Question about Gateway, Paypal API, and PCI scope

This forum is dedicated to answering AbleCommerce 7.0 questions about PCI certification and compliance.
kupakia
Ensign (ENS)
Posts: 11
Joined: Wed Sep 17, 2008 7:36 am

Question about Gateway, Paypal API, and PCI scope

Post by kupakia » Mon Jun 01, 2009 4:23 pm

First allow me to explain our configuration. Currently we have a PayPal gateway set up with API key/password. We do not allow storage of credit card information. We have methods for Visa, MC, Discover, etc., all using PayPal for the gateway. This all functions as it should, no problems there.

Originally, when I set up the system it was my understanding that using this setup as listed above would keep our servers out of PCI scope. Can anyone comment further on this and give me some insight as to how this is possible and what setup I can use to keep our servers out of scope? We do not technically store any credit card data nor (as far as I know) do we temporarily house the data. If anyone can help me, it would be greatly appreciated. I just need some facts.
Thank you,
KupaKia!

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Question about Gateway, Paypal API, and PCI scope

Post by Logan Rhodehamel » Mon Jun 01, 2009 4:47 pm

That doesn't sound quite right. Unless you completely offload the collection of cardholder data, you are going to fall under PCI.

Example 1 (falls under PCI)

Customer gives card info to merchant website
merchant server sends card data to processor
processor returns result code to merchant

Example 2 (can avoid PCI)

Customer completes order on merchant site
merchant forwards customer to hosted payment processor page
customer provides payment details to payment processor
payment processor notifies merchant of payment results
Cheers,
Logan

If I do not respond to an unsolicited private message, it's not because I'm ignoring you. It's because the answer to your question is valuable to others. Try the new topic button.
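The two flows in the post above differ in one thing: whether the card number ever reaches the merchant's code. The following is an added example, not code from the thread, from AbleCommerce or from PayPal, that sketches both shapes in Python. The processor URL, the field names, the HMAC-over-sorted-fields signature and the shared secret are all assumptions for illustration; a real hosted-page product has its own notification format and verification method. The practitioner caveat it adds to Example 2 is that the merchant must verify the processor's result notification (signature, order match, no replay) before marking an order paid, because that notification is now the only evidence of payment the merchant ever sees.

```python
"""Added example (not from the forum thread): two shapes of checkout handler.

Example 1 shape: the merchant server receives the card number and forwards it
to the processor itself, so the server is in PCI scope.
Example 2 shape: the merchant only redirects the customer to a processor-hosted
page and later consumes a signed result notification. The only payment data
the merchant sees is an order id, a status and a processor reference.

Processor endpoint, field names and HMAC signing scheme are assumptions.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

CARD_FIELDS = {"card_number", "cvv", "expiry"}


def touches_cardholder_data(form):
    """True if a request reaching the merchant server carries card data.
    Any handler that can return True here is in PCI scope (Example 1)."""
    return bool(CARD_FIELDS & set(form))


def charge_via_api(form, send_to_processor):
    """Example 1 shape: the merchant server forwards the card number itself."""
    payload = {
        "amount": form["amount"],
        "card_number": form["card_number"],
        "expiry": form["expiry"],
        "cvv": form["cvv"],
    }
    return send_to_processor(payload)  # card data transited the merchant: in scope


SHARED_SECRET = b"constructed-shared-secret"  # assumed to be issued by the processor


def sign(params, secret=SHARED_SECRET):
    """HMAC-SHA256 over the sorted key=value pairs (assumed scheme)."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def build_hosted_redirect(order_id, amount, currency, return_url):
    """Example 2 step 2: send the customer to the processor-hosted page.
    The merchant never sees the card; it only signs the order details."""
    params = {"order_id": order_id, "amount": amount, "currency": currency,
              "return_url": return_url, "nonce": secrets.token_hex(8)}
    params["sig"] = sign(params)
    return "https://hosted.example-processor.test/pay?" + urlencode(params)


def handle_notification(notification, expected_order, seen_refs):
    """Example 2 step 4: accept the processor's result only if it is authentic,
    matches the order we sent, and has not been seen before.
    Returns (ok, reason)."""
    # The notification must never carry card data; refuse it if it does,
    # otherwise this endpoint quietly pulls the server back into scope.
    if CARD_FIELDS & set(notification):
        return False, "cardholder data in notification"
    sig = notification.get("sig")
    if sig is None:
        return False, "unsigned notification"
    unsigned = {k: v for k, v in notification.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned), sig):
        return False, "bad signature"
    for field in ("order_id", "amount", "currency"):
        if unsigned.get(field) != expected_order[field]:
            return False, f"{field} mismatch"
    ref = unsigned.get("processor_ref")
    if not ref or ref in seen_refs:
        return False, "missing or replayed processor_ref"
    if unsigned.get("status") != "COMPLETED":
        return False, f"status {unsigned.get('status')}"
    seen_refs.add(ref)
    return True, "paid"


def processor_notification(order, status, ref, secret=SHARED_SECRET):
    """Constructed stand-in for the processor side: builds a signed callback."""
    body = {"order_id": order["order_id"], "amount": order["amount"],
            "currency": order["currency"], "status": status, "processor_ref": ref}
    body["sig"] = sign(body, secret)
    return body


if __name__ == "__main__":
    order = {"order_id": "1001", "amount": "49.95", "currency": "USD"}
    print(build_hosted_redirect(**order, return_url="https://shop.example/return"))
    seen = set()
    print(handle_notification(processor_notification(order, "COMPLETED", "TX1"), order, seen))
    print(handle_notification(processor_notification(order, "COMPLETED", "TX1"), order, seen))
```

The scope question is answered by `touches_cardholder_data`: if any request your server accepts can contain those fields, you are in Example 1 regardless of whether you store them. The second half shows why Example 2 is not merely "redirect and forget": the order amount is checked against what the merchant originally sent, the processor reference is tracked so a captured notification cannot be replayed to mark a second order paid, and the status is checked explicitly rather than treating any callback as success.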

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Question about Gateway, Paypal API, and PCI scope

Post by Logan Rhodehamel » Mon Jun 01, 2009 4:52 pm

If you are a small (<20000 transactions / year) merchant, compliance with PCI is not too terrible. The biggest aspect is the quarterly scan. You can use something like this:

http://www.mcafeesecure.com/us/pci-intro.jsp
Cheers,
Logan

kupakia
Ensign (ENS)
Posts: 11
Joined: Wed Sep 17, 2008 7:36 am

Re: Question about Gateway, Paypal API, and PCI scope

Post by kupakia » Mon Jun 01, 2009 5:12 pm

I think I fall uncomfortably under example #1. I am fine with the PCI scans; we have one box that is currently scanned, I do fine with it, and I am up on keeping my systems as secure as possible. However, our PCI committee rightfully does not want this at all. So I need to get myself into example two, which presents me with some problems.

One problem may be unsolvable, I will have to look into it. My only concern is that since I use PayPal as my gateway; is there a way to get myself into that situation without forcing our customers to create a PayPal account? Any help would be greatly appreciated. Thank you kindly for your fast response as well, it is certainly nice to get such helpful answers.
Last edited by kupakia on Mon Jun 01, 2009 7:32 pm, edited 1 time in total.

Logan Rhodehamel
Developer
Posts: 4116
Joined: Wed Dec 10, 2003 5:26 pm

Re: Question about Gateway, Paypal API, and PCI scope

Post by Logan Rhodehamel » Mon Jun 01, 2009 5:27 pm

Currently, PayPal is the only gateway supported by AbleCommerce that operates as you specify. The downside as you note is customers have to have a PayPal account to complete the purchase.

It would take some customizing, but PayPal also has a product called PayFlow Link. This is a solution that uses a hosted payment page that can be customized. I do not believe this solution requires a PayPal account for the customer. I also believe it would allow you to maintain the same merchant account via PayPal, but you would have to discuss that with their sales team directly. I know it uses the same PayPal Manager as the Website Payments Pro that I think you have configured now.

The bottom line is you have to get responsibility for collection of cardholder data off of your server if you want to avoid PCI.
Cheers,
Logan

kupakia
Ensign (ENS)
Posts: 11
Joined: Wed Sep 17, 2008 7:36 am

Re: Question about Gateway, Paypal API, and PCI scope

Post by kupakia » Mon Jun 01, 2009 7:28 pm

Logan_AbleCommerce wrote:Currently, PayPal is the only gateway supported by AbleCommerce that operates as you specify. The downside as you note is customers have to have a PayPal account to complete the purchase.

It would take some customizing, but PayPal also has a product called PayFlow Link. This is a solution that uses a hosted payment page that can be customized. I do not believe this solution requires a PayPal account for the customer. I also believe it would allow you to maintain the same merchant account via PayPal, but you would have to discuss that with their sales team directly. I know it uses the same PayPal Manager as the Website Payments Pro that I think you have configured now.

The bottom line is you have to get responsibility for collection of cardholder data off of your server if you want to avoid PCI.
That makes sense and I appreciate the time you took to answer my questions. I will explain this out and work on a solution tomorrow. Thank you again for the fast responses and helpful answers!!

kupakia
Ensign (ENS)
Posts: 11
Joined: Wed Sep 17, 2008 7:36 am

Re: Question about Gateway, Paypal API, and PCI scope

Post by kupakia » Tue Jun 02, 2009 10:39 am

Logan_AbleCommerce wrote:It would take some customizing, but PayPal also has a product called PayFlow Link. This is a solution that uses a hosted payment page that can be customized. I do not believe this solution requires a PayPal account for the customer. I also believe it would allow you to maintain the same merchant account via PayPal, but you would have to discuss that with their sales team directly. I know it uses the same PayPal Manager as the Website Payments Pro that I think you have configured now.
I hate to add to this thread since the original question has been answered. But, as it turns out, I do have another question. I talked to PayPal and we're working on the PayPal Link change. I am waiting to talk with their support people about specifics. You mentioned above that "It would take some customizing". Are you referring to the custom set-up for the PayPal collection page, or are you referring to customizing AbleCommerce? I know you mentioned it would use the same PayPal Manager as Website Payments Pro. I was looking for reference material for this type of setup, but could not find much.
Thank you again!
