Is my org responsible for PCI Compliance in this case

Artist_Ann
Contributor

Our organization requested a developer to implement a PayPal solution for memberships/renewal, and he refused based on PCI compliance issues.  It is my understanding that our non-profit would not be responsible for PCI Compliance if we use the method that clicks through to PayPal to complete the transaction.  Am I incorrect in this assumption?

 

I do not see any recent community info on PCI Compliance either.  A solution from 2011 listed here has links that are understandably no longer valid.  6 years is an eternity on the internet.

 

Thank you in advance for any insight you can provide.

 

Ann

 

PS- Sorry, this Q should perhaps be in Business, but I cannot see how to move it to the appropriate category.

 


DPCreations
Frequent Advisor

Being a non-profit has nothing to do with PCI compliance.  Any business (even a non-profit) which handles customer credit card data would need to be in compliance.  You should contact PayPal customer service and talk to development specialists for an answer.  If you do not manage customer credit card data, then you likely don't need to comply.  My guess is that your developer is correct, as the developer seems to understand the PCI DSS standards.

 

PayPal has the merchant account and regular PayPal members only use PayPal's service, so no PCI compliance is required.  But the compliance issue may be different when you are developing your own application and integrating it into PayPal's system.

 

You could search PCI Data Security Standards for more information.  


Artist_Ann
Contributor

Thank you DPCreations,

I only mentioned our non-profit status as background information to indicate that this inquiry is for an organization and not an individual.  Our organization has a non-profit account with PayPal.  

 

I do not plan to "integrate" PayPal into our account.  What I plan is what every other one of my membership art associations has done, which is to continue on to PayPal once the renewing or new member indicates they wish to pay.  I do NOT want any access to credit card information; I only want the name and contact information of the payer to update the organization membership database.


DPCreations
Frequent Advisor

How is your developer involved in the integration?

Exactly how will credit card data be added, and where will it be stored?


Artist_Ann
Contributor

The original developer quit after implementing the Stripe Checkout solution.

I am now the developer.

The short answer is "not on our website".  How does PayPal handle any transaction?  

Here is an example of how one of our peer organizations is using PayPal.  I doubt they are worrying about PCI Compliance.  My question is, should they be?

http://www.calistogaartcenter.org/memberships/


DPCreations
Frequent Advisor

Using the PayPal donate button should not be a problem as it takes the customer to the PayPal website.

 

You should discuss the issue with the organisation's compliance officer.

 

You could also research PCI DSS to learn the requirements so you can help educate the organization.

 

Since I have a merchant account with FirstData, I need to go through the certification process each year; the cost is about $65 and First Data requires it.  We do not store any customer credit card information, but we still need the certification.

 

It's not a simple issue.

 


Artist_Ann
Contributor

Thank you, 

I understand that it is not a simple issue.  Some reading I've done points to up to 260 sub-requirements necessary to be in total compliance.  

 

That is good information about your account with FirstData. I wonder what that certification actually guarantees, since there are citations on the internet that companies supposedly "in compliance" have been fined anyway, even where no data breach can be verified to have occurred.  Do you think they would back you in the case of a CC data breach?

 

It's also a concern that I could not find any recent q's on this in the PayPal community.


DPCreations
Frequent Advisor

Since PayPal is the merchant, simple members do not need any certification, so there are no general discussions.

 

With FirstData, non-compliance means higher transaction fees.  With my FirstData account I use their device for POS card use and the process does not go through my computer system.  I'm using the FirstData device online.  With that setup, the certification is just a lengthy questionnaire and statement of compliance.  It's the lowest level.

If I were using my own computer system and the credit card data went through the computer, then compliance would be much more stringent as the equipment would also have to be certified.

Part of the certification is the understanding of what data can be stored, or not stored, on paper.  We cannot store customer credit card data on paper, in general.  The area must also be secured.

 

You can actually find some certification requirements and questionnaires online.  I think there are some on the main PCI DSS standards site, but I don't remember where it is.
