I currently manage a few of my client's websites on a couple of shared hosting providers, "A2Hosting" and "Interserver". My client wants to make a simple webstore and accept payments from said webstore. I was going to implement this by passing off the transaction to PayPal, letting them handle the entire checkout part and all credit card information.

Will this be PCI Compliant (SAQ-A I hope) on my end? I currently have the website SSL locked down with "Let's Encrypt". I will be storing no user payment information in the databases and will not be touching any payment information on my server (handing it off to PayPal entirely).

Do I have to file anything for this? Or will simply attaining an AoC from PayPal be enough to cover this?

Glorfindel
JJWillMC

1 Answer

At a minimum you would need to fill out the SAQ A or SAQ A-EP. PayPal appears to have a partnership with a QSA, SecurityMetrics, and also covers the cost:

How do I complete a Self-Assessment Questionnaire (SAQ) to validate PCI compliance for my PayPal powered by Braintree account?

If you accept cards, however, there is no way to escape some amount of PCI compliance, and SAQ A/A-EP are the lightest.

gowenfawr
  • I will work with PayPal on getting that form filled out. Sounds like I should be able to become PCI compliant even with a shared hosting provider, as long as I fill out this form for SAQ-A (or A-EP). – JJWillMC Jun 03 '19 at 18:28