Everybody knows that PCI only applies to card transactions on the five major card brands (Amex, Discover, JCB, MasterCard, and Visa), right? Well, maybe not. There might be situations where a PayPal transaction could be included in your PCI scope. Read on to see what I mean.
Many (although not all) PayPal accounts link back to an underlying payment card. Therefore, the PayPal transaction in many cases will trigger a transaction on the underlying Visa, MasterCard, or whatever. This situation looks to me a lot like a "high-value token" as defined by the PCI Council in their Tokenization Guidance document. Specifically, a high-value token is one that "could potentially be 'monetized' or used to generate fraudulent transactions." That definition sure sounds like a PayPal transaction to me.
The Council's guidance goes on to suggest that tokens "that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data."
Combining these two thoughts -- that PayPal transactions might be considered high-value tokens, and that high-value tokens are in scope for PCI -- leads me to ask the question: When are PayPal transactions in scope?
How will this affect your campus? I don't know. Right now, I'm mainly posing the question and I'd appreciate any feedback. There are some good comments on my column (be sure to read those, too) that generally support the concept that these transactions might be in scope.
If you have campus merchants that take PayPal, you might want to give this idea a thought when you consider your PCI scoping and compliance validation. You also should include it in your PCI training for campus merchants.