PayPal Online Payment Services Agreement
Last Update: 10 October 2024
This PayPal Online Payment Services Agreement (“Agreement”) (formerly referred to as the PayPal Online Card Payment Services Agreement) contains the terms of a contract between you (also referred to as the “Merchant”) and PayPal (Europe) S.à r.l. et Cie, S.C.A. (“PayPal” or “we”).
PayPal is licensed as a Luxembourg credit institution and is under the prudential supervision of the Luxembourg supervisory authority, the Commission de Surveillance du Secteur Financier (the “CSSF”). The CSSF has its registered office in L-1150 Luxembourg.
About this Agreement
This Agreement applies to you if you are registered with PayPal as a resident of Portugal.
By integrating or using any of the Products or Online Payment Services you agree to be bound by the terms of this Agreement. If you are offered and choose to use any Product, Online Payment Service or functionality (including technology) mentioned in this Agreement, the terms in this Agreement relating to that Product, Online Payment Service or functionality apply.
The Products are:
- Website Payments Pro - a suite of functionality consisting of Express Checkout, Direct Payments API, Virtual Terminal. Optional additional services include the Recurring Payments Tool and Fraud Protection Tools;
- Advanced Credit and Debit Card Payments - a suite of functionality consisting of Advanced Credit and Debit Card Payments APIs. We may also offer you as optional additional services any of the following:
  - any Website Payments Pro functionality,
  - the Vaulting Tool,
  - the Account Updater Service,
  - Fraud Protection Tools,
  - Chargeback Protection;
- Virtual Terminal – the Virtual Terminal functionality as a standalone Product.
- SEPA Direct Debit – a service which enables you to accept SEPA Direct Debit payments under SEPA Direct Debit’s consumer scheme called SDD Core.
Each of the Products includes one or more Online Payment Services. The Online Payment Services are:
- Direct Payments API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder.
- Advanced Credit and Debit Card Payments API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder, as an alternative to the Direct Payments API.
- Virtual Terminal - Functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.
- SEPA Direct Debit – Functionality provided by PayPal to enable you to accept SEPA Direct Debit payments.
The User Agreement for the PayPal Service (which we call here the User Agreement), the Commercial Entity Agreements and the Privacy Statement form part of this Agreement. See section 1 for more provisions relating to how these other legal documents apply.
We may amend, delete or add to this Agreement in line with the Change process set out in the User Agreement. If you do not agree with any Change, you may terminate this Agreement as set out in section 11 of this Agreement.
1. How our other legal documents apply
1.1 Legal Agreements
You can find this Agreement, the User Agreement, the Commercial Entity Agreements and the Privacy Statement on the Legal Agreements page by clicking the Legal link at the bottom of a PayPal web page.
1.2 User Agreement
The User Agreement forms part of this Agreement. As much as possible, this Agreement and the User Agreement should be interpreted as a consistent whole. Where a conflict of interpretation arises, this Agreement overrides the User Agreement to the extent of the conflict, except in relation to your use of any of the Products or individual Online Payment Services as part of our PayPal Complete Payments product as set out in the User Agreement.
Capitalised words which are not defined in this Agreement are defined in that User Agreement. The definition of “Services” and “Agreement” in the User Agreement, when read together with these terms, includes the Products and this Agreement.
The User Agreement includes important provisions which:
1.2.1 Permit PayPal to take a Reserve to secure your obligation to pay Chargebacks, Reversals and fees;
1.2.2 Obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal;
1.2.3 Give legal effect to PayPal’s Privacy Statement, which governs our use and disclosure of your information and that of Shared Customers; and
1.2.4 Permit PayPal to restrict a payment or your PayPal Account in circumstances listed in the User Agreement.
You are responsible for Chargebacks, Reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Product, including its fraud filtering technology and similar preventive tools (if any). Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for Chargebacks, Reversals and payments which are otherwise invalidated.
1.3 Commercial Entity Agreement
By agreeing to be bound by this Agreement, you also agree to the Commercial Entity Agreements. These are your direct agreements with the Acquiring Institutions, PayPal’s banking partners, who enable you to receive card payments and card-funded PayPal payments.
1.4 Privacy Statement
You confirm that you have read, consented and agreed to PayPal’s Privacy Statement, which explains the information that we collect about you and your online business. In particular, you agree and consent that PayPal may obtain from a third party your credit history and financial information about your ability to perform your obligations under this Agreement; the PayPal Privacy Statement lists the companies involved in this exchange of credit-related information. PayPal will review your credit and other risk factors of your Account (reversals and chargebacks, customer complaints, claims etc.) on an ongoing basis, and we may also review your website and the products for sale on it.
PayPal will store, use and disclose all information that we have about you in conformity with PayPal’s Privacy Statement.
1.5 Third-Party Terms for Advanced Credit and Debit Card Payment Add-on Features
If you choose to integrate eligible third-party wallets as Advanced Credit and Debit Card Payment (defined below) add-on features, you also agree to the following applicable third-party terms:
- Apple Pay Platform Web Merchant Terms and Conditions
- Google Pay API Terms of Service
You acknowledge and agree that the third-party features and terms are provided, updated and noticed solely by the relevant third party (not PayPal), and that PayPal will under no circumstances be responsible or liable for any damages, losses, or costs whatsoever suffered or incurred by you resulting from any use of such third-party features or acceptance of such third-party terms.
2. Setting up and activating your Product
2.1 To obtain and use your Product, you must first do all of the following:
2.1.1 Complete the online application and approval process for your Product, open a PayPal Business Account (if you do not already have one), and follow the instructions set out in PayPal’s online process to access and use your Product.
2.1.2 Integrate your Product into the payment process of your website, if your Product is Website Payments Pro or Advanced Credit and Debit Card Payments. You are not required to integrate your Product into the payment process of your website if you only access and use Virtual Terminal. PayPal is not responsible for any problems that could occur by integrating your Product into your 'live' website.
2.1.3 Activate your Product by using it in a ‘live’ payment transaction for the first time.
If your Product is Website Payments Pro or Advanced Credit and Debit Card Payments, we may allow you to integrate and use the Direct Payments API or Advanced Credit and Debit Card Payments API as a PayPal Hosted Integration or Self Hosted Integration.
We may set either Hosting Option as your default option for integrating the Direct Payments API or Advanced Credit and Debit Card Payments API into the payment process of your website.
2.2 Required use of Express Checkout
If we offer you Express Checkout functionality as part of your Product and you choose to use that Product, you must implement PayPal Express Checkout as part of your website integration. In implementing Express Checkout, you agree that your website:
2.2.1 Includes a PayPal Express Checkout button either: (A) before you request the shipping/billing address and other financial information from your customers or (B) on the same page that you collect such information if you only use one page for your checkout process.
2.2.2 Offers PayPal as a payment option together with the other payment options you offer for Express Checkout. The PayPal logo must be displayed with equal or greater prominence as the logos for your other payment options.
2.2.3 Provides your customers with the option of not storing their personal information, including their email address, shipping/billing address, and financial information, as part of the checkout process.
2.3 Cancellation
We may terminate your access to and/or use of any or all Products and/or terminate this Agreement at any time before the Activation Date by notifying you.
Part I – Product-specific terms for Online Card Payment Services
3. Choice of Fee Structure
3.1 Choice of Interchange Plus Fee Structure and Blended Pricing Fee Structure
You may choose the fee structure applicable to you for your receipt of card payments through any of the Online Card Payment Services (including via Direct Payment API, Advanced Credit and Debit Card Payments API and/or Virtual Terminal) by the methods or procedures that PayPal may make available to you. If you do not make an election, you will stay on your existing fee structure.
You may choose your fee structure for future transactions only, not for past transactions. This means that if you opt to be charged under the Interchange Plus Fee Structure, the respective Interchange Plus Fee Structure will apply to the use of both our Online Card Payment Services and PayPal Here.
Interchange Fees are set by Visa and MasterCard. They vary for different types of cards (for example by categories and brand). PayPal shall always charge you the Interchange Fee as set by Visa and MasterCard and as passed on by its Acquirer. Single Interchange Fees may change from time to time. For more information on Interchange Fees, please see MasterCard’s and Visa’s website as well as our simplified overview.
