PayPal provides an online payment service that facilitates payment for all types of e-commerce businesses and organizations. It is a widely known and accepted form of payment in the industry. The online payment service is PCI Compliant and has achieved PCI DSS compliance certification under various programs and standards.
However, there is often confusion about its compliance status, as businesses believe that, despite having availed themselves of a third-party payment service, they are still required to be PCI DSS Compliant.
To be clear: although PayPal is PCI Compliant, Merchants availing themselves of its services are also required to ensure compliance with PCI DSS. This is simply because, even though PayPal stores, processes, and transmits the cardholder data, as a Merchant your business is the one accepting that information.
The online environment in which the transaction occurs can affect the security of the payment process and the transaction itself. It is therefore equally important that your online environment is secure, and for that reason Merchants are also required to be PCI DSS Compliant.
Although availing of third-party services limits the scope of compliance, that does not mean Merchants are not subject to PCI DSS. In this scenario, both PayPal, as a payment processor, and Merchants are required to be PCI DSS Compliant.