A few of my clients have recently been requested by PayPal to go through the PCI compliance process, despite their web site not handling or processing any customer or payment details. They all use Checkfront as their booking system, which is entirely third-party hosted and uses PayPal as the payment processor.
In other words, the customer’s web site really takes no part in the booking or payment process. And yet PayPal insist on PCI compliance. I’ve discovered that there is little mileage in explaining this to PayPal – they won’t budge on their position.
So what can you do? Unfortunately, the only option I’ve found to keep PayPal happy is to go through the TrustWave compliance process that PayPal recommend. Be prepared to lose about an hour of your life filling in the form, and should your business not actually meet the standards for PCI compliance then you might have a few DAYS of work to become compliant as you set up firewall rules, write security policy and harden your IT infrastructure against hackers.
Interestingly, many of the PCI requirements overlap with the requirements for the new Cyber Essentials Certificate being promoted by the Government, so it might be worth seeing if you can get a £1,500 Cyber Essentials grant to help you. Contact us to help you achieve your Cyber Essentials Certification.
What really gets me annoyed is when you start the process of PayPal / TrustWave PCI Compliance, you get to this screen early on:
The field “Other Details” is pre-filled and you can’t change it. It states that “customer do enter credit cards directly on your web site”. In ALL cases this is NOT TRUE for my clients that have been asked to do PCI Compliance by PayPal. So when I phoned TrustWave to ask how I could change this field so I could answer all questions honestly (and have to answer many fewer questions later on!) I was told that PayPal insist the question is “locked”, forcing everyone to fill in the full questionnaire. Oh, and so pay a full fee to TrustWave.
It all seems a bit like collusion to me, and is certainly an unnecessary burden on SMEs.
What do you think?