If you opt to be charged under the Interchange Plus Fee Structure you agree that when PayPal receives a card payment for you through any of the Online Card Payment Services, PayPal may hold those funds in the Reserve Account portion of your PayPal Account before they reach the Payment Account portion of your PayPal Account. You instruct PayPal to pay those funds to your Payment Account only on the Business Day on which PayPal receives the information about the interchange fee applicable to the card payment. While the funds are held in your Reserve Account, the transaction will appear to you as “Pending” in your Account details. PayPal does not consider that the proceeds of the card payment in your Reserve Account are at your disposal until PayPal has received the information on the applicable interchange fee from our Processor (which can be within the next Business Day following the day on which the card payment was initiated by the card holder).
3.2 Additional terms for Interchange Plus Plus Fee Structure
Where available, you may also opt to be charged under the Interchange Plus Plus Fee Structure (“IC++”). If you opt to be charged under the Interchange Plus Plus Fee Structure, then the following terms will apply to you:
3.2.1 Gross Settlement. PayPal will invoice you on a monthly basis (“Fee Invoice”) for all fees, charges, or other amounts accrued in connection with your use of the Online Card Payment Services (“Gross Settlement”).
3.2.2 Currency Conversion. (a) PayPal may allow you to choose the currency in which Fee Invoice will be billed (“Fee Invoice Currency”). If you have accepted transactions in currencies other than the Fee Invoice Currency, then PayPal will convert those currencies into the Fee Invoice Currency at the time of the Fee Invoice generation. (b) PayPal may allow you to pay the Fee Invoice in the denominated currency of the linked bank account you nominate for debiting amounts owed to PayPal (“Linked Bank Account Currency”). If the Fee Invoice Currency is different from the Linked Bank Account Currency, PayPal will convert the amount of the Fee Invoice into the Linked Bank Account Currency at the time of debiting. If PayPal converts currency under this section, it will be completed at an exchange rate that we set for the relevant currency exchange. The exchange rate is based on the rates available in the wholesale currency markets or, if required by law or regulation, at the relevant governmental reference rate(s) on the conversion date or the prior business day.
3.2.3 You authorise PayPal to debit your linked bank account, and set-off from such bank account, any amounts to PayPal under this Agreement and under the terms of any mandate (e.g. bank direct debit) used by the provider of that bank account to set up and maintain that authority. If necessary, you also authorise PayPal to credit your account to correct erroneous debits and for fees, charges, or other amounts arising from your use of Online Card Payment Services. You agree to provide PayPal with all necessary bank account information and grant PayPal permission to debit, set-off, or credit amounts due from your bank account on a date notified by PayPal or, if this payment fails, on a further date(s) as notified by PayPal (“Debit Authorisation”). You certify that the bank account information you provide to PayPal belongs to you.
3.2.4 If both debit attempts fail, PayPal may:
- deduct these amounts from your PayPal account balance;
- engage in collection efforts to recover the amount due from you; or
- take any or all other actions as provided herein or in the User Agreement.
3.2.5 You may deactivate IC++ at any time in your PayPal account settings. However, PayPal may continue to debit, credit or set-off from your linked bank account any amounts due for the last month.
3.2.6 You understand that deactivating IC++ does not terminate, cancel, reduce, or otherwise affect the obligations you owe to PayPal, under this Agreement, the User Agreement or any other agreements with PayPal.
4. Information Security; Data Protection; Data Portability
4.1 Your PCI DSS compliance
You agree to comply with the PCI Data Security Standard (PCI DSS). You must protect all Card Data that comes within your control according to PCI DSS, and you must design, maintain and operate your website and other systems in conformity with PCI DSS. You must ensure that your staff are and remain sufficiently trained so that they are aware of PCI DSS and can carry out its requirements. PayPal is not responsible for any costs that you incur in complying with PCI DSS. Find more information about PCI DSS at the PCI Security Standards Council’s website here: https://www.pcisecuritystandards.org/pci_security/.
4.2 PayPal’s PCI DSS compliance
PayPal warrants that PayPal and your Product comply and will comply with PCI DSS. However, PayPal’s compliance, and your Product’s, are not sufficient to achieve compliance with PCI DSS by you and your systems and processes.
4.3 3D Secure
Requirements of the European Central Bank and PayPal’s bank regulators require use of 3D Secure in certain circumstances, and Card Associations may also require it to reduce an excessive number of Card Transactions unauthorised by the cardholder. PayPal may by notice to you require that you implement 3D Secure for all or certain specified Card Transactions. You agree to implement 3D Secure if required in such a notice, where the issuer of a particular card supports 3D Secure for that card.
4.4 Price and currency
You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
4.5 Data Portability
Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).
5. Additional terms for American Express card acceptance
If we allow you to receive payments from American Express cards, this section 5 applies to you.
5.1 Commercial Marketing Communications
American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with card marketing and administrative purposes. By accepting these terms, you agree to receive commercial marketing communication from American Express. You may opt out by notice by contacting us. Visit our PayPal Help Centre page accessible from your User Agreement and most PayPal web pages to find out how to contact us. If you opt out of commercial marketing communications, you will still receive important transactional or relationship messages from American Express.
5.2 Direct Card Acceptance
You acknowledge that if you reach certain monthly and/or annual sales volumes relating to American Express as set by American Express for the time being and from time to time, American Express may require you to enter into a direct contractual relationship with them. In this situation, American Express will set pricing for American Express transactions, and you will pay fees for American Express transactions directly to American Express.
5.3 Audit Rights
American Express may conduct an audit of you at any time, for the purpose of determining compliance with the American Express Rules.
5.4 Submission and Settlement Rights
You authorise PayPal to submit transactions to, and receive settlement from, American Express, and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications. Merchant may terminate its acceptance of American Express at any time upon notice.
5.5 Third Party Beneficiary
American Express shall be a third-party beneficiary of this Agreement for purposes of American Express card acceptance. As a third-party beneficiary, American Express shall have the right to enforce directly against you the terms of this Agreement as related to American Express Card acceptance. You acknowledge and agree that American Express shall have no responsibility or liability with regard to PayPal’s obligations to you under this Agreement.
5.6 Card Present, Unattended Terminals and Payment Kiosks
You shall not accept American Express cards for any payment under this Agreement when the card is either (i) presented at a physical point of the purchase or transaction; (ii) used at unattended establishments (e.g., customer activated terminals) or (iii) presented at a payment kiosk. In addition, you shall be prohibited from providing or making available to any American Express cardmember that comes to its physical location, a computer or an online interface that will enable the American Express cardmember to access their PayPal Account.
6. Terms of use for specific functionalities relating to Cards
6.1 Fraud Protection Tools
The terms in Schedule 2 apply to your use of the Fraud Protection Tools.
6.2 Account Updater Service
6.2.1 Description. Subject to the terms of this section 6.2, PayPal may make the Account Updater Service available to you, for which PayPal will send the applicable Card Data of eligible Cards to one or more third party sources (including, but not limited, to the Card Associations), and use information available to PayPal, to check and update the applicable Card Data. Following these checks, the applicable updated Card Data relating to your customers, if any, is processed and stored by PayPal at your direction and on your behalf to enable you to accept Recurring Billing, Recurring Payments, or other eligible transactions using the Products from its customers with the applicable updated Card Data. If the Account Updater Service is made available to you, PayPal will either provide you with email notification that the Account Updater Service has been activated on your account(s) or allow you to enable the Account Updater Service on your account(s) through your PayPal account settings. You may elect to discontinue use of the Account Updater Service at any time by providing written notice to PayPal of such election or by such other means as may be designated by PayPal.
6.2.2 Permitted Use. You acknowledge and agree that the Account Updater Service is provided solely for the purpose of updating applicable Card Data to enable your acceptance of transactions using the Products. You shall not use the Account Updater Service for any other purpose, including, without limitation, the use of any portion of the Account Updater Service data in connection with the development of any other service or product.
