Posted - 12/22/2025 : 09:33:19
There are several previous threads - and some apparent confusion - about PCI requirements and the need for expensive, ongoing third-party penetration testing for stores that use the PayPal Advanced Checkout option in the cart’s PayPal Settings.
I am very skeptical of the recurring "VikingCloud" emails with the subject "Your PCI compliance status requires attention". These read like PayPal partner spam intended to extract recurring fees from merchants, rather than legitimate compliance notices.
PayPal’s current documentation ([url]https://developer.paypal.com/studio/checkout/advanced[/url]) uses the term "Advanced Checkout" in the URL, while the page itself refers to "PayPal Expanded Checkout".
That page says:
"PayPal Card Fields is a PCI DSS service provider. Use the Card Fields integration to comply with PCI compliance when collecting card information from buyers."
So my questions are:
1 - Is the "PayPal Expanded Checkout" described on that page the integration currently used by the latest PayPal implementation in ECT?
2 - If so, doesn’t PayPal’s documentation indicate that PCI exposure for the store owner should be minimal, and effectively handled by PayPal?
I am trying to reconcile PayPal’s published guidance with those persistent "VikingCloud" emails I have ignored so far, which claim that recurring PCI audits and expensive third-party scanning are required.
Edited by - pauld on 12/22/2025 10:07:20
|