Payflow Gateway Security and PCI Compliance

It is your responsibility to adhere to PCI compliance standards to protect personal information and implement security safeguards on your website when processing payment card transactions.

Gateway solutions make available a secure token and hosted checkout pages to help you meet PCI compliance. Hosted pages are optional to PayPal Payments Pro and Payflow Pro users. If you do not use a secure token or hosted pages, you must provide your own means of meeting compliance requirements.

Note: PayPal Payments Advanced and Payflow Link merchants are required to use hosted pages.

The Secure Token

The secure token stores request transaction data on the Gateway server. This eliminates the need to resend the parameter data for display in a hosted checkout page where the data might be subject to compromise.

Hosted Checkout Pages

The Gateway enables the use of hosted checkout pages, which help you achieve PCI compliance. The hosted checkout pages enable you to pass transaction data securely to the server and to collect credit card acceptance data.

Note: You are required to use hosted pages with PayPal Payments Advanced and Payflow Link.

The following figure shows the transaction flow when using hosted pages and a secure token.

Figure legend:

  1. The customer clicks Buy to purchase merchandise on your website.
  2. You request a secure token by passing a token ID to the Gateway server.
  3. The Gateway server returns the secure token and your token ID to your website.
  4. You submit the secure token and token ID in an HTTP post to pages hosted on the Gateway server and redirect the customer's browser to the hosted pages.
  5. The Gateway server uses the secure token to retrieve the amount and other transaction data. The customer submits their credit card number, expiration date, and other sensitive data directly to the host pages rather than to your website, easing your PCI compliance requirements.
  6. The Gateway processes the payment through the payment processing network.
  7. The Gateway server transparently returns the customer to the location on your website that you specified in the request to obtain a secure token. You display the results to the customer on your website.

Note: If you do not get a response from the Gateway server, submit an Inquiry transaction, passing in the secure token to see if the transaction has completed. For details, see Submit Inquiry Transactions.

PCI Compliance Without Hosted Pages - Transparent Redirect

PayPal Payments Pro and Payflow Pro merchants who want PCI compliance while maintaining full control over designing and hosting checkout pages on their website can use Transparent Redirect. Transparent Redirect posts payment details silently to the Gateway server, so this sensitive information never goes through the merchant's website.

Implementing Transparent Redirect is very similar to implementing hosted pages. It differs only in the steps shown in boldface below:

  • The customer clicks Buy to purchase merchandise on your website.

  • You request a secure token by passing a secure token ID to the Gateway server. In the request, you pass the name-value pair, SILENTTRAN=TRUE. This name-value pair prevents the hosted pages from displaying.

  • The Gateway server returns the secure token and your token ID to your website.

  • You display the credit card fields to the customer in a checkout page on your website.

  • The customer enters their credit card number, expiration date, and other sensitive data into the credit card fields and clicks Submit. The browser posts the payment data directly to the Gateway server, avoiding your website and easing your PCI compliance requirements.

    Note: To ensure that the post goes from the browser directly to PayPal and not back to your website, you should add scripting.

  • The Gateway processes the payment through the payment processing network.

  • The Gateway server transparently sends the customer to the location on your website that you specified in the request to obtain a secure token. You display the results to the customer on your website.

Passing data to ensure PCI Compliance

Due to on-going changes related to PCI Compliance, all data listed below should be sent in the appropriate Payflow parameters provided in this guide and should not be included in any free-form parameter; such as USER1, or any parameter not designated for the data.

PCI Data:

  • Credit Card Number (ACCT)
  • Expiration Date (EXPDATE)
  • CSC/CVV2 (3-4 digit number on credit card)
  • Driver's License Number (DL)
  • Social Security Number (SS)

If this data is found outside of the appropriate parameters, it is deleted from the request. For example, sending the credit card data in the RETURNURL field causes everything to be dropped except RETURNURL=https://example.com/mysite/Details?:

RETURNURL=https://example.com/mysite/Details?ACCT=4111111111111111&`EXPDATE`=0221&CVV2=12