6.2.3 Your Obligations. You shall fully comply with applicable law and the card scheme rules in connection with its use of the Account Updater Service. Further, you shall provide your customers, whose Card(s) is/are eligible for the Account Updater Service, with all disclosures required under applicable law to enable you to use the Account Updater Service to update the customer’s Card(s). The foregoing shall include, but shall not be limited to, incorporating promptly into your standard terms and conditions, privacy policy, and/or other customer facing documentation, any language required by applicable law or the card scheme rules. You shall also provide adequate disclosures to make clear to customers that if they do not want their applicable Card Data updated, they may request you to remove their Card that is being stored by PayPal and/or terminate their Recurring Billing or Recurring Payments agreement with you.
6.2.4 Confidentiality. You agree that you shall keep all information and Card Data provided through the Account Updater Service, if any, strictly confidential. You may not disclose any such information or Card Data to any third party and you may not use such information or Card Data for any purpose other than as may be expressly permitted.
6.2.5 Indemnification. You shall indemnify PayPal against any loss arising as a result of a breach by you of your obligations under this section for use of the Account Updater Service.
6.2.6 Accuracy of Information. You acknowledge that the Account Updater Service may only be accurate to the extent a card issuing bank and a customer participate, and that many card issuing banks and customers may not participate. You acknowledge and agree that the Account Updater Service may rely upon information, Card Data, and services provided to PayPal by third parties.
6.2.7 Termination and Availability of Account Updater Service. PayPal may terminate the Account Updater Service at any time upon email notice to you. PayPal does not ensure that the Account Updater Service will be available for all Card Data.
6.3 Chargeback Protection Tool
The terms in Schedule 3 set out the eligibility and terms of use for the Chargeback Protection Tool.
Part II – Product-specific terms for the SEPA Direct Debit service
7. Use of the SEPA Direct Debit service
7.1 Use of SEPA Direct Debit service
PayPal offers services which enable Merchants to accept SEPA Direct Debit payments under SEPA Direct Debit’s consumer scheme called SDD Core and Merchant desires to use such services.
7.2 Origination of SEPA Transactions
You will transmit instructions to collect SEPA Transactions to PayPal via API calls, and such instructions to collect SEPA Transactions and calls will be aggregated into a file that will be delivered to PayPal’s processing bank (or processed directly by PayPal) (each transmission, a “File”) in accordance with the procedures and guidelines set forth by PayPal in its integration guide for the PayPal SEPA Direct Debit service (“Guide”). PayPal acts as a creditor on behalf of your customers, and PayPal’s processing bank (or PayPal itself) acts as a creditor bank with respect to SEPA Transactions. The File specification requirements in the Guide will govern if they conflict with the SDD Core Rules with respect to any File format issues. For SEPA Transactions, originated settlement debits and returns will be reported to you via PayPal’s information reporting on the same business day that PayPal receives the settlement debit or return. The Guide will govern if such timing conflicts with the SDD Core Rules.
7.3 Guide
You must comply with the Guide. The Guide can be amended at any time by PayPal by providing 30 days’ notice.
7.4 Maintaining a business account
You shall maintain one or more business account(s) at PayPal, which PayPal may use to process such SEPA Transactions, including the debiting and crediting of funds in connection with the settlement of such SEPA Transactions and collecting related fees.
7.5 Merchant Responsibilities for the SEPA Direct Debit service
7.5.1 Merchant shall (i) comply with the SDD Core Rules and applicable law when submitting instructions relating to SEPA Transactions to PayPal; (ii) maintain Merchant’s business account(s) in good standing; and (iii) complete PayPal’s appropriate set-up process for the SEPA Direct Debit service, including executing any additional documentation (including supplementing agreements or implementation forms relating to the SEPA Direct Debit service). Merchant may not use the SEPA Direct Debit service for any illegal transaction or activity, including under the regulations and laws of the receiver of Merchant’s transaction. Merchant also will comply with the requirements for using the SEPA Direct Debit service set forth in the Guide.
7.5.2 Merchant agrees to cooperate with PayPal to facilitate PayPal’s adherence to guidance provided by any body having jurisdiction over it or over SDD Core, including guidance concerning risk management of the SEPA Direct Debit service.
7.6 Preparation Of SEPA Transactions And Files; Processing Schedules
7.6.1 Merchant shall give instructions to collect SEPA Transactions in accordance with the SDD Core Rules and any applicable PayPal policies and procedures, including the requirements set forth in the Guide.
7.6.2 PayPal shall process SEPA Transactions in accordance with PayPal’s schedule for processing and delivery cut-off times set forth in the Guide for the SEPA Direct Debit service.
7.6.3 The parties agree that PayPal may update and revise these File delivery cut-off times by delivering notices to the Merchant or updating the sections of the Guide which set forth amended/revised cut-off items for the SEPA Direct Debit service.
7.7 Security Procedures; Authorized Persons; Other Instructions or Notices
7.7.1 Before using the SEPA Direct Debit service, Merchant will provide PayPal with a written list, using a form acceptable to PayPal, of persons authorized by Merchant ("Authorized Persons") to verify the authenticity of instructions relating to SEPA Transactions (including relating to any R-transactions) in accordance with the applicable security procedure and to perform certain other duties in connection with the SEPA Direct Debit service. Merchant shall update such list from time to time as necessary to reflect any changes in the Authorized Persons. PayPal may rely on information and instructions from any person identifying himself or herself by a name which is included on such list.
7.7.2 Merchant agrees to use the applicable security procedure, if any, when Merchant delivers instructions relating to SEPA Transactions (including relating to any R-transactions) to PayPal. The purpose of the security procedure is to verify the authenticity of instructions relating to SEPA Transactions (including relating to any R-transactions) delivered in the name of Merchant to PayPal and not to detect errors in the transmission or content of any instructions relating to SEPA Transactions (including relating to any R-transactions). Each time Merchant uses the SEPA Direct Debit service, Merchant agrees, and acknowledges to PayPal, that, in view of Merchant's requirements, Merchant has determined that the applicable security procedure is a satisfactory method of verifying the authenticity of instructions relating to SEPA Transactions (including relating to any R-transactions). Merchant agrees that PayPal may act upon any instructions, the authenticity of which has been verified by PayPal through the use of the applicable security procedure.
7.7.3 Merchant shall have sole responsibility for its custody, control and use of all materials. Merchant agrees that no individual will be allowed to initiate a request or other instruction contemplated in the Agreement or to have access to any materials without proper supervision and strict security controls. PayPal will be fully protected in relying on the correct user identification codes and passwords of Merchant, as described in the Guide and this Agreement.
7.7.4 Except as otherwise expressly stated in the Agreement, PayPal is not required to act on any instruction from any person or to give notices to any person.
7.7.5 Absent circumstances necessitating an immediate or expedited material change to an applicable security procedure as determined by PayPal in its sole reasonable discretion, PayPal will provide Merchant with prior written notice of any material change to an applicable security procedure.
7.8 Oral Instructions
Merchant acknowledges and agrees that PayPal may rely on oral instructions from any authorized person.
7.9 Inconsistency Of Name
Merchant acknowledges that PayPal shall not have any duty to determine whether instructions relating to a SEPA Transaction (including relating to any R-transactions) contain a name which is consistent with the relevant IBAN or other identifying number and PayPal shall be entitled to process such transactions on the basis of the IBAN or other identifying number alone.
7.10 Merchant’s Payment Obligations
7.10.1 Payment Generally. Merchant shall maintain collected and available funds in each business account sufficient to cover any returned, correcting, or reversing SEPA Transactions. PayPal will debit a business account for any returned, correcting or reversing entry relating to SEPA Transactions originated by Merchant. In the event there are insufficient funds in the business account for the correcting, reversing or returned entry, Merchant will promptly transfer in immediately an amount sufficient to cover such entry upon demand by PayPal.
7.10.2 Reimbursement of PayPal. Merchant agrees to reimburse PayPal for any returns or reversals that PayPal pays in relation to payments that Merchant has received in their business accounts, regardless of whether Merchant retained the funds received and to which the return or reversal relates. PayPal may debit the related business account to carry out Merchant’s obligation to reimburse PayPal for returns and reversals.
