
Old Forums (READ-ONLY): The community now lives at WP Sharks™. If you have an s2Member® Pro question, please use our new Support System.

PCI compliance with Paypal Pro


This topic contains 9 replies, has 4 voices. Last updated by  Cristián Lávaque 3 years, 8 months ago.

Posted: Friday Apr 26th, 2013 at 8:32 pm #48515
hakata
Username: hakata

I was under the impression, based on the explanation in your documentation, that SSL would be sufficient for covering PCI compliance concerns with embedded PayPal Pro forms. This is apparently not enough, according to
http://www.pcicomplianceguide.org/pcifaqs.php#10, http://www.quora.com/What-is-the-difference-between-an-SSL-certificate-being-PCI-compliant, etc.

Since Paypal Pro forms allow customers to input credit card info on the site itself, and not just the site of the payment gateway, the site that hosts the Paypal Pro forms needs to be PCI compliant.

I contacted my host and asked about options, and they basically recommended finding a way around the issue by using a payment gateway. Here is what they said:

“In order to integrate your site with a payment gateway, the payment gateway’s API would need to be used. Though many payment gateways provide an API to pass credit card information directly from your site’s code to the payment gateway, such an API could not be used with our hosting platform as this would mean that the credit card information would be captured and processed by our non-DSS compliant shared PHP servers. As an alternative, you can utilize a payment capture page provided by your payment gateway for the customer to enter in payment information such as with Authorize.Net’s Simple Checkout option, or you can have a customer enter data into a form on your site that would post to a payment collection page at the payment gateway then redirect to an order confirmation page as per the Direct Post Method option of Authorize.Net. The Direct Post Method is more seamless to the customer, though would be more difficult to implement. Both methods would result in a postback response being made to your site from the payment gateway with the results of the transaction so that your application can verify that the payment went through.”

Do the paypal pro forms with S2 Member use something like the “Direct Post Method” described here?

Is there a way to integrate S2 Member with a “payment capture page”? It seems that Paypal may offer something like this in their Paypal Advanced service, but I don’t think that is integrated with S2 Member.

I’ve tried every “easy” work around I can think of, including paypal Express, but that checkout process is really messy.

List Of Topic Replies
Posted: Saturday Apr 27th, 2013 at 8:26 am #48564

Thanks for the great question. I’ll forward it to Jason, who’s the one that coded it and is more familiar with PCI. I’ll let you know when I hear back from him. :)

Posted: Saturday Apr 27th, 2013 at 2:41 pm #48587
hakata
Username: hakata

Thanks, Cristian. I have done a bit more research on this. PCI compliance seems to be the elephant in the room — at least for small businesses that want to outsource hosting of ecommerce sites.

I found this discussion to be helpful:
http://www.sitepoint.com/forums/showthread.php?807314-Rackspace-Customers-cannot-host-shopping-carts-on-the-cloud

Rackspace CloudSites doesn’t allow the PCI scans.
Godaddy doesn’t either. They are pushing you to their shopping cart or to dedicated hardware: http://support.godaddy.com/groups/web-hosting/forum/topic/pci-compliance/ (The link is a bit old, but I think the situation is still the same.)

I went to FireHost and tried to configure a PCI compliant hosting option on their website, but that resulted in a solution that costs more than $800/month.

Also, regarding Paypal Advanced, on the service main page, the rollover for “Simplify PCI Compliance” says, “With this solution, the only remaining requirements are a greatly simplified Security Self-Assessment Questionnaire (SAQ) and Quarterly Security Scans.” — This does not simplify things at all.

Currently, I am waiting for a quote from Rackspace for a PCI compliant solution. I expect this will be expensive.

I can only assume that most small businesses hosting ecommerce sites are just ignoring this issue, which is causing the major hosts to ignore this issue as well, or push the “honest” small businesses toward expensive solutions.

I did have one small stroke of luck — it appears that Amazon Web Services is PCI Compliant, which means that theoretically, I could host WordPress on EC2 and successfully pass the scans…I think.

