PhilipW
Starting Member
USA
35 Posts |
Posted - 01/13/2025 : 12:55:44
I've been set on by VikingCloud, who Paypal says is handling the necessary PCI Data Compliance for those who take credit cards.
I only use Paypal with my store, so I never see credit cards. This is one of the primary reasons I use Paypal.
In my discussions with them, they are not budging on the need to scan my ecommerce templates site, I guess because they do not believe me. They call it "ASV scanning" and I have no idea what it is or if the ecommerce templates software will pass it.
They sent me to paypal to get them to withdraw the compliance need, but I haven't been able to get anybody at paypal to talk to me.
Is there anything on this at ecommerce templates that I can point VikingCloud to, that would explain that I don't have a way to see credit card data?
TIA.
|
dbdave
ECT Moderator
USA
10495 Posts |
Posted - 01/13/2025 : 14:20:01
|
PhilipW
Starting Member
USA
35 Posts |
Posted - 01/13/2025 : 14:42:05
Thanks. For what it's worth, I think it's a real thing.
Super-annoying that I can't figure out how to get paypal on the phone.
|
freewaytrailer
New Member
USA
67 Posts |
Posted - 01/13/2025 : 16:25:20
This is 100% legit, took me forever to find it when I had to go thru it. Here is the main link to PayPal's page regarding the PCI requirements and why.
https://www.paypal.com/us/brc/article/pci-dss-compliance-basics
In addition, you will see lower on the page (about halfway down) a text that says "Click below to learn more about how PayPal can help with PCI Compliance": first link for PayPal merchants, second link for Braintree merchants.
I don't use Braintree, so when I clicked the first link it took me to this link
https://www.paypal-trustcenter.com/?tcuUid=d6555b59-7a30-482c-9cc8-69f7ba36e4f7
which pretty much verified VikingCloud.
I should point out, there were no costs involved with this.
As always, I recommend you go thru the links yourselves and read, educate, and verify the links are from legitimate URL sources.
Edited by - freewaytrailer on 01/13/2025 16:26:32
|
pauld
Ecommerce Template Expert
USA
523 Posts |
Posted - 01/17/2025 : 14:20:49
The 'VikingCloud' emails seemed suspect because 1) PayPal constantly floods us with loan offers and other useless third-party spam, 2) those latest emails link to a secondary domain registered a year ago ('paypal-trustcenter.com'), suggesting PayPal doesn't care enough to integrate, and 3) unlike the painful TLS and SHA-256 overhauls of 2016, the 'VikingCloud' emails state no specific technical requirement or deadlines. We use the current PayPal Checkout v2 and we never store payment card data, so the PayPal PCI compliance page https://www.paypal.com/us/brc/article/pci-dss-compliance-basics mostly states basic requirements (antivirus, firewall, etc.) that any sane merchant would follow. The exceptions are requirements for frequent 'PEN' testing, and formal documentation of all policies, procedures, access logs, systems, and software. Having worked at larger companies that performed those tasks, this seems impractical for those of us not currently in the Fortune 500. Our support reps at webhost ServeLink did confirm that they're PCI compliant, and suggested that we visit that VikingCloud link for a look. However they also seemed to suggest that any third-party PEN testing and ongoing, formal documentation of every security procedure for outside review - at their organization or ours - would be very costly.
Edited by - pauld on 01/17/2025 14:39:51
|
freewaytrailer
New Member
USA
67 Posts |
Posted - 01/17/2025 : 15:16:24
We use Servelink as well, but we are required to have the documentation on hand if they ask for them. If you are only using PayPal checkout on their system, then download and have on hand their attestations. If you are using the card input on your webstore like we are, then you will also need to get ahold of Servelink and have them supply you a copy of theirs as well. Either way you are required to have them on hand.
Points 1 thru 11 are almost always on the host and processor side.
12. Document policies and procedures: Maintain updated documentation of all policies, procedures, access logs, systems, and software involved in these PCI DSS compliance requirements. A PCI audit or assessment, for example, will check for documentation such as employee manuals, policies and procedures, vendor agreements, and data security response plans.
Almost everyone using ECT will need this from their host and from their payment processor.
If you are accepting credit cards in store and use card machines, the same would apply for your network and the payment gateway. We just choose to handle all of the scanning and attestations ourselves as we do both and they are not tied together. But with just our webstore using (PayPal and Servelink) we just created the VikingCloud account and uploaded their attestations. But we have them on hand for inspections if ever requested.

|
pauld
Ecommerce Template Expert
USA
523 Posts |
Posted - 01/17/2025 : 15:46:27
1. When you mentioned that 'we are required to have the documentation on hand if they ask for them,' what organizations might ask? Has PayPal asked for this in the past?
2. It's hard to imagine a scenario where an attacker builds a tool to steal individual transactions' data from Ecommerce Templates shopping carts, and then breaches different merchants' office networks so that they can upload that malware to the various stores.
My impression is that it's far more likely for fraudsters to attack the webhost or payment processor.
True?
|
PhilipW
Starting Member
USA
35 Posts |
Posted - 01/18/2025 : 07:59:14
I believe all of this is directed at the company that actually sees credit cards. Either on their site or when using a terminal to capture the card data.
In my case, I never see the credit card or data from it. I don't physically see them, and all my card transactions are handed over to paypal by ect.
Try as I may, I can't find a way to talk to paypal about this, and it's a joke when their PCI documentation says to use the contact us link on paypal.com.
I've shelved it until paypal contacts me advising they can no longer work with my store. I'm hoping that grants me a way to talk to somebody.
|
pauld
Ecommerce Template Expert
USA
523 Posts |
Posted - 01/18/2025 : 08:24:33
Philip, we are 100% in agreement. In the past, whenever PayPal required that we take action the emails came from paypal@paypal.com, were deadly serious, and stated very explicit deadlines and actions. Below is one screen capture. Those 'VikingCloud' emails definitely smell like third-party vendor Spam. 
Edited by - pauld on 01/18/2025 09:06:20
|