PayPal Pro Hosted Solution
    We currently, and for many years, use SagePay solely, on our websites, and on SagePay have various payment options including PayPal, and use Global Payments (HSBC) to receive the money and pay their fees. Our fees for SagePay and Global Payments seem reasonable, but PayPal is much more expensive. PayPal have approached us to get us to change to using PayPal Pro Hosted Solution (with Express Checkout option) instead of SagePay and Global Payments, which will reduce the PayPal fees significantly. We have PCI compliance based on not capturing/handling/accessing/storing anybody's payment details anywhere.

    However, with this solution the customer would appear to input their card details on our website (if not selecting PayPal). This would mean that our current compliance will be wrong, and we would need to have our website, computers and office systems audited annually, which I believe can be very expensive, more than the savings of changing to this solution.

    Does anybody have any opinions and/or knowledge about this?

    Sarah

    #2
    You're right to worry about the PCI compliance. To quote the paypal pro website:

    If you use Pro API it means that you handle card data directly on your website, so you will need to ensure you are PCI compliant. We can support you through this process if you’d like us to.

    If you’d rather ease the PCI compliance process, we’re happy to host your checkout instead. You will still get Pro, but with our hosted solution. You can choose when you’re integrating Pro.
    The daft thing is I had an Actinic salesperson calling me yesterday who tried to sell me PayPal Pro and didn't understand this, insisted I'd be able to take payments without the customer leaving my site and that this would be PCI compliant.

    Anyway, you could use PayPal Pro but using their hosted solution, in which case it's just like any other PSP. Personally, I'd recommend using PayPal Standard together with another PSP. That way you always give customers an option and have an alternative method that works should one start giving you problems.

    Mike
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------

      #3
      It is PCI Compliant

      I have had a conversation with PayPal and have been assured that it is 100% compliant and my current certification does not need to change. They use an iframe; the customer will think that they are on our website, but the part where they enter their card details is actually a window onto the PayPal site, for which they are compliant. I will need to SSL the Checkout, which I was thinking of doing anyway to help with Google ranking.

      However, has anybody had experience of using PayPal Pro Hosted Solution, and have any feedback?

      Sarah

        #4
        Reply to Mike

        Your reply came through while I was doing mine to myself.

        It is the Hosted Solution I am talking about (see thread subject). It is compliant, being a window on our site to the PayPal site.

        The very big advantage of changing to this is the reduction in the PayPal fees. They are yet to give a final quote, but it looks like a significant reduction. The fees for credit and debit cards will be about the same as present, but the PayPal fees will be much less, so overall much less.

        When SagePay have had a problem where customers cannot pay, which is rare, I have temporarily (can't spell) changed our Checkout to ordinary PayPal as better than nothing. The number of times that we have had to do this are very few, and brief, so not worth worrying about. We should still be able to do this if necessary.

        Sarah

          #5
          "the PayPal fees will be much less,"
          Presumably only because at the moment you're paying both the PSP and PayPal fees for PayPal transactions.

          If you just offered customers the option of using PayPal Standard then I assume the cost would be the same.

          As a customer I feel much happier to be transferred to a PSP for entering card details. I have a natural distrust for businesses that want to take the card details on their own website.

          Regarding PCI compliance with iframes you should read section 3.4.3 of this

          https://www.pcisecuritystandards.org...Guidelines.pdf

          I can't copy and paste from this but, in a nutshell, it says these shared implementations do not allow you to outsource PCI DSS responsibility and recommends you implement applicable PCI DSS controls to ensure the security of the website.

          From what I understand, it's saying that an iframe of a compliant page alone isn't sufficient to ensure PCI compliance and therefore you have to have the controls and procedures in place to make sure the end result is still compliant.

          Mike
          -----------------------------------------

          First Tackle - Fly Fishing and Game Angling

          -----------------------------------------

            #6
            Is Cheaper

            Hi Mike. Thanks for replying. The quote from PayPal (not yet finalised) is much less than I am paying at present on PayPal, separate from the 10p a transaction I am paying on SagePay. I have considered it worth the 10p to have the extra security and Third Man checks. If changing to PayPal as the PSP, there will still be Third Man checks. From what I can understand from the document that you linked to (thank you), it is more of a problem if the iframe involves an additional third party, which it will not, and that my current PCI SAQ A is still valid, as long as I take certain precautions. PayPal have advised that I use SSL for that part of the website, which is probably at least part of the precautions. Also, with Sellerdeck, we upload the website many times per day, which I imagine helps, as it would overwrite anybody hacking our site.

            Has anybody had experience of using this PayPal Pro Hosted Solution and PCI compliance?

            Sarah
