Yes. Self-hosted.
Unfortunately, PCI compliance is a bunch of hoops. It has things like requiring hashed passwords, forcing reset of passwords after certain periods, SSL encryption, and a slew of other things.
What he wants is called the PayPal Direct Payment API method using SOAP. They have so many to choose from, but hopefully they won't give him a hard time about proving PCI compliance. Just tell them it is PCI compliant and get the account updated.