7.11 Own Funds Available In Expense Reserve.
Merchant agrees to retain in Merchant’s business account an amount that does not consist of participant funds and which equals the average amount payable monthly for chargebacks, reversals, fees to PayPal, and other expenses that you incur in respect of Card Transactions and SEPA Transactions. This amount is termed the “Expense Reserve”, and PayPal may restrict your ability to withdraw and pay out the Expense Reserve in order to retain it on hand to cover your expenses. You agree to add funds that are not participant funds to Merchant’s business account, if the amount of the Expense Reserve should at any time fall below 10% of the average amount payable monthly for chargebacks, reversals, fees to PayPal, and other expenses in respect of both Card Transactions and SEPA Transactions.
7.12 Pre-Notification Email
Merchant must ensure that it sends a pre-notification to its users of the SEPA Direct Debit service of the time in which it will collect funds from the users’ bank account with each and every invoice it sends, in accordance with SDD Core Rules. If the Merchant does not send an invoice, it will in any event send the pre-notification in an email. Such messaging must state: “We will debit your bank account within 1-2 business days. Please ensure you have sufficient funding to prevent failed returns and processing fees”.
7.13 Effect Of Termination
For avoidance of doubt, termination of the Agreement shall not affect a Party’s respective rights, obligations and remedies under the Agreement as to SEPA Transactions submitted by Merchant before the date of termination, nor shall it affect PayPal’s right to collect fees for any SEPA Transaction, fees for any R-transactions or Merchant’s liability for unauthorized transactions, each of which shall survive termination.
7.14 Rejected Transactions
7.14.1 PayPal may reject an entry if PayPal, in its reasonable discretion, believes the entry may violate any applicable law, SDD Core Rules or any international payment rules (if applicable) or the entry does not comply with the requirements set out under this Agreement or any applicable PayPal policies and procedures. PayPal may also reject any entry if it may be returned for any reason under the SDD Core Rules or if Merchant breaches its payment obligations for any PayPal service.
7.14.2 If PayPal rejects an entry, PayPal will notify Merchant by electronic means, which will include a description of the specific defect. Notices of rejection shall be effective when given to Merchant regardless of time of receipt by Merchant. PayPal will have no liability to Merchant for the rejection of any entry as permitted under the Agreement, and PayPal will have no obligation to pay interest for the period before Merchant receives the notice of rejection.
7.14.3 If an entry is rejected for any reason, it is Merchant’s sole responsibility to correct the entry intended for resubmittal. Notwithstanding the foregoing, Merchant may request that PayPal repair a rejected entry provided Merchant pays all reasonable charges and expenses PayPal incurs in connection with any repairs.
7.15 Cancellation, Amendment, Reversal
Merchant shall not cancel, amend or reverse an entry after its receipt by PayPal. PayPal has no obligation to cancel, amend or reverse SEPA Transactions after PayPal accepts them. If Merchant submits a reversal/deletion request for an entry, and PayPal can verify the authenticity of the reversal/deletion request, PayPal will make commercially reasonable efforts to act on such request. PayPal has no liability if such reversal/deletion request is not implemented (for example, but not limited to, if it is returned for non-sufficient funds). Merchant agrees to indemnify PayPal with respect to cancellations and reversals as set forth in the Agreement. In addition to its responsibility thereunder and without limiting Merchant’s indemnity obligation thereunder, Merchant shall be responsible to PayPal for any actual losses or expenses directly incurred by PayPal as a result of Merchant’s request that PayPal cancels or amends SEPA Transactions or PayPal’s attempted cancellation or amendment of SEPA Transactions as requested by Merchant, but Merchant shall not be liable to PayPal for any indirect or consequential damages arising in connection with PayPal’s attempted cancellation or amendment of SEPA Transactions, including without limitation loss by PayPal of business, profits, revenue, goodwill or anticipated savings. Merchant’s obligations under this section 7.15 shall survive termination of the Merchant’s use of the SEPA Direct Debit service.
7.16 Returned Transactions
PayPal will have no obligation to re-transmit a returned entry through the SEPA Direct Debit service, or to take any further action with respect to a returned entry, unless Merchant uses the optional service to request a re-transmission of a returned entry resulting from non-sufficient funds.
7.17 Reject, Return, Refund (Invalid Mandate/Unauthorised Transaction)
Merchant acknowledges that SDD Core Rules allow a SEPA debit entry to be refunded within 13 months after initiation for what are termed Reject, Refusal, Reversal, Return, Refund and Revocation purposes. Merchant agrees that it shall be responsible for all such rejects, refusals, reversals, returns, revocations and refunds, and PayPal shall have the right to be reimbursed by the Merchant for any and all such instances.
7.18 Merchant’s Additional Responsibilities
As between the Parties, Merchant shall be solely responsible for the accuracy of any information that it transmits to PayPal and agrees that PayPal shall not be responsible for the accuracy or ownership of any information set forth in any payment instruction or entry. PayPal will initiate delivery of the funds to the recipient in accordance with the information contained in the payment instruction or entry, regardless of whether such information is correct or incorrect and without any obligation to validate such information. In no event shall PayPal be liable for payments made in accordance with the information provided by Merchant or contained in the SEPA Transactions. If the funds transmitted are misdirected or lost because the information (including bank account number, PayPal user ID or email address or mobile phone number) provided by Merchant to PayPal is incomplete or inaccurate as it relates to the intended recipient, as between the parties, Merchant shall be responsible for reimbursing the amount of the misdirected or lost payment to the Recipient or payor as applicable.
7.19 PayPal Responsibility
7.19.1 Subject to the terms and conditions of this Agreement and the User Agreement, PayPal will exercise reasonable care to process the SEPA Transactions sent to it by the Merchant in accordance with this Agreement and the standards and timeframes described in the Guide.
7.19.2 Subject to PayPal's right to reject or return SEPA Transactions under this Agreement, PayPal will process SEPA Transactions received from Merchant and send SEPA Transactions to the SEPA processor selected by PayPal or directly to another bank or processor for settlement on the effective entry date shown in the related SEPA Transactions. SEPA Transactions received by PayPal after the applicable processing deadline on a business day may be treated by PayPal as received on the next business day. SEPA Transactions will be deemed received by PayPal when PayPal receives the complete file or entry at the location specified in the Guide.
7.20 No Seller Protection
SEPA Transactions made under the SEPA Direct Debit service are excluded from PayPal’s Seller Protection program.
7.21 Customer Disputes
Customer disputes associated with transactions made under the SEPA Direct Debit service will be handled directly by the Merchant, without PayPal’s intervention. PayPal will not be liable vis-a-vis Merchant’s customers with regard to any disputes.
Part III – General Terms applicable to all Online Payment Services
8. Fees
8.1 How fees are paid
8.1.1 You agree to pay the fees in this Agreement as they become due without set-off or deduction. Unless otherwise stated in this Agreement, you authorise us to deduct our fees from the amounts we transfer but before those funds are credited to your Account.
8.1.2 Except as further provided in this Agreement, you agree to pay the fees set out in the User Agreement.
8.1.3 Unless otherwise stated in this Agreement, fees will be charged in the currency of the payment received.
8.2 Transaction Fees for Standard PayPal Payments
The Fees for receiving Domestic Transactions (Selling) as outlined in the User Agreement apply to each domestic Standard PayPal Payment you receive.
8.3 Transaction Fees for Receiving Card Payments
The fees called out in the User Agreement for receiving payments in your PayPal account apply to each payment you receive from a card using the Online Card Payment Services. If you opt to be charged under the Interchange Plus Fee Structure, you will be charged the fees called out in the User Agreement for receiving payments in your PayPal account plus the Interchange Fee. For Advanced Credit and Debit Card Payments users only: you may opt to be charged under the Interchange Plus Fee Structure. Please contact us for further information. If you opt to be charged under the Interchange Plus Plus Fee Structure, the additional terms outlined in section 3.2 above will apply.
8.4 Additional Transaction Fees
The fee for Receiving Cross Border payments (Selling) applies as outlined in the User Agreement, except that it does not apply to payments received from cards using the Online Card Payment Services under the Interchange Plus or Interchange Plus Plus Fee Structure.
8.5 Transaction Fees for the SEPA Direct Debit service
The fees for accepting SEPA Direct Debit payments apply as referred to in the User Agreement. You authorise us to (and we may) collect fees first from any available balance in your business account and then also from the funding source(s) registered for your business account, and you authorise us to (and we may) collect fees for receiving payments from the payments you receive before those funds are credited to your business account. If we are unable to collect a past due fee from your business account and its funding source(s), we may take action against you as provided in the User Agreement for unpaid fees. Separate amounts may be charged from time to time by third parties (including the debtor’s bank), for example in the event of rejected or refunded transactions. Any such amounts shall be passed on to you by PayPal.
8.6 Monthly Reports on Transaction Costs
PayPal shall make available monthly reports on transaction costs (inclusive of interchange fees) for Card Transactions and SEPA Transactions which you process with the Products. These reports will be downloadable from your PayPal account. The reports do not include any Standard PayPal Payments.
9. Data Security and Data Protection
9.1 Compliance with Data Security Schedule
You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement.
9.2 Data Usage
Unless you receive and record the express consent of your customer, you may not retain, track, monitor or store any Data.
9.3 Compliance with Data Protection Addendum
You (as a “Merchant”) and we agree to comply with the data protection addendum found here, which forms part of this Agreement. The terms of the data protection addendum prevail over any conflicting terms in this Agreement relating to data protection and privacy.
10. Intellectual property and ID codes
10.1 Licence
PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicensable, limited licence to (a) use your Product in accordance with the documentation provided on the PayPal Website; and to (b) use the documentation provided by PayPal for your Product and reproduce it for internal use only within your business. Your Product as licensed is subject to change and will evolve along with the rest of the PayPal system; see section 13.1. You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Product issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and card scheme rules and regulations).
10.2 ID codes
PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of the codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
10.3 Ownership of PayPal Website Payments Pro and Advanced Credit and Debit Card Payments information and materials
As part of your access to, and use of PayPal Website Payments Pro and/or Advanced Credit and Debit Card Payments, you will be provided with certain information and materials (the “Pro Materials”) for your use with the Products. All intellectual property rights associated with the Pro Materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). You agree to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.
10.4 PayPal Hosted Integrations and your intellectual property
You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Products (“Your Marks”) for the sole purpose of enabling your use of the Products (including, without limitation, the customisation of your hosted Product). Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you shall indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Products.
11. Terms of use for specific functionalities
11.1 Vaulting Tool
11.2 If you use the Vaulting Tool, before collecting your customers' Data, you will:
11.3 notify your customers that:
11.3.1 the information collected will be saved and retrievable by you for future payments from the customer including, potentially, “buyer not present” payments;
11.3.2 the customer can update the information; and
11.3.3 the customer can revoke the consent.
11.4 obtain your customers' consent to collect and use that information on the above basis; and
11.5 ensure that when your customers give the above consent and opt into the feature they do so by taking a deliberate and recorded action, e.g. clicking an optional button, or checking a default-unchecked box.
12. Termination and suspension
12.1 By you
You may terminate this Agreement by giving 30 days’ prior notice to PayPal Customer Service of your intent to either:
12.1.1 terminate this Agreement only. PayPal Customer Service will confirm termination via email. This option lets you stop using your Products and paying for them, but your PayPal Account remains open and its User Agreement remains in effect; or
12.1.2 close the PayPal Account that you use with your Products (see the User Agreement for more information). This option terminates this Agreement, letting you stop using your Products and paying for them, and initiates the closure process for your PayPal Account. Your PayPal Account remains open and its User Agreement remains in effect until the closure of the PayPal Account takes effect, subject further to the provisions relating to closing your PayPal Account in the User Agreement.
If you use Advanced Credit and Debit Card Payments only, you may give PayPal Customer Service immediate notice to terminate this Agreement or close the PayPal Account that you use with Advanced Credit and Debit Card Payments as outlined in sections 12.1.1 and 12.1.2 above.
You may stop using Advanced Credit and Debit Card Payments at any time by giving prior notice to PayPal Customer Service of your intent to stop using Advanced Credit and Debit Card Payments only. PayPal Customer Service will confirm the stoppage for you via email. This option lets you stop using Advanced Credit and Debit Card Payments and paying for any future transactions, but your PayPal Account remains open and this Agreement and the User Agreement remain in effect. You may start using Advanced Credit and Debit Card Payments again at any time subject to the terms of this Agreement as amended.
You may stop your acceptance of American Express card payments using the Products at any time by giving prior notice to PayPal Customer Service.
Visit our PayPal Help Centre page accessible from your User Agreement and most PayPal web pages to find out how to contact us so that you can take the above actions.
12.2 By PayPal
PayPal may terminate this Agreement or any Product-specific part of it by doing any of the following:
12.2.1 Giving you 2 months’ prior notice by email to you at your registered email address associated with your Account of PayPal’s intent to terminate this Agreement or the Product-specific part of it. Unless otherwise notified, terminating this Agreement does not affect your User Agreement and your PayPal Account remains open.
12.2.2 Terminating the User Agreement that applies to the PayPal Account used with your Product. Your PayPal Account remains open and its User Agreement remains in effect until the closure of the PayPal Account takes effect, subject further to the provisions relating to closing your PayPal Account in the User Agreement.
12.3 By events
PayPal may terminate this Agreement immediately without notice if you:
12.3.1 Breach this Agreement or the User Agreement;
12.3.2 Become unable to pay or perform your obligations as they fall due;
12.3.3 Become unable to pay your debts (within the meaning of section 123 of the Insolvency Act 1986), admit your inability to pay your debts or otherwise become insolvent;
12.3.4 Have any distraint, execution, attachment or similar action taken, levied or enforced against you or your assets, or if any garnishee order is issued or served on you;
12.3.5 Become the subject of any petition presented, order made or resolution passed for the liquidation, administration, bankruptcy or dissolution of all or a substantial part of your business, except where solvent amalgamation or reorganisation is proposed on terms previously approved by PayPal;
12.3.6 Lose full and unrestricted control over all or part of your assets because of the appointment of a receiver, manager, trustee, liquidator or similar officer;
12.3.7 Enter into or propose any composition or arrangement concerning your debts with your creditors (or any class of your creditors);
12.3.8 Experience a material adverse change in your business, operations, or financial condition; or
12.3.9 Provide inaccurate information in applying for your Product or in your dealings with us.
12.4 Effect of termination
When this Agreement or any part of it terminates, you must immediately stop using the terminated Products, and PayPal may prevent or hinder you from using them after termination. If you nevertheless use a Product after termination of this Agreement, then this Agreement will continue to apply to your use of that Product until you give effect to the termination by stopping your use of that Product. The following sections in this Agreement shall survive termination of this Agreement and continue in full force and effect: sections 7.13, 7.15, 8, 9.1, 12.2, 12.4. Termination of this Agreement or any part of it shall not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee applicable to any period prior to termination.
12.5 Breach and suspension
If you breach this Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Product (in other words, we may render your Product temporarily inoperable). PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Agreement or PCI DSS, PayPal may suspend your use of your Product pending further investigation.
If PayPal suspends your access to or use of PayPal Website Payments Pro, Advanced Credit and Debit Card Payments or the SEPA Direct Debit service, PayPal will notify you and explain the basis of PayPal’s actions in suspending your use of your Product, and may specify corrective actions to cure the breach and have the suspension lifted. PayPal’s suspension of your access or use of PayPal Website Payments Pro, Advanced Credit and Debit Card Payments or the SEPA Direct Debit service will remain in effect until such time as PayPal is satisfied that you have remedied the applicable breach(es).
13. Miscellaneous
13.1 Future of the Products
PayPal retains sole and absolute discretion in determining (a) the future course and development of the Products, (b) which improvements to make in them and when, and (c) whether and when defects are to be corrected and new features introduced. PayPal welcomes feedback from users in planning the future of the Products but is not required to act in accordance with any feedback received. In giving us feedback, you agree to claim no intellectual property interest in your feedback.
