The PayPal Problem: Will It Impact Retailers’ PCI Scope?

Written by Walter Conway
January 23rd, 2012

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Everyone understands that PCI DSS applies to payment transactions for the five major card brands: American Express, Discover, JCB, MasterCard and Visa. PayPal transactions, therefore, would not normally be considered to be in scope for PCI. Recent pilot programs by at least one major retailer and an announcement by a POS device vendor, however, have me questioning the conclusion that PayPal transactions will remain out of PCI scope.

The first question is, if a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? The follow-up question is, if the PayPal account is in scope, is it necessarily a big deal?

I read the recent StorefrontBacktalk piece about Home Depot letting shoppers pay in-store using PayPal: “On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.”

Separately, I saw where Ingenico launched a new PayPal offering. It enables PayPal users to make retail purchases (using Ingenico terminals, of course) by swiping their PayPal payment cards or entering the mobile phone number and PayPal PIN. Because many (although not all) PayPal accounts are tied to an underlying payment card, which is in scope for PCI, and because using such a PayPal account ultimately triggers a payment-card transaction, would PayPal in this case fit the PCI Council’s definition of a high-value token?

A high-value token is a new concept the PCI Council introduced and defined in its PCI DSS Tokenization Guidelines. Specifically, the Council defines a high-value token as one that “could potentially be ‘monetized’ or used to generate fraudulent transactions.” The guidance goes on to say: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data.”

PayPal accounts were not designed to be tokens. However, because a stolen or compromised PayPal account could be used to generate fraudulent transactions, that PayPal account appears to act like not just any old token but a high-value token. The PCI Council states that high-value tokens may be in scope for PCI and, at the least, they require “additional controls in place to detect and prevent attempted fraudulent activities.”

Let’s move on to the second question. If a retailer (or its acquirer or QSA) considers PayPal accounts to be high-value tokens, does it matter? For many merchants, the PayPal transactions will use the same devices, networks and procedures that are already in scope for PCI.

Therefore, there might be no significant impact of PayPal acceptance for a retailer with a PCI-compliant POS system. Things might get complicated when the merchant stores the cardholder data, in which case the PayPal account information may expand the scope of data to be protected.

I only have the questions right now. I’d like to hear what you—retailers, acquirers, processors, QSAs—think. Do you have any experience that can help shed some light on this topic? Either leave a comment or E-mail me at


7 Comments | Read The PayPal Problem: Will It Impact Retailers’ PCI Scope?

  1. Emma Jenkins Says:

    Walt, I think your closing paras are the most relevant – for the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as “regular” CHD, there will be no change in scope.

    Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn’t arduous because they are doing it right now. (Or should be.)


  2. Steve Gurney Says:

    This is the problem with the notion of the high value token wording in September’s guidelines. As you rightly point out an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token.

    Which leaves the PIN. It’s fair to consider this a high value token and therefore PayPal would be in scope. So methods like end to end encryption, tokenisation will be inevitable everywhere if Merchants want to minimise the impact of PCI compliance as solutions like PayPal are unlikely to.

  3. Philip Cohen Says:

    Being an extremely vocal critic of the “clunky” PayPal I will simply observe that, with respect to online transactions, PayPal effectively does no more than Visa is offering to do with its announced new online gateway, The real question is which of these two (or any others) would you happily trust to hold your personal banking and credit card details (including PIN), bearing in mind that Visa/MasterCard already have access to these details for their POS operations? Which then begs the question that I have not yet heard answered. Will Visa be including in their system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway?

  4. Rob Sadowski Says:

    The PayPal user information is much more “high value” because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant.

    A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant to be used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data has been previously received by that merchant.

    Implemented properly, tokens retain their “high value” to the merchant but not to a fraudulent actor.

  5. Walt Conway Says:

    Thanks to all for the great comments!

    Emma, we both agree that merchants should protect PayPal data with the same rigor that they protect cardholder data for PCI. Let’s hope everyone does. Especially given the later comments.

    Steve and Rob, your insights into the parallels with tokenization should have every merchant thinking. In particular, Rob’s points out that a PayPal “token” can be used at multiple merchants where a “regular” token could be used only at one merchant. That aspect/risk had escaped me. Thanks for the insight, and for reinforcing that whether or not PayPal is officially in PCI scope, merchants should be advised to protect the PayPal account, PIN, and other data as though they were subject to PCI.

    And that advice goes for whether your QSA tells you to do it or not.

  6. Richard Haag Says:

    @pcohen, I am not sure I have understood statement regarding PINs correctly, but in general, Visa and MasterCard do not “have your pin”, the issuing entity(Bank) does. Also a big difference with PINs(at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device(ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case(which you did) regarding an online transaction w/ a password.

  7. Jay Gould Says:

    PayPal’s plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts.

    On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That’s unnecessary and excessive. I would never give my cell phone number to a merchant (or PayPal) to protect myself against spam, whatever assurances to the contrary they may give me. And I’m far from alone.

    Still, given the amazing deal that retailers get out of it, I like PayPal’s chances.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.