Recurring debit/credit card payments via PayPal without PCI compliance

Question

Developing a site that requires monthly subscriptions via PayPal. If a buyer has an account this is no problem via ExpressCheckout. The client has a (UK-based) Pro account though and wants to provide the option of payment by card.

As far as I can work out from the 'Website Payments Pro Integration Guide' this requires setting up a dual payment option on my site, giving the user the option of paying 'via Paypal' (ie ExpressCheckout) or by card, at which point my site would provide a PCI compliant card capture form that would submit to PayPal using DirectPayment. Going through PCI compliance isn't really an option. It seems weird that PayPal doesn't offer a hosted solution for this, or am I just being stupid?

TL;DR: Is it possible to process recurring card payments via PayPal in the UK using a PayPal hosted card capture form?

Site is bespoke PHP.

Answer 1

The PayPal API allows for recurring payments with Direct Payment:

Recurring payments with Direct Payment enables a recurring payment to be associated with a debit or credit card.

[...]

The CreateRecurringPaymentsProfile response contains a Profile ID, which is an encoded string that uniquely identifies the recurring payments profile.

PayPal holds the account number and other pertinent information (including billing frequency) while your application stores the Profile ID.

PCI compliance is never an option. It is always a requirement. However, the rules for compliance are far less stringent (including forgoing auditing) for companies that don't perform a high volume of transactions per year.