13.2 No warranty
Your Product and all accompanying documentation are provided to you on an “as is” basis.
PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to:
- your Product;
- the licensed software; and
- user documentation provided.
Nothing provided by PayPal under this Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty. No obligation or liability will arise out of PayPal’s rendering of:
- technical advice;
- programming advice; or
- other advice or service,
in connection with any Product, licensed software and user documentation provided. This includes, among other matters, services that may assist you with the customisation of your Product.
PayPal recommends that you test the implementation of your Product thoroughly as PayPal is not responsible for any loss caused by a defect in it.
If PayPal hosts your Product (in other words, we run the software for you as a web service), PayPal does not guarantee continuous, uninterrupted or secure access to your hosted Product.
PayPal will not be liable for any delay or failure in hosting your Product.
You acknowledge the availability of your Product for use may be occasionally limited to allow for repairs, maintenance or the introduction of new facilities or services.
Some countries do not allow the disclaimer of implied warranties, so the foregoing disclaimers might not apply to you.
13.3 Indemnity
You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable attorneys’ fees) incurred in relation to any third party (including a Shared Customer) and arising out of your breach of this Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy) and the Guide, or the violation of any law.
13.4 Assignment, amendment and waiver
You may not assign this Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this Agreement without your consent by notifying you. Neither party may amend this Agreement or waive any rights under it except in a written document signed by both parties.
13.5 English law and jurisdiction
This Agreement is governed by the laws of England and Wales. You and we submit to the non-exclusive jurisdiction of the courts of England and Wales.
14. Definitions
Capitalised terms not listed in this section are defined in the User Agreement.
“3D Secure” means a security procedure that enables a card-issuing bank to authenticate the cardholder authorising a Card Transaction at the time a payment is made. 3D Secure has other brand names depending on the Card Association whose branding appears on the card; brand names for 3D Secure include Verified by Visa and MasterCard SecureCode.
“Account Updater Service” means a functionality as further defined in section 6.2.
“Acquiring Institution” means a financial institution or bank that provides services to you and PayPal to enable you to (a) accept payment by cardholders using cards; and (b) receive value in respect of Card Transactions.
“Activation Date” means the date on which you complete all of the steps for “Getting started” as listed in section 2 above.
“Advanced Credit and Debit Card Payments” means the suite of functionality consisting of the Advanced Credit and Debit Card Payments API (as the standard online interface) and Fraud Protection Tools (as optional additional services). This suite of functionality may also include optional add-on features (e.g., integration of eligible third-party wallets) that require your acceptance of additional third-party terms before such add-on features may be used. We may also choose to offer you other PayPal Online Card Payment Services functionality as part of the Advanced Credit and Debit Card Payments suite of functionality.
“Advanced Credit and Debit Card Payments API” means an Online Card Payment Service as further defined in the About this Agreement section.
“Advanced Fraud Management Filters” means a technology provided by PayPal to enable you to check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns. See the PayPal Website and product documentation for further information. Advanced Fraud Management Filters offer a greater level of transaction screening, and transactions can be automatically flagged, reviewed or declined based on how you configure the filters.
“Authorized Persons” shall have the meaning given to it in section 7.7.1.
“AVS Data” means information returned by the Address Verification System operated by or on behalf of Card Associations, which compares address data provided by an apparent cardholder with address data on file for the card at the card issuer.
“Card Association” means a company or consortium of financial institutions which promulgates rules to govern Card Transactions that involve the card that carries the company’s or the consortium’s brand. Examples include Visa USA, Visa Europe, and the other Visa regions; Mastercard International Incorporated; American Express Company and similar organisations.
“Card Data” means all personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally), together with the cardholder’s name and address and any other information necessary for processing a Card Transaction.
“Card Transaction” means a payment made using a credit or debit card, an American Express card, or any other payment method using a physical data-carrying item intended to be held in the payer’s possession. The Products support only certain types of Card Transactions; see the PayPal Website for more information.
“Chargeback Protection Tool” means the optional tool that protects eligible Advanced Credit and Debit Card Payments against “unauthorized” and “item not received” chargebacks.
“Critical Systems” means the information technology (both hardware and software) that you employ to operate your Products, to protect them and your online points of sale against intrusion and interference, and to store payment-related and personal data, including any Data that you retain and all personal data about Shared Customers.
“CVV2 Data” means the three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and tie the card account number to the plastic.
“Data” means Card Data and all personal or financial information relevant to a SEPA Transaction.
“Data Breach” means an intrusion into or malfunction of a computer system in which Data are stored, and which intrusion or malfunction either (a) exposes, modifies or destroys all or part of the Data in the system, or (b) runs a significant risk, in the opinion of a qualified expert in information security, of exposing, modifying or destroying all or part of the Data in the system. Data are exposed where they are released from the normal access controls of the system without authorisation, or where they are actually disclosed to one or more unauthorised persons.
“Direct Payments API” means an Online Card Payment Service as further defined in the About this Agreement section.
“Expense Reserve” has the meaning given to it in section 7.11.
“Express Checkout” means a Functionality for expediting online retail checkout by using information provided to you by PayPal. Details about Express Checkout appear on the PayPal Website and in the documentation that PayPal provides for PayPal Website Payments Pro and Advanced Credit and Debit Card Payments.
“File” has the meaning given to it in section 7.2.
“Fraud Protection Tools” means a technology provided by PayPal to enable you to check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns, offered together with the Advanced Credit and Debit Card Payments API as an alternative to the Advanced Fraud Management Filters.
“General Data Protection Regulation” means the Regulation (EU) 2016/679 (General Data Protection Regulation) or any successor to it, together with all other laws about the privacy of citizens or residents of the member state of the European Economic Area in which you reside or are established as a business enterprise.
“Guide” has the meaning given to it in section 7.2.
“Hosting Option” means any of the following: (i) a PayPal Hosted Integration; or (ii) a Self Hosted Integration.
“Monthly Fee” means a fee payable on a monthly basis as required in section 8 above.
“Online Card Payment Services” means a functionality provided online by PayPal to enable merchants to receive payments directly from a payer’s card (without the funds passing via the payer’s PayPal Account), without the card being present at the website or other point of sale. Online Card Payment Services are integral to the Products. The Online Card Payment Services are listed and further defined in the About this Agreement section.
“Online Payment Services” means the Online Card Payment Services and the SEPA Direct Debit service.
“PayPal Hosted Integration” means PayPal’s Direct Payments API or Advanced Credit and Debit Card Payments API integrated into the payment process of your website pursuant to section 2, with that functionality being operated (including the card entry field being hosted) entirely on PayPal’s server (rather than on your website).
“PayPal Website” means the website provided by PayPal for the country in which you reside. In the case of the UK, the PayPal Website is currently at http://www.paypal.co.uk. References to PayPal Websites for other countries can be found via a link from any other PayPal Website.
“PCI DSS” means the Payment Card Industry Data Security Standard, which consists of specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org/.
“Product” or “Your Product” means whichever one of the Products you access and use after accepting this Agreement. The Products are listed and further defined in the About this Agreement section.
“Qualified Security Assessor” has the meaning given it in PCI DSS.
“Recurring Payments Tool” means a technology provided by PayPal for setting up payments that recur at specified intervals or frequencies with authorisation from the payer. See the PayPal Website and product documentation for further information.
“R-transaction” shall have the meaning given to it in the SDD Core Rules.
“SDD Core” means SEPA Direct Debit’s consumer scheme.
“SDD Core Rules” means the SEPA Direct Debit Core Scheme Rulebook (as amended from time to time).
“Self Hosted Integration” means PayPal’s Direct Payments API or Advanced Credit and Debit Card Payments API integrated into the payment process of your website pursuant to section 2, with that functionality being operated (including the card entry field being hosted) at least in part on your website.
“SEPA Direct Debit” means a service which enables you to accept SEPA Transactions under SDD Core.
“SEPA Transactions” means SEPA Direct Debit payments.
“Shared Customer” means a person who has a PayPal Account and is also your customer.
