简体繁体 English

Paypal支付专业版和pci合规性

[英]Paypal payments pro and pci compliance

原文 2012-09-09 21:14:30 7 2 php/ paypal

I've tried sifting through all the discussions online about PCI compliance when using PayPal payments pro, but there's no clear answer. 在使用PayPal支付专业版时，我已尝试在线查看有关PCI合规性的所有讨论，但没有明确的答案。 Other than having SSL, since I'm not storing cardholder information (I'm only transmitting it), what do I need to do to be pci compliant? 除了拥有SSL之外，由于我不存储持卡人信息（我只是传输它），我需要做什么才能符合pci标准？ I've implemented direct payment, express checkout, and recurring billing. 我已实施直接付款，快速结帐和定期结算。

2 个解决方案

PCI compliance is determined by passing a PCI audit. PCI合规性通过PCI审核确定。 A service can advertise itself as PCI compliant only if it's passed the initial audit and any periodic audits. 只有在通过初始审核和任何定期审核时，服务才能将自己宣传为PCI兼容。

Any service can adhere to the PCI guidelines - and should - but adherence and compliance are two different things. 任何服务都可以遵守PCI准则 - 并且应该 - 但遵守和合规是两回事。

A more direct answer to the question: 更直接的回答问题：

PayPal stores and manages all customer payment information so they shoulder the majority of the burden that comes with adhering to the PCI guidelines. PayPal存储和管理所有客户支付信息，因此他们承担了遵守PCI准则所带来的大部分负担。 In your case, at a minimum you should: 在您的情况下，您至少应该：

Make sure that no financial data is stored on your server (not even in a session cookie). 确保您的服务器上没有存储任何财务数据（甚至不在会话cookie中）。
Collect customer data and transmit it to PayPal in a secure manner. 收集客户数据并以安全的方式将其传输到PayPal。 This usually means using SSL for all customer financial data transmitted to your server, and when re-transmitting this data to PayPal's API. 这通常意味着将SSL用于传输到服务器的所有客户财务数据，以及将此数据重新传输到PayPal的API时。
Keep your software/infrastructure up to date to protect against zero-day exploits and other vulnerabilities. 使您的软件/基础架构保持最新，以防止零日攻击和其他漏洞。

There are a variety of modes you can run Paypal Payments Pro in. If you're using their Hosted Pages or Transparent Redirect or Express Checkout features, you should have an easy time passing any PCI compliance requirements that PayPal imposes on you. 您可以使用各种模式运行Paypal Payments Pro。如果您使用的是托管页面或透明重定向或快速结账功能，您应该可以轻松地通过PayPal对您施加的任何PCI合规性要求。

If you're using their direct payment options (where your site has the credit card numbers themselves), you will have to go through an extensive process which I highly recommend. 如果您使用的是直接付款方式（您的网站本身有信用卡号码），则必须经过我强烈推荐的广泛流程。 If you are collecting credit card #s directly, you might consider using Braintree instead of PayPal because their API is much friendlier and has straightforward documentation and they'll do much of the PCI compliance work for you. 如果您直接收集信用卡#s，您可能会考虑使用Braintree而不是PayPal，因为他们的API更友好且文档简单，他们将为您完成大部分PCI合规工作。

If you do need to use a PCI Compliance consulting company, http://www.panopticsecurity.com/paypal/ has a reasonable rate and they are pretty responsive to questions. 如果您确实需要使用PCI合规性咨询公司， http：//www.panopticsecurity.com/paypal/具有合理的费率，并且他们对问题非常敏感。