Study Guide
Table Of Contents
- PayPal Certified Developer Program Study Guide
- Contents
- List of Tables
- Online Payment Processing
- Internet Security and Fraud Prevention
- Why Every Business Should Be Concerned About Internet Fraud
- Liability for Internet Fraud
- Internet Fraud: What It Is and How It Happens
- Who Is at Risk for Online Fraud
- Reducing Exposure to Fraud
- What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud
- What PayPal Is Doing to Protect Your Business Against Fraud
- Disclosure and Compliance
- PayPal Fraud Protection Services
- Review Questions
- Getting Started With Account Setup
- API Credentials
- Name-Value Pair (NVP) API
- Express Checkout
- Direct Payment API
- Transactions
- Sandbox Testing
- Answers to Review Questions
- General Reference Information
- Glossary
- Index
Internet Security and Fraud Prevention
Disclosure and Compliance
32 March 2008 PayPal Certified Developer Program Study Guide
While validating that you are in compliance with the PCI standard is a requirement, it is also an
opportunity. Finding and fixing compliance gaps before your audit keeps your company
running smoothly and your reputation intact, and it gives you tangible proof of how well
you are protecting your customers that you can communicate to them.
The quickest and easiest way to meet PCI compliance standards is to outsource the job. A
number of PayPal payment solutions are hosted: cardholder data is entered on and handled by
PayPal's systems rather than the merchant's, which relieves the online merchant of the
compliance responsibility for those systems. The PayPal Gateway payment solution, which allows
the merchant to receive and handle card data directly, does require compliance and validation
by the merchant itself.
Determining the compliance level of each merchant is the responsibility of the merchant's
acquiring bank (a bank that provides credit card merchant accounts and is responsible for
submitting credit card purchase information to the credit card associations). The four merchant
levels are based on annual credit card transaction volume.
TABLE 2.2 PCI Data Security Standard

Standard: Build and Maintain a Secure Network
  Requirement 1. Install and maintain a firewall configuration to protect data.
  Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Standard: Protect Cardholder Data
  Requirement 3. Protect stored data.
  Requirement 4. Encrypt transmission of cardholder data and sensitive information across public networks.

Standard: Maintain a Vulnerability Management Program
  Requirement 5. Use and regularly update antivirus software.
  Requirement 6. Develop and maintain secure systems and applications.

Standard: Implement Strong Access Control Measures
  Requirement 7. Restrict access to data by business need-to-know.
  Requirement 8. Assign a unique ID to each person with computer access.
  Requirement 9. Restrict physical access to cardholder data.

Standard: Regularly Monitor and Test Networks
  Requirement 10. Track and monitor all access to network resources and cardholder data.
  Requirement 11. Regularly test security systems and processes.

Standard: Maintain an Information Security Policy
  Requirement 12. Maintain a policy that addresses information security.
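Requirement 3 ("Protect stored data") is the one a merchant integrating the PayPal Gateway most often fails without noticing: full card numbers end up in application logs, debug output or support tickets. The following is an added example, not code from the study guide or from PayPal. It applies the PCI DSS masking rule (at most the first six and last four digits of a primary account number may be shown) and scans text for digit runs that pass the Luhn checksum, which is how unmasked PANs are usually spotted in logs. The log lines are constructed for this example; the Visa and Mastercard numbers in them are the well-known test numbers, not real accounts.

```python
"""Added example (not from the PayPal study guide): PAN masking and a
log scan for unmasked card numbers, in support of PCI DSS Requirement 3.

mask_pan()   - reduce a PAN to the form PCI DSS allows for display outside
               the cardholder data environment (first six, last four).
luhn_valid() - the checksum every card number must satisfy.
find_pans()  - return digit runs in a text that look like real PANs.
redact_pans()- rewrite a text so any such run is masked.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not
# adjacent to other digits.  13-19 is the PAN length range.
_DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log: one unmasked test PAN, one already-masked PAN,
# and a 16-digit transaction id that is not a card number.
SAMPLE_LOG = """\
2008-03-12 10:01:44 INFO  order=100234 pan=4111111111111111 amount=19.99
2008-03-12 10:01:45 INFO  order=100235 pan=411111******1111 amount=5.00
2008-03-12 10:02:01 DEBUG txn=2008031210020112 auth ok
"""


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN, keeping no more than the first six and last four digits."""
    if keep_first > 6 or keep_last > 4:
        raise ValueError("PCI DSS allows at most first six and last four digits")
    digits = _digits_only(pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def find_pans(text: str) -> list:
    """Return the unmasked PANs (digits only) found in text."""
    hits = []
    for m in _DIGIT_RUN.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_pans(text: str) -> str:
    """Replace every PAN-looking, Luhn-valid run in text with its masked form."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _DIGIT_RUN.sub(_sub, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("unmasked PAN in log:", mask_pan(pan))
    print(redact_pans(SAMPLE_LOG))
```

The Luhn filter is what keeps the scan useful: the 16-digit transaction id on the third line is matched by the regular expression but rejected by the checksum, while the masked PAN on the second line never forms a run long enough to match. Running `find_pans` over log archives and `redact_pans` in the logging layer is a cheap check that the gateway integration does not persist what Requirement 3 says it must not.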
TABLE 2.3 Merchant Levels for PCI Compliance

Level 1: Any merchant, regardless of acceptance channel, processing over 6 million credit card
  transactions per year; any merchant that has suffered a hack or an attack that resulted in an
  account data compromise; any merchant identified by any card association as Level 1.
Level 2: Any merchant processing 150,000 to 6 million e-commerce transactions per year.
Level 3: Any merchant processing 20,000 to 150,000 e-commerce transactions per year.