PayPal Handles PCI Compliance for SMB Ecommerce Merchants

PayPal updates Payflow Link to provide merchants with PCI peace of mind.

While the phrase PCI compliance is enough to make a small business ecommerce merchant groan, the reality for merchants is that compliance is required in this day and age of online shopping -- regardless of the size of your online business.

PCI Compliance Explained

The Payment Card Industry Data Security Standard (PCI DSS) is designed to be a baseline minimum standard for credit card security. In a nutshell, PCI DSS is a security process to help you identify all parts of your business that are vulnerable to theft, ranging from how you dispose of paper records to how you transmit and store personally identifiable information online -- including your customers' credit card information.

To achieve PCI compliance, an online retailer must meet all PCI DSS requirements. Lee Castro, a senior marketing manager at PayPal, said that when it comes to being in compliance with PCI regulations, a lot of responsibility falls to the merchant.

"Some of the responsibilities for merchants include building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability-management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy," he explained.

The problem most small business ecommerce site owners will face is putting the infrastructure into place to meet those requirements. The approach that merchants use in meeting these requirements is an important business consideration.

“Merchants can decide to build and maintain the infrastructure to meet these requirements themselves, or they can outsource that infrastructure by using a third party, like PayPal, that stores, transmits, and processes the data on their behalf. The decision is certainly a key decision for the merchant, as it has implications in terms of overall cost and time investment,” Castro said.

Outsourcing PCI Security and Compliance to PayPal

Working to assist small business site owners and online merchants in tackling PCI compliance, PayPal recently announced a significant update to PayPal Payflow Link that provides merchants with "PCI peace of mind" and buyers with a streamlined purchasing experience.

“Our recent PayPal Payflow update allows merchants peace of mind when it comes to PCI compliance management. PayPal achieves this by offering hosted templates that ensure that sensitive cardholder data is stored, transmitted, and processed by PayPal, not the merchant,” said Castro. “As a result, merchants can stay focused on future business growth instead of website security.”

In this way, PayPal acts as a trusted third party that stores, transmits, and processes credit card data on behalf of the merchant and also assumes the responsibility of keeping customers’ information safe and the transaction secure to meet PCI requirements. As part of your ongoing PCI compliance management you will still need to periodically certify your compliance with PCI regulations, but by outsourcing the infrastructure, that certification workload is greatly reduced.

Embedded Checkout Templates

One issue that merchants may face when outsourcing PCI compliance is offloading the security work while still providing a seamless transaction process for the customer. In most cases merchants want to give customers that level of PCI security, but they also don’t want customers to notice that another party has entered the transaction process.

PayPal addresses this with Payflow Link’s embedded checkout template, so your customers do not have to leave your site during the checkout process to buy securely. This, according to PayPal, creates an efficient and secure transaction that meets key expectations of the shopping experience.

“The element that stands out in terms of consumer preference is those sites that offer the most efficiency. A key part of delivering that efficiency is having a streamlined shopping experience that doesn’t redirect the customer,” said Castro. “The seamless process means that the customer will be less likely to abandon the sale as a result of additional websites and windows to navigate.”

PayPal’s Payflow Link tool is available to merchants who want to conduct sales and transactions from their own website or online Web store.


Vangie Beal is a veteran online seller and frequent contributor to She is also managing editor of You can tweet with her online @AuroraGG.
