The PayPal Problem: Will It Impact Retailers’ PCI Scope?

Written by Walter Conway
January 23rd, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Everyone understands that PCI DSS applies to payment transactions for the five major card brands: American Express, Discover, JCB, MasterCard and Visa. PayPal transactions, therefore, would not normally be considered to be in scope for PCI. Recent pilot programs by at least one major retailer and an announcement by a POS device vendor, however, have me questioning the conclusion that PayPal transactions will remain out of PCI scope.

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the recent StorefrontBacktalk piece about Home Depot letting shoppers pay in-store using PayPal: “On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

I only have the questions right now. I’d like to hear what you—retailers, acquirers, processors, QSAs—think. Do you have any experience that can help shed some light on this topic? Either leave a comment or E-mail me at


7 Comments | Read The PayPal Problem: Will It Impact Retailers’ PCI Scope?

  1. Emma Jenkins Says:

    Walt, I think your closing paras are the most relevant – for the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as “regular” CHD, there will be no change in scope.

    Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn’t arduous because they are doing it right now. (Or should be.)


  2. Steve Gurney Says:

    This is the problem with the notion of the high value token wording in September’s guidelines. As you rightly point out an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token.

    Which leaves the PIN. It’s fair to consider this a high value token and therefore PayPal would be in scope. So methods like end to end encryption, tokenisation will be inevitable everywhere if Merchants want to minimise the impact of PCI compliance as solutions like PayPal are unlikely to.

  3. Philip Cohen Says:

    Being an extremely vocal critic of the “clunky” PayPal I will simply observe that, with respect to online transactions, PayPal effectively does no more than Visa is offering to do with its announced new online gateway, The real question is which of these two (or any others) would you happily trust to hold your personal banking and credit card details (including PIN), bearing in mind that Visa/MasterCard already have access to these details for their POS operations? Which then begs the question that I have not yet heard answered. Will Visa be including in their system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway?

  4. Rob Sadowski Says:

    The PayPal user information is much more “high value” because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant.

    A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant to be used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data has been previously received by that merchant.

    Implemented properly, tokens retain their “high value” to the merchant but not to a fraudulent actor.

  5. Walt Conway Says:

    Thanks to all for the great comments!

    Emma, we both agree that merchants should protect PayPal data with the same rigor that they protect cardholder data for PCI. Let’s hope everyone does. Especially given the later comments.

    Steve and Rob, your insights into the parallels with tokenization should have every merchant thinking. In particular, Rob’s points out that a PayPal “token” can be used at multiple merchants where a “regular” token could be used only at one merchant. That aspect/risk had escaped me. Thanks for the insight, and for reinforcing that whether or not PayPal is officially in PCI scope, merchants should be advised to protect the PayPal account, PIN, and other data as though they were subject to PCI.

    And that advice goes for whether your QSA tells you to do it or not.

  6. Richard Haag Says:

    @pcohen, I am not sure I have understood statement regarding PINs correctly, but in general, Visa and MasterCard do not “have your pin”, the issuing entity(Bank) does. Also a big difference with PINs(at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device(ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case(which you did) regarding an online transaction w/ a password.

  7. Jay Gould Says:

    PayPal’s plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts.

    On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That’s unnecessary and excessive. I would never give my cell phone number to a merchant (or PayPal) to protect myself against spam, whatever assurances to the contrary they may give me. And I’m far from alone.

    Still, given the amazing deal that retailers get out of it, I like PayPal’s chances.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 17,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.