
To do PayPal stored credit card payments, does the app require going through any PCI or QSA compliance certification process?

Note: I am using PayPal Vault to store credit card info with PayPal.

jagadeesh m

2 Answers


If you are using PayPal Vault then you're good to go. Just make sure you aren't saving any credit card details in your database, in log files, or anywhere else.

If you follow those procedures and for any reason you do have to apply for some sort of PCI compliance (usually not the case) then you'll be able to pass quickly and easily with their low-price method.

You shouldn't need to worry about that at all, though, unless you're doing something with hardware maybe or if you're dealing with a particular company that requires it.

Drew Angell
  • Okay, thank you. But the issue we are facing is, while trying to do a payment using a stored credit card, we are getting an UNAUTHORIZED_Payment error (HTTP 401) from PayPal. With sandbox, it works well. What could be the issue? Please share your insights on this. – jagadeesh m Sep 08 '16 at 16:21
  • Do we need to sign up for PayPal Payments Pro? Or should we be QSA certified? – jagadeesh m Sep 08 '16 at 16:32
  • Payments Pro doesn't use "vault". Payments Pro would call it reference transactions, which is essentially the same thing, but it works a little differently. Basically it's just a different API you'd be using. "Vault" works with the REST API and does not require Pro. – Drew Angell Sep 08 '16 at 22:16

If you are passing details to the PayPal Vault (REST API) via HTTPS, the credit card numbers are in the request. Although this is SSL (TLS actually) secured, as the end user is entering credit card details directly on your website before they are passed to PayPal, you would need to go through PCI compliance, SAQ C or even SAQ D I believe.

https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

Have you considered a Braintree integration for this?

Braintree have a fully PCI compliant client-side piece (and a very good vault solution). They are also a PayPal company, and you can also vault PayPal accounts if you need to do that.

They have a quick "drop-in" UI solution: https://www.braintreepayments.com/en-ie/products-and-features/drop-in-ui

Or if you need something a bit more custom, they have a product called "hosted fields".

Both are fully PCI compliant to SAQ A, so this may be the best solution for you if you want to avoid going through the more difficult PCI compliance audits.

PeteL
  • I don't think we need to be PCI compliant if we use Vault, and this is the main reason behind the vault feature from PayPal. – jagadeesh m Sep 08 '16 at 16:24
  • I disagree (read the data security standards PDF above) Also, you'll NEED PayPal Pro if you want to do anything with credit cards on the PayPal REST stack (including vault). https://developer.paypal.com/docs/integration/direct/rest-api-payment-country-currency-support/#direct-credit-card-payments you'll probably need to be approved by PayPal for "Reference Transactions" as well. Have fun! – PeteL Sep 12 '16 at 11:26
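Both answers turn on the same practical question: does a card number (PAN) ever land on your server, in your database or in your logs? The first answer says to make sure it does not; the second says that if it transits your server you are in SAQ C/D territory rather than SAQ A. The following is an added example, not code from either answer nor from PayPal or Braintree. It is a small Node.js (standard library only) PAN detector that (a) redacts Luhn-valid card numbers from log lines before they are written, keeping only the last four digits, and (b) reports which fields of an inbound request body carry a PAN, so you can verify that a client-side tokenization flow really only sends you a nonce. The sample log lines and request bodies are constructed; 4111111111111111 is the well-known Visa test number, not a real card.

```javascript
// Added example: detect and redact card numbers (PANs) so nothing card-like reaches
// logs or storage, and so you can prove a PAN never transits your server.
// Node.js standard library only. All sample data below is constructed.

// Candidate: 13-19 digits, optionally separated by single spaces or dashes,
// bounded by non-digits so a longer digit run (e.g. a 20-digit id) is not split.
const CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;

// Luhn check: every PAN passes it, most order ids / timestamps / phone numbers do not.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Return every Luhn-valid candidate in a string, as it appeared (with separators).
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) hits.push(m[0]);
  }
  return hits;
}

// Log formatter: mask Luhn-valid candidates, keep the last four digits (PCI DSS
// permits showing last four), leave non-PAN digit runs readable.
function redactPans(text) {
  return text.replace(CANDIDATE, (match) => {
    const digits = match.replace(/[ -]/g, '');
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) return match;
    return '*'.repeat(digits.length - 4) + digits.slice(-4);
  });
}

// Request-body check: walk a parsed JSON body and return the dotted paths of every
// field that contains a PAN. A tokenized (nonce-only) body should yield [].
function panBearingFields(body) {
  const offenders = [];
  const walk = (value, path) => {
    if (typeof value === 'string' || typeof value === 'number') {
      if (findPans(String(value)).length > 0) offenders.push(path);
    } else if (value && typeof value === 'object') {
      for (const [key, child] of Object.entries(value)) {
        walk(child, path ? `${path}.${key}` : key);
      }
    }
  };
  walk(body, '');
  return offenders;
}

// Constructed sample log lines: one clean, one that leaked a card number.
const SAMPLE_LOG = [
  '2016-09-08T16:21:00Z INFO charge order=1234567890123 amount=49.99',
  '2016-09-08T16:21:01Z DEBUG vault request card=4111 1111 1111 1111 exp=12/20',
];

// Stand-alone demo: redact the sample lines and inspect two constructed bodies.
for (const line of SAMPLE_LOG) console.log(redactPans(line));
console.log(panBearingFields({ payment_method_nonce: 'fake-valid-nonce', amount: '49.99' }));
console.log(panBearingFields({ nonce: 'abc', card: { number: '4111111111111111' } }));

module.exports = { luhnValid, findPans, redactPans, panBearingFields, SAMPLE_LOG };
```

Wire `redactPans` into whatever formats your log records before they are written, and run `panBearingFields` on request bodies in a staging environment (or as a test against your client code) to confirm that a drop-in or hosted-fields integration only ever sends you a nonce. A non-empty result means a PAN crossed your boundary and the SAQ A assumption no longer holds.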