Posted: Monday Apr 29th, 2013 at 5:40 pm #48670
hakata
Username: hakata

I know this is a complicated question. For now, could you confirm the following:

1) Does S2Member’s integration with Authorize.net utilize the Direct Post Method?
http://developer.authorize.net/api/howitworks/dpm/

If so, just switching the payment gateway seems to be the easiest (and cheapest) solution.

Posted: Tuesday Apr 30th, 2013 at 1:42 am #48759
Bruce
Username: Bruce
Staff Member

Thank you for your patience.

Jason (Lead Developer) wrote an article on PCI compliance here:

Knowledge Base » PCI Compliance (Simplified)

As far as s2Member’s integrations with its payment gateways, they are all PCI compliant, and as long as your server is PCI compliant, s2Member will work just fine for you. :-)

1) Does S2Member’s integration with Authorize.net utilize the Direct Post Method?
http://developer.authorize.net/api/howitworks/dpm/

I do believe this is what s2Member integrates with.

If so, just switching the payment gateway seems to be the easiest (and cheapest) solution.

Payment gateways don’t really have much to do with being PCI compliant. Also, if you’re accepting credit cards directly on your site then you must be PCI compliant, no matter what Payment Gateway you’re using. PCI compliance is dependent on your hosting provider.

Posted: Tuesday Apr 30th, 2013 at 4:07 pm #48817

Great topic! PCI Compliance involves a lot more than most people realize. The guys at https://www.pcihost.com have a great video about it and offer a free consultation. Might be worth a look.

Posted: Tuesday Apr 30th, 2013 at 7:27 pm #48828
hakata
Username: hakata

Thanks so much for the response. Please also extend my thanks to Jason. The knowledge base article was quite extensive and quite helpful. I am glad to see that I am not the only one who spent his weekend thinking about PCI compliance. I am off to get quotes from Hostgator and Firehost. It is helpful to have the recommendations and to finally have a single, clearly-written explanation of what is required.

As an additional suggestion, it might be worth considering future integration with a service like recur.ly which, as I understand it, could eliminate the need for PCI-compliant hosting.

You guys are the best. I have been pleasantly surprised with the level of integration that S2Member provides and the level of support you offer. Keep up the good work…and thanks again.

Posted: Tuesday Apr 30th, 2013 at 8:10 pm #48837
Bruce
Username: Bruce
Staff Member

Please also extend my thanks to Jason.

Will do. :-)

As an additional suggestion, it might be worth considering future integration with a service like recur.ly which, as I understand it, could eliminate the need for PCI-compliant hosting.

I’ll ask our development team about this. We’re looking at a couple new payment gateways for the next major version of s2Member, as well as making integrating new payment gateways easier.

You guys are the best. I have been pleasantly surprised with the level of integration that S2Member provides and the level of support you offer. Keep up the good work…and thanks again.

Thanks for the kudos!

Posted: Friday May 10th, 2013 at 4:56 pm #49711
hakata
Username: hakata

Just a quick update on my PCI compliance adventures. Hope this is helpful for others:

1) Hostgator has been extremely helpful with getting everything set up, addressing PCI compliance issues on the server, etc. This is the most cost-effective PCI hosting solution I have found so far. I’ll update if I experience problems in the future, but so far so good.

2) We tried Trust Guard as our scanning vendor, but it took over three days for them to start a scan. In fact, I canceled the service after 3 days, since the scan had not yet run. I was imagining a nightmare scenario where I would have to wait a week or more for every scan, which could translate into months if there were problems/false positives to address. After my issues with Trust Guard, I contacted Trustwave. I couldn’t find a free trial or a cancellation policy, so I contacted their support prior to purchase. Support seemed friendly but would not answer questions about cancellation/free trial. In the end, I tried McAfee, which I thought would be expensive. Turns out there is a 90-day free trial and the cost of just the PCI scanning service is actually quite reasonable. We are still in the trial, so I have not yet paid for the service. I will update if things change. So far, I have been able to run scans on demand. Scans start immediately. They can also be scheduled for future dates and times. Support is friendly and quick. So far, I am very happy with their service.

Posted: Sunday May 12th, 2013 at 3:32 am #49769

Great! Thank you very much for your updates and sharing what you find helpful. :)
