thirty bees forum

PCI Compliance


AndyC

Hey All

I am using PayPal and Braintree for my payments. I am not storing any card details, only a reference number in regards to the transaction and of course PayPal ... Do I really need to be PCI compliant, or is SSL enough?

More of a curiosity than anything else as I am failing on 5 minor items at the moment.


  • 7 months later...

Bringing this up again as I never got an answer.

I now use both Nochex and PayPal, so do I really still need to be PCI compliant? I am being chased to get my site compliant. They say I have to be, but I have read I don't have to be if I use off-site payments like PayPal.

thanks


If you don't collect card info on your website, then it's not necessary to be PCI compliant. If you, however, have some card info input form on your site, then you should be. For example, the Stripe module lets you include a card form directly on your checkout page. It's better to disable this option and just redirect your customers to the Stripe website.


46 minutes ago, AndyC said:

Bringing this up again as I never got an answer.

I now use both Nochex and PayPal, so do I really still need to be PCI compliant? I am being chased to get my site compliant. They say I have to be, but I have read I don't have to be if I use off-site payments like PayPal.

thanks

Who is chasing? Who says you have to be?


The PCI company Security Metrics, because my Braintree is failing and as I have changed to off-site options... I had to have them when I was taking money direct from my website with Braintree (PayPal), which I understand. Now that I don't, I shouldn't really need it.


I hate those reports, I make most of it up 🙂

The only reason we need it is because we use the PayPal virtual terminal system to take card payments over the phone. Otherwise you don't need it. If you only ever take payments via the website and the customers are directed to the PayPal / Nochex site then it is not needed.

PayPal and Nochex will let you know if they need it - perhaps be proactive and talk to them directly as they know your account status


Elavon had or has a system like Security Metrics.
I had to keep trying answers until they passed the test, then work out how to do what I had said in the answers, mainly about storing of card numbers in case I needed to give a refund. Putting old phone notebooks full of card details in the paper recycling bin outside where I live was the wrong answer. Nowadays I don't bother with Elavon but am still careful about card numbers.

Taking the odd payment over the phone and typing it into Stripe via https://dashboard.stripe.com/payments | NEW has not got me arrested and Stripe don't require a PCI test. 

Online-only payments via Paypal have never led me to need a PCI test.


Yes, it is the same thing. It took me ages to pass my one as my hosting (SiteGround) had to do all sorts of changes, and it took them ages to figure out what needed doing. Yep, PayPal have their own PCI as you are in theory going to their website to pay. All we end up with is a reference number.
