We often get asked whether we support PayPal Pro with Your Members. The short answer is that we don't, because doing so could cost our customers large fines and worse. That is a scary statement which immediately sets alarm bells ringing for customers and potential customers, some of whom use other WordPress membership plugins that do support it. In this article we will guide you through why using direct card gateways such as PayPal Pro can be expensive and why, if done incorrectly, you as the merchant are liable for substantial fines.
If you are using the built-in payment systems within Your Members, including PayPal Pro Hosted, then the following does not apply; for more details see Your Members and PCI-DSS Compliance.
If you handle card payments you are expected to do so in a secure manner. What that means has been defined in a specification called PCI-DSS, created by the card issuers (Mastercard, Visa, Amex etc.). The spec covers everything from business practices through to the security of your network, your site and the transmission of card data. PCI-DSS compliance can be an arduous process, especially for small non-technical businesses, and while well-written software like Your Members can help with compliance, simply using it, or an SSL certificate, does not make you compliant.
Points of failure in compliance
There are several areas where a Your Members customer may find they fail compliance, including:
- Their current hosting setup
- WordPress out the box & associated plugins
- SSL certificates and data security practices
- Their payment gateway provider*
- Their own business practices
*Your Members only ships with hosted gateways from providers with PCI-DSS Level 1 certification, so this only applies if you add your own gateways.
The two usual points of failure are WordPress itself and the hosting provider. It is worth noting that, while very secure, WordPress was never designed to accept and store card details; it has never been designed with PCI-DSS or indeed any sort of security specification in mind. Out of the box WordPress is likely to fail the required PCI-DSS security scan, and it also falls foul of good security practice by not offering a separate security patch cycle. Security patches are included in general release versions, so the only way to get a security patch is either to patch it yourself line by line or to update to the latest, untested version, which may itself be insecure. There are several very good articles on hardening WordPress, securing the admin area and serving specific pages on the site over SSL. It is not impossible to secure WordPress to meet PCI-DSS standards, but it is something only a competent system administrator with experience in security should do.

In addition to the site itself, your hosting provider's hardware and services must allow you to be compliant. When picking a host, make sure their infrastructure is suitable for compliance: less scrupulous hosting companies will often (rightly) declare that they are PCI-DSS Level 1 compliant, which they as a business may be, but that does not mean the hosting infrastructure they provide to you is. If they themselves are not hosting card data on that infrastructure, it may never have been tested.
So why don’t we support PayPal Pro?
Most people are unaware of the requirements and consequences. Breaches of credit or debit card data are taken very seriously, and the card issuers pass heavy fines down to the banks of merchants who suffer them. The bank will in turn pass the fine directly on to the merchant, and the same is true for PayPal.
As a company we try to educate customers about their responsibilities, but it is inevitable that some will ignore advice. So, while we are covered legally for such circumstances, we have to assume that if we allowed direct gateways a percentage of users would make mistakes, which could result in legal issues for them, and they would attempt to drag us in. The issue then becomes one of economics as much as security; for more information see our previous blog post on Direct Card Processing.
The good news is that Your Members does support PayPal Pro Hosted, which is currently available in the UK and soon to be available in the US as well. PayPal Pro Hosted works in a similar manner to PayPal Standard Payments but with one major difference: instead of sending the user to PayPal.com, you can create an iframe. This allows the credit card form to appear to be on your site, and means users can complete the payment flow without ever apparently leaving the site.
PayPal Pro Hosted still requires the payment form pages to be secured under SSL, but it vastly reduces the PCI-DSS compliance requirements, meaning that other than getting SSL set up it is just like using any of the other Your Members payment gateways.
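As an added illustration (not code from Your Members or PayPal) of the distinction drawn above: a small scanner that inspects a checkout page's HTML and reports whether a card number would be typed into a form that posts to your own server (the direct model, which pulls the site, its plugins and its hosting into PCI-DSS scope) or into an iframe served by the gateway (the hosted model). The hosted-page hostname, the card field names and the sample pages are constructed assumptions you would replace with your gateway's documented values.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder host for the gateway's hosted payment page (assumption).
HOSTED_PSP_HOSTS = {"hosted-payments.example.com"}
# Common card-number field names (assumption, not from the post).
CARD_FIELDS = {"cardnumber", "card_number", "ccnumber", "cc_number", "pan"}

class CheckoutScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_actions = []  # stack of <form action> values for open forms
        self.findings = []      # (kind, detail) tuples

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "iframe":
            # Hosted model: the card form is served from the PSP's origin.
            host = urlparse(a.get("src") or "").hostname
            if host in HOSTED_PSP_HOSTS:
                self.findings.append(("hosted_iframe", host))
        elif tag == "input" and self.form_actions:
            name = (a.get("name") or a.get("id") or "").lower()
            if name in CARD_FIELDS or a.get("autocomplete") == "cc-number":
                action = self.form_actions[-1]
                # Own-origin action means the PAN reaches your server (direct model).
                kind = ("card_field_posted_to_psp" if urlparse(action).hostname
                        in HOSTED_PSP_HOSTS else "card_field_on_own_origin")
                self.findings.append((kind, action))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_actions:
            self.form_actions.pop()

def classify_checkout(html):
    """Return ('in_scope_direct' | 'hosted' | 'no_card_entry', findings)."""
    scanner = CheckoutScanner()
    scanner.feed(html)
    kinds = {kind for kind, _ in scanner.findings}
    if "card_field_on_own_origin" in kinds:
        return "in_scope_direct", scanner.findings
    return ("hosted" if kinds else "no_card_entry"), scanner.findings

# Constructed sample pages for the two models the post contrasts.
DIRECT_HTML = '<form action="/wp-admin/admin-ajax.php" method="post"><input name="cardnumber"><input name="cvv"></form>'
HOSTED_HTML = ('<form action="/join"><input name="email"></form>'
               '<iframe src="https://hosted-payments.example.com/pay?t=1"></iframe>')
```

Run it over your own checkout template: any `card_field_on_own_origin` finding is a form that a hosted gateway would not need.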
Using PayPal Pro or other Direct Payment Gateway
For those for whom Pro Hosted is not an option, Coding Futures, the makers of Your Members, can help in working towards PCI-DSS compliance for your site and business, allowing other non-hosted gateways to be used. This can only be done on a case by case basis; contact Glenn for a quote at email@example.com