Question

So after MUCH research online, I'm coming to the one place I know someone will be able to help me!

We have a site that WILL accept credit card payments via PayPal's Classic API. More specifically, we'll be accepting credit cards for recurring payments. I know I have to be PCI compliant, and after speaking to PayPal today, I have been told (in writing) that:

"Once your account has processed over 20 transaction in the last 3 weeks (or 100 in a year), you will be able to register with Trustwave to become PCI compliant."

AND that I

"do not need to prove your compliance before reaching these levels"

Not sure what it is, but something doesn't sit right with me. Mainly, that I think I should be PCI compliant from the get-go. I think what they're saying is that I won't need to prove anything until then, but that I should be PCI compliant.

If anyone could give me a bit of guidance on this, it would be great. Here's a little bit more about our situation:

  1. We will not store ANY customer card details on any system we run.
  2. We send the details to the PayPal API by a regular old HTML POST form.
  3. Recurring payments don't allow for a hosted solution by PayPal, so we are required to do it via our own form.

I'm sure I'm missing something here, but know that someone here will have had experience/be able to point me in the right direction!

Cheers guys!


Solution

You do indeed fall under PCI requirements immediately as a web page in your environment captures card-holder data and then transmits (the key term) it to PayPal. PCI/DSS does not have a volume threshold below which it does not apply.

Perhaps the thing that doesn't feel right is that they are happy to brush off any and all responsibility for your PCI compliance by presenting the option of signing up with "Trustwave", who I guess will present you with a SAQ to fill in and then take care of your quarterly scans.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow