PayPal OFAC Sanctions, PCI DSS & Vendor Risk Report
Before you share customer data with PayPal, your compliance team needs documented proof they can be trusted. ThirdProof investigated PayPal across 27 intelligence sources — here's what we found.
- SOC 2 Status
- PayPal has not had a SOC 2 claim detected on their trust page.
- Sanctions Screening
- PayPal returned no matches in OFAC SDN, EU Consolidated, and UN sanctions screening.
- Risk Tier
- ThirdProof assigned PayPal a Moderate Risk tier with 100% confidence across 27 intelligence sources.
27 sources checked. Every investigation delivers two audit-ready artifacts: a risk report and an auto-filled security questionnaire — built from independent evidence, not vendor self-attestation.
Get PayPal's Full Report Free →Certification & Compliance Status
Need a complete vendor security questionnaire?
Run a full ThirdProof investigation to get 133 security questions auto-filled with source evidence — ready for your next audit or vendor onboarding review.
Get PayPal's Full Report Free →Assessment Preview — 23 Sources Queried
Run your own investigation to see the full evidence chain, compliance assessment, and recommended actions.
Get PayPal's Full Report Free →Executive Summary Preview
PayPal (paypal.com) is a globally recognized payment processing platform assessed at Risk Tier 3 (Moderate Risk), reflecting a combination of strong foundational security controls and a series of confirmed security incidents and active legal proceedings that require careful attention from procurement and risk teams.
This is an excerpt. Run your own investigation to see the full assessment. Get PayPal's Full Report Free →
Key Findings for PayPal
| Severity | Finding | Source |
|---|---|---|
| critical | Active regulatory enforcement action | Adverse Media Scan |
| info | TLS certificate renewal approaching | Domain Analysis |
| info | Clean domain reputation | Threat Intelligence |
| low | Threat intelligence pulses detected | Threat Intelligence (OTX) |
4 total findings. Get PayPal's Full Report Free →
Recommended Actions
- Request PayPal's current SOC 2 Type II report and bridge letter directly from your PayPal account manager or compliance contact — check https://www.paypal.com/us/compliancereports/faqs first, as PayPal's compliance page may have a request mechanism. Ask for a report dated within the last 12 months and confirm it covers the specific PayPal services in scope for your integration.
- Request a written statement from PayPal's legal or compliance team on the status of the three active 2026 class action lawsuits and any ongoing obligations from the January 2025 NYDFS $2M cybersecurity fine — specifically, whether remediation commitments from the NYDFS consent order are complete and what controls were implemented post-incident.
- Review PayPal's Data Processing Addendum (https://www.paypal.com/us/legalhub/paypal/dpa-business-management) and ensure your organization has executed a current version. Confirm contractual provisions for breach notification timelines, as PayPal's DPA commits to 'written notice without undue delay' — negotiate a specific timeframe (e.g., 72 hours) if your regulatory obligations require it.
Intelligence Sources Queried for PayPal
ThirdProof uses a deterministic rules engine to assign risk tiers. AI writes the narrative — rules drive the decision.
What a ThirdProof assessment covers↓
Sanctions Screening
Is PayPal on any OFAC, EU, or UN sanctions list? Are any officers or affiliates flagged?
Cyber Risk Assessment
What is PayPal's security posture? Threat intelligence scanning, known vulnerabilities, and security header analysis.
Business Registration
Is PayPal a legitimately registered business entity? Corporate status, jurisdiction, and officer verification.
Adverse Media Analysis
Has PayPal appeared in negative news coverage? Data breaches, lawsuits, regulatory actions, and complaints.
Domain & Infrastructure
Is PayPal's website secure? TLS configuration, DNS hygiene, security headers, and domain age analysis.
Company Intelligence
What are PayPal's firmographics? Employee count, industry classification, technology stack, and corporate structure.
Trust & Compliance Verification
Does PayPal claim SOC 2, ISO 27001, HITRUST, or FedRAMP? ThirdProof scans trust pages for certification claims and cross-references the FedRAMP public registry for independent verification.
