• Holoman1337

    (@holoman1337)


    Hi

    I have s2member pro and was planning on integrating a checkout and pro-form onto my website. However, after reading PayPal's guidelines, it seems in order to do so I would have to jump through a lot of hoops to be PCI compliant.

    So I want to leave all that to PayPal and have them handle card details etc., but I still want to use the PayPal pro-form rather than the button so that people can register at the same time as paying and the checkout process is smoother.

    My question is, if I use the pro-form but remove all options except PayPal, does this (as I believe it does) mean I do not have to be PCI compliant?

    https://www.ads-software.com/plugins/s2member/

Viewing 4 replies - 1 through 4 (of 4 total)
  • KTS915

    (@kts915)

    If you use the Pro form with regular PayPal rather than PayPal Pro, you do not have to be PCI compliant. You don’t need to delete the other payment methods, because they would still be handled on the PayPal website.

    More important to me, though, is to refute the idea that “I would have to jump through a lot of hoops to be PCI compliant.” That’s just not true.

    Most of what’s necessary for PCI compliance has almost certainly already been put in place by your payment processor (in your case, PayPal) or host.

    The extra bit you need to provide is SSL, which you should be able to purchase through your host quite easily. If your host offers SSL via SNI, it should be pretty inexpensive.

    In fact, if you use Stripe, then even SSL isn’t actually required, although I’d still recommend it because users expect to see the padlock sign when they enter credit card details.

    Thread Starter Holoman1337

    (@holoman1337)

    Sorry, but I'm not sure we are talking about the same thing. Direct payment is not allowed without PayPal Pro; the s2member pro-form collects the credit card info, not PayPal. I get the following error when trying to use the pro-form with a credit card without a PayPal Pro account:

    “DPRP is disabled for this Merchant”

    Also, if the user is inputting their credit card information on your website itself, being PCI compliant is not just about SSL; the entire server the website is hosted on has to be compliant, which most web hosts' servers aren't. It needs regular security scanning as well as having websites on the same server separate and secure. Most web hosts have multiple websites hosted on the same server.

    What I want is for a user to have no choice but to input their credit card info after being directed to PayPal's PCI compliant site, relieving me of the obligation for PCI compliance.

    At the moment, though, I'm not sure just deleting the other options does that, and I also have the problem that the PayPal option in the pro-form doesn't allow someone to pay by credit card without creating a PayPal account.

    KTS915

    (@kts915)

    Last time I used the Pro form with regular PayPal, the user could pay using a credit card, provided that, when directed to PayPal, s/he selected to pay as a “guest”.

    As for the rest, this is partly a matter of choosing your host wisely, and partly a question of distinguishing fact from perception.

    For Stripe, for example, it appears that the user is entering his or her credentials on your website. But that isn't actually what's happening. The data is being transmitted directly to the Stripe servers.

    Thread Starter Holoman1337

    (@holoman1337)

    Ah, I think I found the problem: it is a recurring subscription, and PayPal does not allow the 'optional account' feature to be turned on unless it's a one-off payment. So everyone will have to sign up to PayPal; I don't like that at all.

    I'll look into Stripe; it could be a better alternative.

    Thanks

  • The topic ‘PCI compliance’ is closed to new replies.