PayPal Merchant Services has achieved Payment Card Industry (PCI) certification under the Visa Cardholder Information Security Program.

(CISP) and MasterCard Site Data Protection (SDP) program. In addition, PayPal has achieved the American Institute of Certified Public Accountant's (AICPA) Statement of Auditing Standards #70 (SAS70) certification. Each certification underscores a strong PayPal commitment to making security a central focus of its development efforts and protecting the safety and integrity of customer data In today's global economy, service organizations and providers must demonstrate that they have adequate controls and safeguards in place when they host or process customer data. To address these needs, Visa, MasterCard and the AICPA have established standards to protect cardholder information in all organizations that store, process or transmit data.

Visa CISP is a set of 12 industry-wide requirements designed to protect sensitive information from being compromised. As part of the certification process, PayPal employed an independent, Visa-qualified, auditor to perform a thorough inspection of the PayPal payment processing environment. This process included an intensive review of the procedures PayPal uses to classify, access, and store sensitive information. In addition, PayPal performed and in-depth analysis of network and system architecture, a complete assessment of IT policies and procedures, and an on-site inspection of physical data-center facilities.

Complying with MasterCard SDP involved a two-step process. PayPal completed a self-evaluation of its security procedures, with a detailed analysis of its Web infrastructure, to showcase PayPal's compliance with MasterCard standards. MasterCard then performed compliance testing, scanning PayPal Merchant Services solutions in a controlled environment to ascertain their viability.

The SAS70 compliance process involves a formal, in-depth report by a third party auditor that analyzes the design, implementation, and operational effectiveness of the controls that reside within a service organization. The SAS70 audit report allows service organizations to disclose their control activities and processes to customers, thus demonstrating adequate controls and safeguards are in place. The addition of Section 404 of the Sarbanes-Oxley Act make SAS70 audit reports even more important to the process of reporting effective internal controls.

See http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf.