How can I make my site PCI compliant?
aj_nsc
07-22-2010, 09:06 AM
How do I go about making my site PCI compliant? I actually have no desire to store credit card numbers in a database, just to use PayPal Website Payments Pro so that my customers can pay with a credit card without leaving my site.
tracknut
07-22-2010, 10:58 AM
It's been 4-5 years since I did any PCI compliance, but I always found the PCI site to be useful. I'd download SAQ A (https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions) and read that. It should be very simple in your situation.
Dave
criterion9
07-22-2010, 01:10 PM
If you are using PayPal and following their best practices when you develop your code, they will handle all the PCI compliance for you. One of the benefits of using a system like theirs. :)
aj_nsc
07-22-2010, 01:26 PM
So I was thinking the only thing I needed to do was install an SSL certificate to encrypt the data in the form posted to a script on my site, and I would then pass it to PayPal... no storage. That's the only thing that's being done with any credit card information.
In that same vein, what's the deal with SSL? I posted another thread on it in this forum, but no responses as of yet. I've seen that I can get a GoDaddy SSL certificate that will display a lock in the browser for $15 a year, but other places that offer extended validation certificates that will turn the address bar green offer them for anywhere from $199 to almost $700 a year.
Is it all in a name? E.g., is VeriSign more expensive than a just-as-good but lesser-known company? Do EV certificates really make a difference in terms of customers' perceptions of this site? Personally, as long as I see a lock icon and HTTPS, I feel secure enough to submit my credit card information to that site.
Thoughts and opinions? Your help is greatly appreciated.
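The "no storage" goal in the post above has a common failure mode: when the card form posts to a script on your own server before being forwarded to PayPal, the full card number (and CVV) is one misconfigured request log or debug print away from being written to disk, which is exactly what PCI DSS forbids. The following is an added example, not code from this thread or from PayPal, showing the kind of log scan a site operator can run to detect that accidentally logged PANs. It uses the Luhn checksum to separate real card numbers from other long digit strings (order ids, transaction ids, timestamps) and masks hits to first six / last four, the most PCI DSS allows to be displayed. The log lines are constructed for the example; 4111111111111111 and 5555555555554444 are the standard Visa and Mastercard test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Mask a PAN to first six / last four, the maximum PCI DSS permits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text):
    """Return every Luhn-valid 13-19 digit sequence found in text, already masked."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_log_lines(lines):
    """Return (line_number, masked_pan) for each line that appears to contain a full PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((n, masked))
    return hits


# Constructed sample log lines (not from any real system). Line 1 shows a request
# log that captured the posted form, CVV included; line 2 carries a 16-digit
# transaction id that is not a card number; line 4 shows a space-separated PAN.
SAMPLE_LOG = [
    '2010-07-22 09:06:01 POST /checkout.php params=card_number=4111111111111111&exp=0812&cvv=123',
    '2010-07-22 09:06:02 paypal DoDirectPayment ok txn=1234567890123456',
    '2010-07-22 09:06:03 receipt sent, card ending 4444',
    '2010-07-22 09:07:10 POST /checkout.php acct="5555 5555 5555 4444"',
]

if __name__ == "__main__":
    for n, masked in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: full PAN logged -> {masked}")
```

Any hit means the server is handling and retaining cardholder data, so the "fully outsourced" answer given earlier in the thread no longer describes the setup; the fix is to stop the data reaching the log (or the server at all, by using PayPal's hosted payment page), not merely to mask it after the fact. Note the scan only detects Luhn-valid sequences; the CVV on line 1 is three digits and is not flagged, so a separate rule for parameter names such as cvv is worth adding.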