PayPal Pro (ie card details taken on your site) or Hosted Paypal (ie the customer goes to Paypal's site)?

I suspect the former, in which case you can expect some comments to the effect that PPP is not PCI DSS compliant, in which case 3D/Maestro is the least of your problems.......

Search the forum for "PayPal Pro", "Cardinal Centinel" etc (use the Google powered site search, top right)

and this:

http://community.actinic.com/showthread.php?t=39542

for starters (and in particular Actinic's comments towards the end)

In summary, PPP is not PCI DSS compliant, Actinic do not recommend taking card details on the shop's own site (eg using PPP) and probably aren't racing to further its implementation by incorporating 3D.

Hi,

I'd appreciate a response to that also. All of a sudden we have lots of payments failing to be processed via PPP. VISA tell me that their debit card is a VISA Maestro and requires this 3d secure to be implemented.

Is this likely to be the cause of our problems?

Any help appreciated please ..

I think the upshot is that PPP has ceased to be an option for small/medium shops because of the PCI DSS issue, which I think applied from January 1st. This is not particularly an issue with Actinic, but is to do with small/medium merchants taking card details through their website (with the help of PPP in this case), which is effectively no longer acceptable unless you are willing/able to go through a complex process of PCI DSS compliance as a company.

Also, it appears you will not be able to implement 3D through PPP and Actinic, which for the moment will prevent you from accepting Maestro. In future this might prevent you from accepting Visa/MC too.

The general view seems to be that you should now move to a PSP that takes your customers' card details on their own website, having been passed from your website. This gets round both problems neatly. Hosted PayPal I think is an option here if you wish to stay with PayPal.

PS I am not Actinic support, the above is my view based on others' comments.

I would recommend not using PPP with Actinic. Use one of the other Paypal options instead.

Chris

Can I just say that Mark's post (#4) is the bext explanation of this complex issue I have ever seen. Everyone should book mark it for future ref.

So do I take it that you can no longer use Paypal as a merchant with Actinic.

So much for the Actinic / Paypal partnership.

Either that or one or both companies should get their a***s into gear and get this sorted before customers (us) walk. There are alternatives!!!!!

Macke

You can safely use Paypal but not PPP.

PCI compliance is a requirement of the merchant if you are capturing credit card details on your hosted website. If you read up well on PCI compliance you will see why it is almost impossible for a small or medium sized merchant to become PCI compliant regardless of Actinic or Paypal's intervention.

Alternatives are to continue using Paypal but not PPP and/or use an alternative PSP. Because credit card details are then captured on the PSP/Paypal server then you do not need to worry about PCI compliance at all.

There's no point in blaming Actinic or Paypal.

Very True, but I could never understand why Actinic bothered to intergrate PPP in the first place.

For small businesses it is never worth trying to get your own PCI compliance/server. For big business who process on their own server they arent going to use PPP. So where is the target market?

PayPal Pro PCI DSS

Thanks Jules

Paypal themselves point out the PCI DSS issue:

https://www.paypal.com/pcicompliance

In summary they are saying that to be compliant you need to use Web Payments Standard (what I have described as Hosted PayPal), or go through the steps presented in the bullet points, which are onerous to say the least:

* Build and maintain a secure network to protect payment card information
* Maintain a vulnerability management program
* Implement strong access control measures
* Regularly monitor and test networks
* Pass quarterly remove vulnerability scans
* And more …

If you are not compliant and card details are "stolen" by someone hacking into your office network or website, you risk facing significant fines (I think £25,000 per incident has been mentioned before).

There are no altrnatives.........

As has been stated on numerous occasions over the last couple of years (and even in this thread) Paypal is fine with Actinic sites, Paypal Pro is not - I don't really see too much of an issue....

So what is PPP? Is it Paypal Website Payments Pro?

Can I just take that off and set it up with Paypal only?

What difference will the consumer see?

Will I then be able to take Maestro payments?

This is all beyond me. All I want to do is sell, not sit around reading about PCI compliance etc.

macke

Unfortunately, as a seller, you need to be aware of these standards, just like you need to know that you have to pay tax each year.

Most/many sellers have PayPal (not pro) as a secondary PSP and use Actinic Payments, Sage Pay, etc to process credit cards.

There's nothing wrong with running a business with your head in the sand, you just have to make sure you don't moan when things hit the fan, that's all.

Sorry, joined this post a bit late, in fact joined the whole PCI compliance issue a bit late by the sound of it.

We still use PPP integrated on our site so buyers put the details in on our site and don't get taken away to a third party PSP (which is how I prefer it). We don't collect card details, they are just transferred securely (I assume encrypted as the checkout process is hosted on a secure server) to Paypal Pro who then process the card details, collect the money and return a confirmation. We never see or store the card details.

Now Paypal itself is PCI compliant, so am I right in saying that it is just us collecting and sending the data to Paypal that is not compliant? (and to get compliance for that is not easy).

If this is correct then am I right in saying that no one who hasn't undertaken the rigourous compliance process can collect card data on their site anymore?

If this is correct (which I hope it is, otherwise the last 4 hours have been a waster of time) then this is not a PayPal Pro issue at all, it's an issue for all users who have integrated the payment processing area on their own site, rather than re-directing to a third party. Or is the issue with PPP that this is the only provider that gives this functionality?

Sorry for numerous questionlike statements, please correct me or insult me where appropriate. I haven't had my head in the sand, I've simply never come across this issue before, I only came across it now because we wanted to implement 3D secure.