PCI DSS Attestation Of Compliance

nchilton
Contributor

My company uses PayPal as a service and we need to have a copy of PayPal's Attestation Of Compliance certificate.  Anyone know the contact where I can get it from?


sharpiemarker
Esteemed Advisor

Try contact number on this page:

https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=merchant/pci_compliant_solution


Kudos & Solved are greatly appreciated. 🙂

nchilton
Contributor

We called the number on there and the person who answered had never heard of PCI DSS.  Which is slightly worrying, as they are the help line, and not knowing about something as crucial as PCI DSS is obviously a training issue and completely useless to me.

I have sent an email, sent feedback and had no response.

There really should be a link to request the certificate for merchants who use the service, as it is a PCI DSS requirement for a merchant to hold a copy of all service providers' AOCs.


DPCreations
Frequent Advisor

If you have a merchant account, you, as the merchant, need to comply with PCI security standards and you need to complete a PCI security assessment each year to get your certificate.  Users of PayPal services are NOT merchants and do not need to comply with PCI standards.  PayPal is the merchant and PayPal needs to comply with the security standards; that's all.

If you want to have your own certificates, then it's best to have a merchant account with a processor such as FirstData.


AnActualQSA
New Community Member

@DPCreations wrote:

If you have a merchant account, you, as the merchant, need to comply with PCI security standards and you need to complete a PCI security assessment each year to get your certificate.  Users of PayPal services are NOT merchants and do not need to comply with PCI standards.  PayPal is the merchant and PayPal needs to comply with the security standards; that's all.

If you want to have your own certificates, then it's best to have a merchant account with a processor such as FirstData.

This is absolutely false information and should be disregarded.


DPCreations
Frequent Advisor

@AnActualQSA

You are totally incorrect.  PayPal does hold the merchant account.


rlmoorex
New Community Member

"Users of PayPal services are NOT merchants and do not need to comply with PCI standards."

Are you serious?! In the context of the conversation, that is *so* wrong.

The PCI DSS covers people, process, and technology. So if the entity has individuals accepting cardholder data via telephone, or *any* other workflow that involves CHD, then you have just advised the organization to break the law. Congratulations.


DPCreations
Frequent Advisor

@rlmoorex

To what point is your reference?  It doesn't relate to any previous comments on this thread.


Durin
New Community Member

This does not answer the original AoC question, but I found this as it pertains to whether you still need to be PCI DSS compliant when using PayPal...

https://www.pcicomplianceguide.org/my-site-uses-paypal-so-im-not-subject-to-the-pci-dss-right/


How PayPal relates to PCI compliance

There is some confusion among online businesses over how PayPal payment acceptance relates to PCI compliance. You may have heard that by using PayPal, your business is not subject to the PCI DSS.

The truth is, even accepting PayPal payments requires you to be PCI compliant. In this scenario, it is helpful to think of PayPal as a payment processor. Even though they are ultimately storing, processing and transmitting the cardholder data, as a merchant your business is the one accepting that information. Therefore, your online environment can have the ability to affect the security of the payment process/transaction.

The good news? Using a PCI-compliant third party service provider (PayPal, Auth.net, etc.) can limit your scope of compliance. And, if your e-commerce business accepts less than 300,000 card payments per year, then you can self-assess your compliance rather than hire a PCI QSA.


I hope that helps.