“Standard PayPal Payments” means all Payments which you receive from another PayPal account or payments via PayPal’s Account Optional Service or from Local Payment Methods.
“User Agreement” means the contract entered into online as part of the online registration process required to open a PayPal Account. The current User Agreement is to be found via a link from the footer of nearly every page on the PayPal Website. It includes certain policies, notably the Acceptable Use Policy, which are also listed on the PayPal Website.
“Vaulting Tool” means an API-based technology provided by PayPal to enable you to store and retrieve card details for payments that recur at specified intervals or frequencies with authorisation from the payer. See the PayPal Website and product documentation for further information.
“Virtual Terminal” means a functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given you by the cardholder. Virtual Terminal is one of the Online Card Payment Services and also a standalone Product as further defined in the About this Agreement section.
“Website Payments Pro” means a Product as further defined in the About this Agreement section.
Schedule 1
Data Security Requirements
The General Data Protection Regulation requires you to keep a Shared Customer’s personal data secure.
Website Payments Pro, Advanced Credit and Debit Card Payments and Virtual Terminal enable you to accept payments online directly from debit and credit cards, which are payment instruments whose security depends on controlling the disclosure of Card Data. A person who has sufficient Card Data can send or receive a card payment charged to the cardholder’s account without necessarily having the cardholder’s authorisation for the payment. To prevent your Shared Customers from having their Card Data misused, you must keep Card Data secret at all times.
PayPal strongly recommends that you obtain the services of a competent professional expert in information security to advise you and assist in securing your website and any other points of sale.
Principles of Data Security
- Design and development
You must design and develop your Critical Systems and all payment-related processes so that they are secure from intrusion and interference by unauthorised persons. All users of your systems must be required to authenticate themselves to your Critical Systems, and those Critical Systems must limit the access and powers of their users. You must also organise your business so as to segregate critical duties and create controls and checkpoints in your operations, rather than place too much unchecked power over your systems and operations in one person. Never give a user more power over your systems and processes than the minimum necessary for the user to perform his or her assigned role.
- Protection against intrusion
You must divide your operations into two basic categories, (1) those functions available to all users including those outside your organisation, and (2) those available only to trusted people within your organisation. You must employ a firewall to block untrusted users from using the internal-only functions of your Critical Systems. Your web servers and other external-facing portions of your Critical Systems must use well developed and thoroughly tested technology, and make available externally only those functions which are necessary for Shared Customers and other external users to use. Strip your external-facing servers of all superfluous functions to protect (harden) them and reduce their vulnerability to external attack.
- Access controls
Your Critical Systems must restrict access to Data and all other personal or important data to only trusted persons within your organisation, and no such person should have greater access to such data than is necessary for that person to perform his or her role. Your systems must track and log all access, use, modification and deletion of Data and other personal or important data so that you maintain an audit trail of all such actions. You must also limit access to your Critical Systems and the resources on which they depend such as networks, firewalls, and databases.
- Data minimization
As a general principle, you should gather and retain no more Data or other sensitive data than you need. Holding Data and personal data creates a risk of liability to you, and you can reduce that risk by taking and holding less data. If you store Card Data, consider carefully the need to do so: PayPal must refund a payment which lacks its payer’s authorisation, and if the user will authorise a further payment, the user will generally also give you up-to-date Card Data again, so you may have little need to store Card Data for future use. Data that you do not have is data that you cannot spill if you suffer a Data Breach.
- Changes and testing
Except in emergencies, avoid changing Critical Systems without first planning, testing, and documenting the change, unless the change is routine (e.g. adding a user, changing a password, updating inventory and prices). For major systemic changes or those which can impact the security or availability of your Critical Systems, planned changes should be escalated for approval by high-ranking managers other than the planners of those changes. Implement planned changes in your production systems only after they have been thoroughly tested in a non-production environment. Conduct all such testing under the supervision of your risk management department or others in your company with particular responsibility for its losses.
- Audits
You must audit the operations and security of your Critical Systems at least once a year. This systems audit must be distinct from any audit of your finances. Use trusted and independent experts to audit your Critical Systems, and if you use your employees as auditors, ensure their independence by protecting their employment from retaliation and by isolating them from the work of administering, operating, changing and testing your Critical Systems.
- Outsourcing and organisational control
You must ensure that all persons who have access to your Critical Systems, or who design, develop, operate, maintain, change, test and audit your Critical Systems comply with this Agreement and PCI DSS. You are responsible to ensure compliance even if such persons are not your employees.
What to do in case of a Data Breach
- Data Breach
If you experience a Data Breach, you agree to do all of the following:
- (a) Take whatever action you can to stop the Data Breach and mitigate its consequences immediately after discovering the Data Breach.
- (b) Notify PayPal as soon as possible after discovering the Data Breach by contacting your account manager (if one is assigned to you) or contacting our Customer Service (details of how to contact us are on the “Contact Us” page). If you cannot simultaneously do (a) and notify PayPal, then do (a) first and then notify PayPal.
- (c) Notify all Shared Customers whose Data has been exposed or which is likely to have been exposed, so that those Shared Customers can take steps to prevent misuse of the Data. You further agree to complete this notification immediately after you perform (a) and (b) above, to notify PayPal when you have completed this notification, and to provide a list of Shared Customers whom you have notified. If you fail to complete this step promptly after the Data Breach, PayPal may notify Shared Customers of the Data Breach, and will identify the Shared Customers from your PayPal Account records of who has paid you.
- (d) If requested by PayPal, have an independent third party auditor, approved by PayPal, conduct a security audit of your Critical Systems and issue a report. You agree to comply with PayPal’s request under this section at your own expense. You must provide a copy of the auditor’s report to PayPal, and PayPal may provide copies of it to the banks (including, without limitation, Acquiring Institutions) and Card Associations involved in processing card transactions for PayPal. If you do not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at your expense. See also Schedule 1 on Audit.
- (e) Cooperate with PayPal and follow all reasonable instructions from PayPal to avoid or mitigate consequences of the Data Breach, to improve your Critical Systems so that they satisfy the requirements of this Agreement, and to help prevent future Data Breaches. However, PayPal shall not require you to do more than this Agreement requires, unless the additional measures are reasonable in light of the risk to Shared Customers and the best practices of online retailing.
- (f) Resume normal operation of your Critical Systems only when you have ascertained how the Data Breach occurred and taken all reasonable steps to eliminate the vulnerabilities that made the Data Breach possible or which could make other Data Breaches possible.
- (g) Report the Data Breach to law enforcement authorities, cooperate in any investigation that they undertake, and cooperate as the authorities may request in order to identify and apprehend the perpetrator of the Data Breach.
- (h) Refrain from using Data that have been exposed or modified in the Data Breach. However, this section does not prevent you from obtaining and using Data again from Shared Customers affected by the Data Breach, after the vulnerabilities in your Critical Systems have been remedied pursuant to (f) above.
Data Protection
- See sections 4 and 9 of this Agreement for Data Protection terms.
- Intentionally left blank.
Card Data and PCI DSS
- Retention of Card Data
You must completely and securely destroy all Card Data that you retain or hold within 24 hours after you receive an authorisation decision from the issuer relevant to that Card Data.
If, with the cardholder’s consent, you briefly retain Card Data, you may do so only to the extent that the Card Data are necessary for processing payment transactions with the cardholder’s authorisation. You must never give or disclose the retained Card Data to anyone, not even as part of the sale of your business. Moreover, and regardless of anything to the contrary, you must never retain or disclose the card verification and identification data printed in the signature stripe on the back of the card (i.e. the CVV2 Data), not even with the cardholder’s consent.
- Card Data that you must not store
Notwithstanding the immediately preceding section, you agree to not store any personal identification number (PIN) data, AVS Data, CVV2 Data, or data obtained from the magnetic stripe or other digital storage facility on the card (unless that data is also printed or embossed on the front of the card) of any cardholder. Card associations may impose fines if you violate this section, which reflects card association rules. In this section, ‘store’ means retain in any form, whether digital, electronic, paper-based, or otherwise, but does not include temporary capture and holding of data while it is actively being processed (but not afterwards).
