
PayPal Vault - compliance

To do PayPal stored credit card payments, is the app required to go through any PCI or QSS compliance certification process?

Note: I am using PayPal Vault to store credit card info with PayPal.

If you are using PayPal Vault then you're good to go. Just make sure you aren't saving any credit card details in your database, in log files, or anywhere else.

If you follow those procedures and for any reason you do have to apply for some sort of PCI compliance (usually not the case) then you'll be able to pass quickly and easily with their low-price method.

You shouldn't need to worry about that at all, though, unless you're doing something with hardware maybe or if you're dealing with a particular company that requires it.

If you are passing details to the PayPal Vault (REST API) via HTTPS, the credit card numbers are in the request. Although this is SSL (TLS actually) secured, as the end user is entering credit card details directly on your website before they are passed to PayPal, you would need to go through PCI compliance, SAQ C or even SAQ D I believe.

https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

Have you considered a Braintree integration for this?

Braintree have a fully PCI compliant client side piece (and a very good vault solution.) They are also a PayPal company, and you can also vault PayPal accounts if you need to do that.

They have a quick "drop-in" UI solution: https://www.braintreepayments.com/en-ie/products-and-features/drop-in-ui

Or, if you need something a bit more custom, they have a product called "hosted fields".

Both are fully PCI compliant to SAQ A, so this may be the best solution for you if you want to avoid going through the more difficult PCI compliance audits.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.