Explain it to me like I'm 5... Paypal pro requirements

Discussion in 'Payments processing' started by playpianoking, Oct 20, 2012.

  1. playpianoking

    playpianoking Member

    Joined:
    Dec 7, 2011
    Messages:
    67
    Here's the deal, I love aMember, but the only downfall right now for me is the lack of ability to accept credit cards directly on my site, without having to take risk and become PCI compliant. Paypal standard is a joke and is not for serious membership sites, as you lose all of the potential customers who don't feel like signing up for a paypal account, which they must have if you plan on having recurring billing.

    aMember's competitor digital access pass claims to have paypal pro working with their in-house shopping cart and the only requirement for the website owner is to have SSL installed on the checkout page.

    So is anyone seriously using paypal pro with amember without using a 3rd party shopping cart that takes the user off-site? If so, what are the requirements you had to go through, and how difficult/costly was it?
  2. mporter9

    mporter9 Member

    Joined:
    Aug 25, 2012
    Messages:
    83
    I'm very interested in all of this as well so hopefully we'll get some good responses. Right now I am using Stripe to accept my membership payments and when you go to the stripe plugin's page inside the admin panel it displays the same "compliance/security" message(which I pasted below) that Paypal Pro does.

    It worries me because I know you can obviously get away with processing payments, but still I'm trying to run a legitimate business here. What happens when I ramp up volume and Stripe shuts me off because amember isn't fully compliant?

    In the error message amember clearly says "We will start certification process once we get 4.2.0 branch released and stable" and we are already ob version 4.2.11

    Hopefully the amember team can get this finished soon because it would make me feel a lot better about the stability of my membership site.

    PS. Here's the full error message you get:

    "WARNING! Every application processing credit card information, must be certified as PA-DSS compliant, and every website processing credit cards must be certified as PCI-DSS compliant.
    aMember Pro is not yet certified as PA-DSS compliant. We will start certification process once we get 4.2.0 branch released and stable. This plugins is provided solely for TESTING purproses Use it for anything else but testing at your own risk."
  3. playpianoking

    playpianoking Member

    Joined:
    Dec 7, 2011
    Messages:
    67
    I didn't know amember had a stripe plugin. Is this only in the newest amember version? Would you prefer paypal pro over stripe though?

    Meanwhile, yes I'd still like answers about if anyone is using paypal pro on-site. :)
  4. mporter9

    mporter9 Member

    Joined:
    Aug 25, 2012
    Messages:
    83
    Search here on the forums and you will find the stripe plugin.

    And I would prefer to collect payments via snail mail instead of paypal. Paypal is notorious for freezing funds and lots of other fun BS that can kill your business.
  5. playpianoking

    playpianoking Member

    Joined:
    Dec 7, 2011
    Messages:
    67
    Do you have SSL installed on your site? That's a definite need, but I'm with you in not understanding what the deal is when it comes to the other compliance needs. But thus far, you've been accepting stripe recurring payments successfully? I may look into this.
  6. mporter9

    mporter9 Member

    Joined:
    Aug 25, 2012
    Messages:
    83
    Yes I have SSL installed on all payment and login pages.

    I think the whole deal with compliance is that it can be very frustrating, time consuming, and confusing when it comes to getting something 100% compliant.

    And no, I have not done any recurring payments with Stripe. I have only done one time sales.
  7. alex

    alex Administrator Staff Member

    Joined:
    Jan 24, 2004
    Messages:
    6,020
    SSL in fact is only 10% of compliance. SSL only protects channel from customer to your website, so no-one can intercept customer's credit card info. How do you think, will ISP between your client and your webserver do it? I cannot believe that they will!

    There is another side of problem. One can hack your website, read all submitted credit cards and resend it somewhere. Or steal saved credit card details if that is stored. It may be even not your website hacked if you are on shared webhosting, hackers will anyway get chance to access secure data.

    So PCI comliance is a complex process, and its goal is to assure you have enough competence and applied enough efforts to make your webserver unbreakable, and un-hackable. From my point of view, no sites on shared webhosting can pass the PCI certification, and PCI certification is not for small websites at all.

    P.S. Another attack vector is virus on customers PC stealing credit card details they enter on websites, but hopefully it is not our problem to deal with! :)
  8. mporter9

    mporter9 Member

    Joined:
    Aug 25, 2012
    Messages:
    83
    Alex,

    Any idea when the Stripe and PayPal plugins will be fully compliant?
  9. playpianoking

    playpianoking Member

    Joined:
    Dec 7, 2011
    Messages:
    67
    So realistically then Alex, is anyone on aMember using paypal pro correctly and legitimately? I've setup everything successfully (I think) and did a test sign-up and it goes to my https:// secure checkout and I entered my cc details and it worked. So what else is there to compliance since paypal pro is storing the cc details for re-bill and not me? Since I'll have ~2,000 transactions a year, I think the only thing I'm supposed to do is a simple self-assessment questionnaire, right?
  10. thehpmc

    thehpmc Member

    Joined:
    Aug 24, 2006
    Messages:
    901
    Not if you are intending to store card information on your site which your various posts seem to indicate.
  11. mporter9

    mporter9 Member

    Joined:
    Aug 25, 2012
    Messages:
    83
    From what I understand there is a lot more to it. I've read stories about people passing that should have NEVER passed and then also people who have to jump through all of these hoops when they should be fine. I think it all just depends on who is verifying you and your site etc. Search online I'm sure you'll find some tips on how to better prepare yourself.

    I won't be storing CC's so I'm really not that worried and I probably won't do anything about it unless my merchant account bitches or something else major happens.
  12. playpianoking

    playpianoking Member

    Joined:
    Dec 7, 2011
    Messages:
    67
    I am not intending to store cc info on my site. My site has SSL and when payment details go through, it goes straight to paypal pro, and they store the info for future re-billing - not me.

    With that said, am I a little closer to compliance?

Share This Page