For months we've been getting emails from an unknown vendor called VikingCloud with the domain securetrust.com, having subject lines like "Your PCI compliance status requires attention".

We assumed that these were one of the many junk emails we get from "partners" of services we've used like Google, Amazon, and Dunn and Bradstreet. These emails always seem to evoke the name of the bigger company to try and sell useless add-on services.

However this week we received an email from paypal@paypal.com with the subject "PayPal PCI Compliance – Review Important Updates" that seems to demand we create an account with VikingCloud to evaluate our PCI compliance.

We certainly do not want to engage with VikingCloud if possible.

And, I'd understood that the newest ECT-PayPal integration isn't subject to this sort of PCI audit since our systems never retain payment card numbers.

However the PayPal email has this vague warning:

"As a business accepting credit cards online who touches, stores, or transmits card details, you are required to meet specific payment card security standards to ensure your business has the right controls in place to reduce your risk of a cyber incident. "

Can anyone shed light on this?

Thanks in advance for your help with this.

Not that I trust reddit as a reliable source, but some of the consensus here is it's a scam or ignore it.
I would call Paypal direct and ask them.
https://www.reddit.com/r/paypal/comments/1eht2po/is_the_vikingcloudpaypal_annual_pci_certification/?rdt=62035

David

Dave, thanks for this.

I found a PayPal Community thread on this subject too: https://www.paypal-community.com/t5/Security-and-Fraud/Emails-from-Securetrust-which-claims-to-be-a-Paypal-company/m-p/3190636.

Like the Reddit posts, merchants in that PayPal Community thread are suspicious of the 'VikingCloud' emails and doubt there's any action required, but nobody is sure.

Over the years we've seen some jarring 'action required' emails from PayPal - for example the required TLS and SHA-256 security changes of 6/2016. Those always stated specific technical details and explicit deadlines for action.

The fact that those 'VikingCloud' emails have vague requirements with no explicit deadline makes them seem very suspect.

- Can anyone suggest some other way to confirm that this is marketing Spam - as opposed to a looming threat that could shut us down?

Again, this is much appreciated.

For what it's worth, we're still receiving exactly one email per month from the suspicious-looking <paypal@managepci.com> address, with the subject line: "Action required: validate your PCI compliance."

We’ve never clicked the embedded link, which misleadingly appears to be from PayPal but actually points to that managepci.com domain.

Has anyone else seen any updates on this?

Here's my experience so far: I have also been getting the same repeated emails from paypal.managepci.com. I contacted PayPal directly (phishing@paypal.com) to see if this is a legit Paypal thing or a scam. Never got an answer.

I ignored the repeated emails until this past week after I had problems completing several "card not present" transactions. A display window opened on my computer screen notifying me that a verification code has been texted to the customer's phone. This code has to be typed into a box in a display window to verify the transaction is legit. You can imagine how well that went. https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=116397

Needless to say, I haven't been having a good week. The affected customers, all of whom happen to be longtime clients, are puzzled, unhappy, and in one case, quite angry. I'm likewise.

I contacted Paypal customer service. Their tech support rep says to log onto Paypal and use their "virtual terminal" system on the PP website to run the payment, rather than use my e-store checkout. If this is the "new normal" for "card not present" transactions, I'm going to be in a world of hurt.

Anyways I happened to get one of those PCI compliance emails today. In desperation, I logged onto the PCI compliance report website and slogged through their LONG online assessment. I feel even more confused and angry than when I started.

None of the questions required me to disclose sensitive information, so that was fine. But in the end, they basically told me I'm going to have to do a quarterly security scan and fix whatever problems happen to be detected.

I agreed to have a scan done today, which (of course!) resulted in a failing grade and a list of security concerns I am supposed to address. Problem is I don't have the background knowledge to understand what these so-called problems are, nor how one might fix them. It's way, way above my pay grade.

So far I'm not seeing any signs they're wanting me to spend money for them to "fix" the problems; thank goodness for that. But jumping through their hoops today hasn't resulted in anything that makes sense to me or is useful for solving my problems. I'm going back to ignoring this and recommend others do likewise.

Classic Bells, Postville, Iowa, USA, https://classicbells.com/

So happy I quit Paypal several years ago.
They took away everything that made them better than all the others.
After processing 20 million dollars over course of a decade, they decided to start holding my funds, with never any issue or significant chargebacks.
They took my grandfathered 1.5% cash back debit card and rolled it back to 1% without telling me.
Now I earn 2% with Capital one spark.
I pay square about 2.4% vs 3%+ for Paypal.
Square has served us well.
Just my personal opinion and should not reflect on ECT's opinion of Paypal.

David

Hi DeeAnna
I answered more about this on your other post but I think this is really to do with the 3DS challenge which is becoming more and more of a requirement in the card industry in general and not just with PayPal. I heard about Dave's problems and it's a shame really as I'm not sure why it happened and PayPal don't withhold funds for us and I generally find them the best payment processing system by a long way.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

I've used Paypal for a long time -- best guess is well over 15 years. PP has made some major false steps, especially in early years. That has earned them a lingering reputation for being arbitrary, unresponsive, and heavy handed. Even in current times, I get chastised by some customers because they hate PP.

Given my long and generally positive experience with PP, I'm not ready to switch away from PP without good reason. But I do think PP didn't do themselves any favors in their early days.

Vince wrote: "...I think this is really to do with the 3DS challenge which is becoming more and more of a requirement in the card industry in general and not just with PayPal..."

After going round and round with this issue, I believe you are probably right. Unfortunately, the policy is not only preventing fraud but it is also preventing people from doing legitimate "card not present" transactions.

What concerns me is I don't see the credit card companies (nor PP for that matter) offering effective solutions for business people like me who do use "card not present" transactions.

Classic Bells, Postville, Iowa, USA, https://classicbells.com/

DeeAnna, we’ve also had good service from PayPal over the past few years.

Our only recent support requests have been billing issues with the PayPal–ShipStation integration, where UPS repeatedly charges bogus adjustments.

Aside from that, we haven’t had any real problems lately.

That said, whenever we log in PayPal won’t let us reach our account page until we dismiss the same screen asking if we want to borrow money—for what feels like the 10,000th time. That shameless, time-wasting promotion makes us skeptical that any PayPal "partner" message (like the repeated VikingCloud emails) is legitimate.

Hi Paul, those loans are legit.
I did several with Paypal and a few with Square.
It's an easy way to raise cash for a large purchase and pay a percentage of your sales each day.
As long as your profits allow for it, it's easy and quick.

David

Dave, glad to hear those loans worked well for you. You were clearly more tolerant of PayPal's marketing than I am.

After 16 years of sending them transaction fees, the idea of also paying them interest just rubs me the wrong way.

You're going to pay interest on any loan.
I think 200k cost me about 15k and I had the money in 24 hours.
Used the 200k to make way more than 15k.
Loan was paid back in about 9 months.
It was a pinch on the daily payback but I don't like to carry long term debt it I can avoid it.

David