Join today and get access to 1,000's of books and videos. Learn WordPress, Drupal, Magento, Joomla and more! Sign up today!

PCI Compliancy

6 years 4 months ago - 6 years 4 months ago #112858 by Madcockney
PCI Compliancy was created by Madcockney
Apologies if I have put this in the wrong section of the forum.

I was comparing what Arvixe offer and what is offered by Siteground for shared hosting. (My test sites are on Arvixe, while a club's production site is on SG.) One of the things that was different was PCI compliance, which SG has and Arvixe doesn't, the latter recommending VPS for that. The club has the ability to sell club merchandise via the website using a standard Paypal account. This means that there are no credit card or debit card transactions on the site, and no records as such are held on the site or by club officials other than what was ordered and where it has to be sent to.

Now there appear to be a lot of differing views on this from many different PCI compliance organisations, and even those that specialise in this appear to say that there are many views on what is and what is not required in this situation. I researched the USA, the EU and the UK. (Hosted in Europe; the club is in the UK.) From what I can find out, including what is on the Paypal UK site, as this is not "Paypal Express" the exposure is very limited, as they, Paypal, look after everything. What we may need to do is fill in the annual self-certification certificate and submit it. But to whom, at what cost, and where do you obtain the form from? Not that we are talking many transactions, possibly a hundred or so transactions this way a year.

Has anybody had any experience of this that they can share?


6 years 4 months ago - 6 years 4 months ago #112874 by Nick
Replied by Nick on topic PCI Compliancy
Hi Madcockney,

As far as I'm aware, in the US, using standard Paypal doesn't require any PCI certification, since Paypal handles that all on their end:
www.paypal.com/gd/cgi-bin/webscr?cmd=xpt...omplianceDSS-outside

In your situation, I'd recommend going through www.paypal.com/uk/webapps/mpp/pci and evaluating it based on your situation.

As usual, it's best to consult a lawyer if you have any concerns. Unfortunately, we can't be of much help, since our advice doesn't constitute legal advice.

Kind regards,
Nick

Follow us on Twitter - twitter.com/OSTraining
Like us on Facebook - facebook.com/ostraining


6 years 4 months ago #112890 by Madcockney
Replied by Madcockney on topic PCI Compliancy
Hi Nick,

Thanks for the response. My initial thought was the same as yours, but looking further into it, I am not as certain. I had already seen those Paypal documents, and the UK one is less helpful than the USA one. The UK document says it eases the burden, whereas the US one provides more information.

You would think that as Paypal are handling the transaction then you have offloaded all your responsibilities as far as PCI is involved. After all, when you click the Paypal button you are either taken to their site or this happens in an iFrame on your site, though to all intents and purposes the transaction is on Paypal's site. But there have been debates, etc. on this elsewhere. After all, you can also get one of the gateway companies to do the same, and it appears that you still have to be registered for that. I think that this is one of those things where we will have to assume that the club doesn't until somebody proves otherwise.

This is a bit like the debate over whether your whole site should be protected by SSL, just the shop including the payment area, just the payment area, or not at all because Paypal handle the actual payments. (Though an SSL certificate and encryption do not completely safeguard you, I do feel that it is necessary to ensure a certain level of protection.)


6 years 4 months ago #112892 by Nick
Replied by Nick on topic PCI Compliancy
Hi Madcockney,

You're welcome!

I think you're on track with your reasoning.

As to SSL, I prefer full-site SSL; that way all interactions are for sure encrypted. Also, it has an SEO benefit, plus it's easier to debug.

Kind regards,
Nick

Follow us on Twitter - twitter.com/OSTraining
Like us on Facebook - facebook.com/ostraining
