Saturday, January 28, 2012

Is PayPal in Scope for PCI...Maybe!

Everybody knows that PCI only applies to card transactions on the five major card brands (Amex, Discover, JCB, MasterCard, and Visa), right? Well, maybe not. There might be situations where PayPal transactions could be included in your PCI scope. Read on to see what I mean.

Many (although not all) PayPal accounts link back to an underlying payment card. Therefore, the PayPal transaction in many cases will trigger a transaction on the underlying Visa, MasterCard, or whatever. This situation looks to me a lot like a "high-value token" as defined by the PCI Council in their Tokenization Guidance document. Specifically, a high-value token is one that "could potentially be 'monetized' or used to generate fraudulent transactions." That definition sure sounds like a PayPal transaction to me.

The Council's guidance goes on to suggest that tokens "that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data."

Combining these two thoughts -- that PayPal transactions might be considered high-value tokens, and that high-value tokens are in scope for PCI -- leads me to ask the question: When are PayPal transactions in scope?

I explored this topic in more detail in my regular column at StorefrontBacktalk, looking at the circumstances under which I, as a QSA, might consider PayPal transactions to be in scope for PCI. Like all my columns at StorefrontBacktalk, this one is free, so you can click here to have a look (at least for the week or so after it is published). You might also want to read a follow-up column with more details on the Home Depot pilot program.

How will this affect your campus? I don't know. Right now, I'm mainly posing the question and I'd appreciate any feedback. There are some good comments on my column (be sure to read those, too) that generally support the concept that these transactions might be in scope.

If you have campus merchants that take PayPal, you might want to give this idea a thought when you consider your PCI scoping and compliance validation. You also should include it in your PCI training for campus merchants.
