Your third-party card processor (PayPal, etc.) may require you to pass a quarterly PCI scan. Your Magento CE will have no problems (unless you’ve made modifications that are picked up by the scan). This is up to the third-party processor, and you would want to check with each of them to see if it is something they require.
This scan will also scan the hosting server that you are on for problems. You may need to work with your hosting provider to resolve those issues.
Lastly, you may or may not be required to fill out SAQ A (Self-Assessment Questionnaire). Here’s the document:
If it’s a redirect to a hosted payment page with a gateway (customer enters card details onto Google Checkout’s secure pages for instance) then you need not worry.
All of the gateways you mention offer this; however, I know PayPal (Pro) also has an API version where your server accepts the card details, then fires them off to PayPal to be processed, keeping your customer on your site all the way through for a more seamless process where customer journey and checkout flow are concerned.
If they are all hosted, then so long as your business trades solely online, never coming into contact with card details (more crucially, storing them, no matter for how short a time), you are technically out of the scope of PCI. It can’t apply if you don’t touch card details.
Of course, if you accept MOTO orders or process card details manually within the business, then unfortunately PCI is nowhere near as simple as the above… the more you process (the more card details you ‘touch’), the higher the level of certification you need… and it’s not cheap to jump through those hoops and get certified.
It’s all worth mentioning as many ecommerce software providers are finding their users absorbing huge costs to certify to a level which is often too high, often through misinterpretation. There’s an article here which simplifies PCI compliance a little where ecommerce businesses are concerned.
Migla and others looking into PayPal PCI Compliance:
Magento’s Community Edition store is not PCI compliant; however, because you will be using a third-party payment processor like PayPal, you won’t be accessing card numbers, making you exempt from PCI DSS. PayPal states, “PayPal is not responsible for PCI Compliance if you store, transmit, or process payment card information… All card data must be stored, transmitted, and processed by PayPal and not by the merchant” (PayPal PCI Compliance).
If your webstore will be taking credit card numbers or sensitive data, storing it, and then shooting that over to a third party for payment processing, then you have some PCI compliance liability. PayPal is considered a level 4 PCI DSS validation type if you are handling credit card numbers and processing payment through PayPal. In this case, tokenization and point-to-point encryption could be good solutions. This is where the card number becomes encrypted and transmitted to a PCI DSS compliant storage facility. The encrypted card number is also transmitted to the third party for processing. This makes it virtually impossible for hackers to read the actual card number and covers your PCI compliance responsibility.