is in scope for assessment, so isolating it shrinks the set of systems you must secure and test. Databases holding cardholder data belong in an internal network zone with their own firewall rules, never in a DMZ reachable directly from the internet.
The same challenges exist for managing the configuration and passwords of devices such as routers, firewalls and wireless access points. Vendor-supplied defaults (default accounts, passwords and SNMP community strings) must be changed before a device goes on the network, and unneeded services switched off. Changing passwords regularly and choosing complex ones seem like easy security tasks, yet password mismanagement remains one of the most common ways that businesses' networks are compromised.
2. Protect cardholder data.
PCI DSS goes into great detail about what constitutes cardholder data, what may be stored, and how it must be protected both where it is stored and when it travels. The primary account number (PAN) is the defining element; sensitive authentication data (full magnetic-stripe or chip contents, the card verification code, PINs) must never be stored after authorization, even encrypted. One of the best strategies to protect cardholder data is to avoid storing it on your systems at all. If you must store it, reduce the number of places where it is stored, limit the points from which it can be accessed, and render the stored PAN unreadable (truncation, tokenization, one-way hashing or strong encryption). Watch for PANs leaking into places nobody intended to keep them, such as application logs, crash dumps and support tickets: those become part of your cardholder data environment too.
In addition, data must be encrypted whenever it travels and wherever it is stored. This typically requires using strong cryptography, as well as tools to manage encryption keys and keep encryption up to date.
PCI DSS calls for strong cryptography and security protocols such as TLS, SSH or IPsec to protect cardholder data during transmission over open or public networks, including the internet, wireless, cellular and satellite links. SSL and early TLS (TLS 1.0) no longer qualify as strong cryptography, so check which protocol versions and cipher suites your servers and payment devices actually negotiate, not just that encryption is switched on.
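An added example (not code from the original article or from PayPal) of the advice above to keep cardholder data out of places it does not need to be: a log scrubber that finds primary account numbers in free text before it is written to disk, confirms them with the Luhn check so that ordinary 16-digit order numbers are left alone, and masks each one to its first six and last four digits. The log lines are constructed for illustration, the card numbers are publicly documented test numbers rather than real accounts, and the function names are this example's own.

```python
"""Scrub primary account numbers (PANs) from text before it is logged.

Added example, not from the original article. The sample lines below are
constructed; the card numbers are publicly documented test numbers.
"""
import re

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Real PANs pass it; most order IDs and timestamps do not,
    which keeps the scrubber from mangling unrelated numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the most PCI DSS lets
    you display to staff who have no business need for the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in `text` with its masked form; separators
    inside the number are dropped in the masked output."""
    def replace(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, text)


def scrub_lines(lines):
    """Scrub an iterable of log lines, returning the cleaned lines."""
    return [scrub(line) for line in lines]


# Constructed log lines: a 16-digit order ID that is not a card number, a
# Visa test PAN typed with spaces, and a 15-digit Amex test PAN.
SAMPLE_LINES = [
    "2019-05-17 10:02:11 INFO order=1234567890123456 status=paid",
    "2019-05-17 10:02:11 DEBUG gateway request pan=4111 1111 1111 1111 exp=12/21",
    "2019-05-17 10:02:12 WARN retry for card 378282246310005 declined",
]


if __name__ == "__main__":
    for line in scrub_lines(SAMPLE_LINES):
        print(line)
```

Wire `scrub` into your logging layer as a filter or formatter so it runs on every record, and treat any masked value that shows up in existing logs as a sign that a code path is handling full PANs it should not see.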
3. Create a vulnerability management program.
Malware takes advantage of vulnerabilities in operating systems and application software. Once attackers find a way into your network, they look for unpatched software and system misconfigurations to exploit.
To help prevent this, operating systems and other software must be kept up to date. Apply security patches promptly (PCI DSS expects critical patches to be installed within a month of release), keep anti-malware software running with current signatures, and track newly disclosed vulnerabilities for the products you run. For customized software, whether developed in-house or by a third party, PCI DSS requires secure development and coding practices, including code review and protection against common web application flaws such as injection and cross-site scripting, for every application that touches payment data.
4. Implement strong access control measures.
The access control requirements of PCI DSS call for careful management of who can reach cardholder data and the systems that hold it. Restrict access to the fewest privileges necessary for each user's job function, give every user a unique ID (no shared or generic accounts, so that actions can be traced to a person), and require multi-factor authentication for administrative access into the cardholder data environment and for any remote access from outside your network. Document these access controls in written policies, including the specific privileges granted to each role, and revoke access promptly when someone leaves. Physical access counts too: media and devices that hold or capture card data (paper records, backups, payment terminals) must be physically secured, and terminals inspected periodically for tampering or substitution.
5. Monitor and test networks regularly.
Once you implement strong access controls, you're ready to monitor your systems to make sure the controls are working. Establish processes that track every access to system components and cardholder data, with automated audit trails that record who did what, when, from where, and whether it succeeded. Monitor access to those audit trails themselves, all logins (administrative ones in particular), and failed login attempts, and review the logs daily, by hand or with an automated tool, so that an attack is noticed while it is happening rather than months later. Retain audit trails for at least a year with the most recent three months immediately available, keep system clocks synchronised so events from different hosts can be correlated, and protect the logs from alteration.
With all of these PCI DSS processes in place, access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks, you must also prove that they work. PCI DSS requires quarterly internal and external vulnerability scans (the external ones by an Approved Scanning Vendor), an annual penetration test with retesting after significant changes, intrusion detection or prevention at the perimeter and at critical points inside the cardholder data environment, and change-detection (file-integrity monitoring) on critical system files and logs. Treat each finding as a defect to fix and rescan, not a report to file.
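As an added example (not the article's or PayPal's code) of the failed-login monitoring described in this section: a small analyser that reads OpenSSH authentication log lines, raises one alert when a user/source pair accumulates six failures inside 30 minutes, and separately flags a successful login that follows a run of failures, the trace a correct password guess leaves behind that a lockout counter alone does not surface. The log lines are constructed for illustration; the six-attempt and 30-minute values mirror PCI DSS's lockout rule (no more than six attempts, lockout for at least 30 minutes) but are parameters of this example, not part of any tool.

```python
"""Detect repeated failed logins and success-after-failure in an auth log.

Added example, not from the original article. The log lines are constructed
in the format sshd writes via syslog to /var/log/auth.log; the thresholds
are assumptions chosen to match PCI DSS's lockout rule.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for a login event, or None for lines we do not care about."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog omits the year
        "host": m["host"],
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def find_brute_force(lines, max_attempts=6, window=timedelta(minutes=30)):
    """One alert per (user, source IP) whose failures inside any `window`
    reach `max_attempts`; a sliding deque of timestamps keeps memory bounded."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ok"]:
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts and key not in alerted:
            alerted.add(key)
            alerts.append({"user": ev["user"], "ip": ev["ip"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


def find_success_after_failures(lines, min_failures=3):
    """Flag a successful login preceded by `min_failures` or more failures
    from the same source: the signature of a guessed password."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["ip"])
        if not ev["ok"]:
            failures[key] += 1
            continue
        if failures[key] >= min_failures:
            hits.append({"user": ev["user"], "ip": ev["ip"],
                         "failures_before": failures[key], "at": ev["ts"]})
        failures[key] = 0                    # a success resets the streak
    return hits


# Constructed sample: a password-guessing run against "admin", a short run
# against "dba" that ends in a success, and normal logins that should not fire.
SAMPLE_LOG = [
    "Mar 12 10:01:05 pos-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:01:09 pos-db01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:01:14 pos-db01 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2",
    "Mar 12 10:01:20 pos-db01 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51041 ssh2",
    "Mar 12 10:01:27 pos-db01 sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 51052 ssh2",
    "Mar 12 10:01:33 pos-db01 sshd[2109]: Failed password for invalid user admin from 203.0.113.7 port 51060 ssh2",
    "Mar 12 10:05:41 pos-db01 sshd[2140]: Failed password for dba from 198.51.100.23 port 40112 ssh2",
    "Mar 12 10:05:48 pos-db01 sshd[2140]: Failed password for dba from 198.51.100.23 port 40112 ssh2",
    "Mar 12 10:05:55 pos-db01 sshd[2140]: Failed password for dba from 198.51.100.23 port 40112 ssh2",
    "Mar 12 10:06:02 pos-db01 sshd[2142]: Accepted password for dba from 198.51.100.23 port 40118 ssh2",
    "Mar 12 11:30:10 pos-db01 sshd[2310]: Failed password for dba from 10.10.5.4 port 55001 ssh2",
    "Mar 12 11:30:20 pos-db01 sshd[2312]: Accepted password for dba from 10.10.5.4 port 55003 ssh2",
    "Mar 12 11:31:00 pos-db01 sshd[2320]: Accepted publickey for backup from 10.10.5.9 port 55100 ssh2",
]


if __name__ == "__main__":
    for a in find_brute_force(SAMPLE_LOG):
        print("brute force:", a)
    for h in find_success_after_failures(SAMPLE_LOG):
        print("success after failures:", h)
```

To run it over a live host, pass the open file (`find_brute_force(open("/var/log/auth.log"))`); the pattern only covers sshd password and public-key events, so feed it from your log collector or extend `AUTH_RE` for other services.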
6. Develop an information security policy.
Finally, you must maintain a policy that addresses information security for employees and contractors. An effective security policy informs employees what is expected of them when it comes to protecting cardholder or other sensitive data. The policy also provides your IT department with clear security instructions and objectives. You’ll need to use this written policy to educate people when they’re hired, and to remind them of rules on an annual basis. You must also verify that the policy is available to all relevant users, including vendors, contractors, and business partners.
If cardholder data is shared with service providers (hosting, payment gateways, managed security), you must also maintain policies for managing those relationships: a list of the providers and the services each performs, written agreements in which each provider acknowledges responsibility for the cardholder data it handles, due diligence before engaging them, and an annual check on their PCI DSS compliance status.
Let PayPal help with data security.
PayPal uses the latest technologies to streamline transactions while implementing methods to help secure card data. If you use PayPal to process credit cards, your customers' sensitive transaction data never touches your company's servers, helping reduce your PCI DSS compliance requirements.
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.


Frequently asked questions.

PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right on your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has no setup fee and a monthly fee of $25 USD.

There are optional features such as additional fraud protection, recurring billing, and buyer authentication. To see the pricing information, click here and then click Get Started Today.
"FATCA" is the Foreign Account Tax Compliance Act, which is a United States law designed to combat tax evasion by US persons (individuals or entities) that fail to report income related to non-US accounts. FATCA requires some of PayPal's non-US subsidiaries to collect information from their account holders to determine whether accounts are held by US persons (as defined by FATCA).

Agreements between the US and many foreign jurisdictions govern the exchange of account holder information to address local bank secrecy and privacy issues that may be impacted as a result of FATCA's requirements. Information provided to the U.S. Internal Revenue Service ("IRS") or local regulatory agencies pursuant to FATCA is also covered by PayPal's Privacy Statement.
If your account is limited, we'll send you an email with the reason for that limitation. For your convenience, we always list the steps to remove the limitation in the Resolution Center under Steps to Remove Limitation.

Reasons for Account Limitations
There are several reasons why your account may be limited. Here are some examples:
  • Regulatory requirements
Your account could be limited in order to comply with regulatory requirements. For example, requesting certain products, like a debit card, can trigger federal and state laws, and we may limit your account while we work together to satisfy those requirements.
  • Acceptable Use Policy
Likewise, if you’re not in compliance with our Acceptable Use Policy, you’ll find that your account has been limited. Selling banned items such as prescription drugs or guns is an example of a violation of the Acceptable Use Policy.
  • Unauthorized use
We may limit your PayPal account to protect you from potential losses and review any fraudulent activity if:
  • We believe someone accessed your PayPal account without your authorization
  • Your bank informs us that there have been unauthorized transfers between your PayPal account and your bank account
  • Your debit or credit card issuer alerts us that someone may have used your card without your permission
  • Higher-risk activity
Another reason why your account could be limited is seller performance indicating your account is high risk. Examples include:
  • You received an unusually high number of claims and chargebacks from your buyers, which is an indication of poor seller performance
  • You started selling an entirely new type of product, such as a higher-cost item like jewelry
  • Your typical sales volume increased rapidly, which is inconsistent with your usual sales patterns
In these cases, your account may be limited while we do a review.
  • Inactive account
We may also limit your PayPal account if you haven’t used it much since you signed up. To restore full access to your account, log in and provide proof of identity (such as a copy of your driver’s license or state ID). Go to your Notifications center to upload documents.
PayPal is required by the U.S. Internal Revenue Service (IRS) to report information about account holders who receive payments for goods and services in excess of certain transaction and payment volume thresholds. This information must be provided for U.S. PayPal accounts and may also be required for account holders outside of the United States (if the holder of a non-U.S. account is a U.S. person).

In order to satisfy these reporting obligations (including filing Forms 1099-K when necessary), PayPal must collect information from our customers (like their TIN and name).

U.S. citizen or other U.S. person/entity

Customers who exceed the reporting thresholds set by the IRS ($20,000 USD and 200 transactions) will be asked to confirm their U.S. taxpayer status and to provide their U.S. taxpayer identification number (SSN, EIN, ITIN) and name.

When you need to confirm your U.S. taxpayer status, we’ll let you know by email and by notifications that you’ll see when you log in to your PayPal account. Click the link provided in the email or in the notification and enter the requested information.

The information you provide will be compared to the information on file with the IRS. If it doesn’t match, you’ll be able to review and edit the information up to three times. If the information cannot be verified, you’ll be asked to also provide your address and certify your information. (This is the same information collected in the IRS Form W-9.)
If you have multiple PayPal accounts, you’ll need to confirm your taxpayer status for each account.

If the IRS has notified you that you are currently subject to backup withholding, don’t submit your information online. Instead, contact PayPal Customer Service for assistance with confirming your taxpayer information at 1-888-221-1161 (1-402-935-2050 if calling from outside the U.S.).

Non-U.S. person/entity
Customers who exceed the reporting thresholds ($20,000 USD and 200 transactions) set by the IRS will be asked to confirm their U.S. taxpayer status. If you are not a U.S. citizen or U.S. entity, you’ll be asked to certify that you’re not subject to U.S. income tax in our online form.

When you need to confirm your U.S. taxpayer status, we’ll let you know by email and by notifications that you’ll see when you log in to your PayPal account. Click the link provided in the email or in the notification and enter the requested information.

If the account owner becomes a U.S. person or entity or becomes subject to U.S. income tax, the account owner will notify PayPal within 30 days.

State of Vermont and Massachusetts residents

In Vermont and Massachusetts, the reporting thresholds have changed with respect to tax years beginning with 2017, and PayPal is required to report all transactions greater than $600 USD (for Vermont) or $600 USD or greater (for Massachusetts) (instead of $20,000 and more than 200 transactions). All customers in Vermont or Massachusetts who meet the applicable threshold have been requested to provide their TIN and a pre-warning (Compliance-US IRS Verifications) has been placed on their account.