Supply Chain & Subprocessor Discovery
Who does PayPal depend on? ThirdProof discovers subprocessors from vendor-published pages and runs sanctions screening and safe browsing checks against each one.
Regulatory & Financial Filings
Has PayPal appeared in SEC enforcement filings? Is it associated with any FDIC bank failures? ThirdProof searches regulatory databases with entity verification to confirm attribution.
Full methodology, rule engine, and AI disclosure: /methodology
Why Sanctions & AML Screening Matters for PayPal
PayPal processes payments across 200+ markets and holds money transmitter licenses in all 50 US states alongside regulatory authorizations in the EU, UK, and APAC. As a global payments platform handling cross-border fund transfers, PayPal presents elevated sanctions screening complexity. Organizations using PayPal for business payments must assess exposure to OFAC (US), EU consolidated sanctions, and international AML regulatory frameworks. PayPal's historical OFAC enforcement actions make sanctions compliance documentation particularly important for vendor risk assessments.
PayPal Security & Compliance Posture
ThirdProof investigated PayPal across 27 intelligence sources and assigned a Moderate Risk (Tier 3) rating with 90% confidence. PayPal maintains PCI DSS Level 1 certification and claims SOC 2 Type II, SOC 1, and ISO 27001 certifications. Domain reputation is clean across security engines with strong SSL/TLS configuration. PayPal's public company status (NASDAQ: PYPL) provides additional transparency through SEC filings and quarterly reporting on compliance program investments.
Key Compliance Considerations for PayPal
Organizations evaluating PayPal should consider: (1) PCI DSS Requirement 12.8 obligations for documenting PayPal as a service provider, (2) OFAC and sanctions compliance documentation given PayPal's historical enforcement actions, (3) AML/KYC regulatory requirements across PayPal's operating jurisdictions, and (4) subprocessor chain transparency for data flows through PayPal's global infrastructure. ThirdProof's assessment covers all of these dimensions in a single automated assessment.
Evaluate PayPal for Your Vendor Program
Your first 5 PayPal assessments are free — no credit card, no vendor participation required. ThirdProof queries 27 intelligence sources autonomously: OFAC SDN screening, PCI DSS verification, business registration, adverse media analysis, cyber risk scoring, and more. Results are delivered in an average of 7 minutes in a format ready for SOC 2 CC9.2, PCI DSS 12.8, and AML compliance evidence packages.
Seeing this in an audit? ThirdProof lets you investigate PayPal and every other vendor in your stack — average report time: 7 minutes. Get PayPal's Full Report Free →
Frequently asked about PayPal
Does PayPal have SOC 2 Type II?+
Is PayPal on the OFAC sanctions list?+
What is PayPal's vendor risk tier?+
Is PayPal OFAC sanctioned?+
Does PayPal have SOC 2 certification?+
Is PayPal PCI DSS compliant?+
Is PayPal safe for business payments?+
Can I get an auto-filled security questionnaire for PayPal?+
Is PayPal safe to use as a vendor?+
Does PayPal have SOC 2 certification?+
Is PayPal FedRAMP authorized?+
Has PayPal had any data breaches?+
Is PayPal on any sanctions lists?+
How do I assess PayPal for vendor risk?+
How long does a ThirdProof assessment take?+
Is ThirdProof free?+
Can I use a ThirdProof report as SOC 2 audit evidence?+
How is ThirdProof different from a security questionnaire?+
Also investigate these vendors
PayPal is in your vendor stack. Can you prove you assessed them?
SOC 2 CC9.2, HIPAA, PCI-DSS, and CMMC all require documented vendor due diligence — not just knowing the answer, but having audit-ready evidence you verified it. Most compliance teams can't produce that documentation on demand.
ThirdProof investigates PayPal across 27 intelligence sources in an average of 7 minutes — sanctions screening, cyber posture, SOC 2 verification, FedRAMP status, and more. Every investigation produces two deliverables: an audit-ready risk report and an auto-filled security questionnaire your prospects and auditors expect to see.
Replaces $600–$900 in manual compliance consulting time per vendor assessed.