Question

It is clear from various discussions that if I accept the credit card on my site and call Paypal API to pass the CC to Paypal, I have to be PCI compliant as well.

In our solution, the user uses forms on our web page to submit credit card information. We then take this credit card information, send it to Paypal, and receive an ID from Paypal that we can store in the database. In future transactions, the user does not need to enter the credit card information again. We simply send that ID to Paypal in place of the credit card information.

To avoid the PCI nightmare, we want to rely on Paypal tools/widgets to collect this credit card information in a way that we simply receive the corresponding IDs. The question is, does Paypal have such a widget? What are my options?


Solution

Your site will still need to undergo PCI compliance, either with a SAQ A or SAQ A EP, depending on how the application sends the data to Paypal.

Per the PCI Council:

SAQ A: All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI DSS validated third-party service provider(s)

SAQ A-EP: Each element of the payment page(s) delivered to the consumer’s browser originates from either the merchant’s website or a PCI DSS compliant service provider(s)

Overall, the concern is to ensure that the site that is performing the redirect is secure. There is a chance that the site is modified so that the iFrame, direct POST, or other means could be sent to a malicious site.

OTHER TIPS

Have you considered using PayPal Advanced? This account type will allow you to capture the Credit Cards on your site 'within an iFrame' and PayPal will handle all the PCI compliance. The PayPal Advanced account will run you only $5.00 a month vs the $30.00 a month for a Pro account and without the concerns of PCI compliance.

As for using the Transaction ID for future purchases, this feature is known as Reference Transactions and can also be added to your account.

You could also try Braintree. As of December 2013, they're a subsidiary of PayPal.

Paypal has several different APIs you can use. They are listed here:

https://devtools-paypal.com/tryit

I think their Adaptive Payments option might work for you:

https://devtools-paypal.com/guide/ap_simple_payment?interactive=ON&env=sandbox

In this model you would have the customer go through your purchasing process, pick the product, quantity, etc. You determine the price then you follow the PayPal Adaptive Payments API (Specifically the "Simple Payment" function) to send payment details to PayPal including the price you calculate on your side. The user is then redirected to PayPal website where they can enter their credit card information or PayPal account details and accept the charge. They are then redirected back to you along with the payment details and you carry on.

Licensed under: CC-BY-SA with attribution