I have tried calling PayPal themselves, and the rep on the phone didn't even know Payflow Link could work this way, so I don't trust his advice. All my searching has encountered mixed answers.
I am building an ecommerce site using Payflow Link, where the CC processing is handled on Paypal hosted pages. However, I am consider implementing the advanced integration method, whereby customers input all the CC info on a form hosted by my server, but the form gets POST'ed over SSL directly to Paypal's servers. Using this method, I can maintain the branding of my site except for the required Paypal reciept page.
The CC information, using this method, should never touch my servers. Are they required to be PCI compliant? From a technical standpoint, I can't see why it should, but from a legal standpoint, I get lost in the jargon of the PCI-DSS documents. The site does roughly 1000 transactions a year.
I'm exploring the same issue. From talking to our PCI compliance vendor, it sounds like MikeH is incorrect. Because we're hosting the form on our web site, the server itself needs to be PCI compliant. That's because the form could be hacked if the server is not secure.
I see two options:
Keep the form on our site. Make the server secure (our web host does not currently pass the PCI scan, they are working on it). Fill in the much longer and detailed SAQ Validation Type 5 (Questionnaire D).
Use Payflow Link's credit card capture form. Won't need to worry about the server, can then use the much shorter SAQ Validation Type 1 (Questionnaire A). But, we lose branding and may lose sales because the Payflow Link pages look so different.
The SAQ D is ugly :-(
Using the model you are proposing, you do indeed have to be PCI-compliant, but at a much less restrictive level than you would if the data touched your server.
For details, goto https://www.pcisecuritystandards.org/saq/instructions_dss.shtml and click on the link for SAQ Validation Type 1 (Questionnaire A). This will tell you exactly what parts of the PCI DSS you must implement as a merchant with all cardholder functions outsourced.
Hope this helps!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With