- Merchant’s use of Card Data
You agree not to use or disclose Card Data except for the purposes of obtaining authorisation from the card issuer, completing and settling the Card Transaction for which the Card Data was given to you, together with resolving any Chargeback or Reversal Dispute, or similar issues involving Card Transactions. PayPal is required by banking laws to refund payments lacking the payer’s authorisation, so your use of Card Data to carry out a Card Transaction must be authorised by the cardholder or it will be subject to Reversal.
- Secure storage and disposal of Card Data
You agree to:
- establish and maintain sufficient controls for limiting access to all records containing Card Data;
- not sell or disclose to a third party any Card Data or any information obtained in connection with a Card Transaction;
- keep no Card Data on paper or in portable digital storage devices such as USB memory devices or removable disks;
- not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request; and
- destroy Card Data either by destroying the medium on which the Card Data are stored or by erasing or rendering the Card Data completely and irreversibly unintelligible and meaningless.
If you transfer your business, Card Data and any information you have about Card Transactions is not transferable under Card Association rules as an asset of the business. In such cases, you agree to provide the Card Data and any transactional data to PayPal if it requests. If PayPal does not request such data, you must destroy it when your business transfers.
- PCI DSS audit
If PayPal so requests, you agree that a Qualified Security Assessor may conduct a security audit of your systems, controls and facilities and issue a report to PayPal and the Associations. You agree to cooperate fully in the conduct of this audit, and to provide any information and access to your systems required by the auditor for the performance of the audit. You also agree to bear the reasonable expenses of this audit. If you fail to initiate such an audit after PayPal requests you to do so, you authorise PayPal to take such action at the Merchant’s expense, or PayPal may immediately suspend your use of your Product. You will receive a copy of the audit report, and PayPal must also receive a copy and provide a copy to any Acquiring Institution or Card Association that requests a copy.
Schedule 2
Terms of use of Fraud Protection Tools (“Fraud Tools”)
- How the Fraud Tools work
The Fraud Tools are made available to you as fraudulent transaction management tools to help you screen potentially fraudulent transactions based on the settings you adopt in the Fraud Tools. The tools allow you to set filter rules, i.e. to instruct us about which transactions the tool shall decline on your behalf based on abstract criteria.
We may provide suggestions or recommendations regarding what filters and settings in the Fraud Tools to use that may be appropriate for your business. These suggestions take into account your past transaction history.
It is your responsibility to set the filter rules. Please note: If you set these filter rules too restrictively, you might lose sales volume. We advise you to monitor your filter rules and settings on an ongoing basis.
- No Warranty and Limitation of Liability
We do not represent or warrant that the Fraud Tools are error-free or that they will identify all potentially fraudulent transaction activity.
We are not liable for your losses (such as loss of profits) or damages arising from or related to your use of the Fraud Tools, to the extent that applicable law allows.
The Sections “Other Legal Terms – Indemnification and Limitation of Liability – Limitation of Liability” and “Other Legal Terms – Indemnification and Limitation of Liability – No warranty”, “About your account – Closing your PayPal Account”, “Other Legal Terms – Indemnification and Limitation of Liability – Release of PayPal” of the User Agreement apply.
- Data Protection
You may only use the Fraud Tools for the purpose of your management of fraud risk and for no other purpose.
You may not share use of the Fraud Tools with any other person, nor may you disclose to any person the categories provided in the Fraud Tools or the results generated from your use of the Fraud Tools.
- Miscellaneous
Despite your settings on the Fraud Tools, we always retain the right to decline or suspend any transaction pursuant to the terms of the User Agreement.
These terms supplement the User Agreement that governs your use of our services in general. The definition of our Services in the User Agreement, when read together with these terms, includes the Fraud Tools.
We may amend, delete or add to these terms in line with the Change process set out in the User Agreement. If you do not agree with any Change, you may terminate these terms.
You may terminate these terms at any time by removing the Fraud Tools from your integration and following any other integration-related steps which we may make available to you. This lets you stop using the Fraud Tools, but otherwise your Account remains open and the User Agreement (and any other relevant agreements relating to the provision of Services to you) remains in effect.
These terms survive any termination to the extent and for so long as we require to: (i) deal with matters arising from your use of the Fraud Tools prior to termination; and/or (ii) comply with applicable laws and regulations.
Schedule 3
Terms of use of Chargeback Protection Tool
- General. To be eligible for Chargeback Protection Tool, you must have a PayPal business account in good standing, you must be approved by PayPal for such Chargeback Protection Tool, and you must:
- successfully integrate PayPal’s Advanced Credit and Debit Card Payments;
- successfully integrate the Risk Data Acquisition Service; and
- provide additional data as required by PayPal.
PayPal reserves the right to change integration requirements upon notice.
You are not permitted to enable Chargeback Protection and Fraud Protection services at the same time. If you enroll in the chargeback protection program, your access to and use of Fraud Protection Tools will be terminated, and vice-versa. Both are optional services and you are free not to use either of these services.
PayPal reserves the right, in its sole discretion, to cancel or suspend your use of Chargeback Protection Tool for any reason it deems appropriate at any time upon reasonable notice to you or immediately if reasonable notice is impracticable in order to maintain the security of PayPal’s systems and/or your account is no longer in good standing.
With Chargeback Protection Tool, we will waive our right to recover the amount of any unauthorized chargeback and “item not received” chargeback losses made on “Eligible Transactions” (as defined below) pursuant to the PayPal User Agreement (see the ‘Refunds and Reversals’ section), and we will not charge a chargeback fee pursuant to the PayPal User Agreement. This means, in the event of an Eligible Chargeback, you will keep the transaction amount, and you will not pay any chargeback fee for such transaction. However, you must respond to our requests for documentation and other information within the required timeframe when you enroll in Chargeback Protection Tool, as described below (“Chargeback Protection Tool Options” and “Establishing proof of delivery or proof of shipment”).
- “Chargeback Protection”: you are required to provide proof of shipment or proof of delivery for physical goods or services for Eligible Chargebacks in order to retain the transaction amount and avoid paying any chargeback fee for such transaction. Proof of delivery or proof of shipment shall be provided to PayPal within two days of receipt of the chargeback claim (or such longer time period as otherwise specified by PayPal).
- Eligible Chargebacks. Chargeback Protection Tool only applies to chargeback claims involving: (i) transactions not authorized by the cardholder, as determined by PayPal; and (ii) transactions where the item was not received (“Item Not Received”) by the buyer (collectively “Eligible Chargebacks”).
- Eligible Transactions. Chargeback Protection Tool only applies to Eligible Chargebacks on card transactions processed by PayPal that meet the criteria set forth below (“Eligible Transactions”):
- Card transactions processed via the Advanced Credit and Debit Card Payments checkout integration; and
- Card transactions for goods and services that are not (1) excluded under the terms of PayPal User Agreement, including but not limited to the Acceptable Use Policy (paypal.com), or (2) “Ineligible Transactions” (as defined below).
- Ineligible Transactions. Chargeback Protection Tool does not apply to chargebacks involving transactions where the item received by the buyer is not what they ordered (“Significantly Not as Described”).
Chargeback Protection Tool also does not apply to items or transactions that are ineligible for PayPal’s Seller Protection program (“Ineligible Transactions”). The list of the ineligible items or transactions for PayPal’s Seller Protection program is adopted and incorporated by reference, and can be found here.
- Establishing proof of delivery or proof of shipment. The proof of delivery and proof of shipment requirements of PayPal’s Seller Protection program apply to the Chargeback Protection Tool and are adopted and incorporated by reference. The proof of delivery and proof of shipment requirements can be found here.
- Chargeback Recovery by PayPal. If you have provided us with incorrect information (for example, with respect to your business type) during sign up for a PayPal account, we are entitled to recover all our chargeback losses from you (including for past transactions prior to us discovering that the information provided was incorrect). It is a condition of this agreement that you do not violate the PayPal User Agreement by engaging in a Restricted Activity or breaching the Acceptable Use Policy (paypal.com) or this Agreement.