Overcapture requirements (PSD2)

This information applies to Business accounts.

Historically, PayPal allowed some merchants to let users amend orders during checkout to add (or remove) services like shipping fees or taxes. While the user consented to the final amount in the merchant checkout, this consent wasn't completed in a session with PayPal.

Example:

  • Merchant sends the buyer to PayPal to authorise a transaction of 100.00 USD.
  • Consumer reviews and authorises the transaction at PayPal for 100.00 USD.
  • Consumer returns to the merchant site where the transaction amount increases to 110.00 USD due to the addition of shipping, taxes, FX conversion, etc.

PayPal obtains authorisation from each customer for the maximum transaction amount before redirecting the customer to the merchant. The transaction is declined if the merchant captures more than the authorised amount.

This impacts all global merchants (domestic and international transactions) that sell to PayPal buyers from the countries subject to PSD2 (i.e., EEA).

What is the impact?

Strong Customer Authentication (SCA) requirements, which are part of the Second Payment Services Directive (PSD2), mandate additional authentication measures and restrictions to be performed on electronic transactions involving consumers (buyers) from the PSD2 countries.

The changes are in response to the principles set by the European Banking Authority (EBA) for transactions where the final amount is unknown.

  • The final transaction amount can't be higher than the authenticated amount: “If the final amount is higher than the amount the payer was made aware of and agreed to when initiating the transaction, the payer’s PSP shall apply SCA to the final amount of the transaction or decline the transaction.”
  • The final transaction amount may be lower than the authenticated amount: “If the final amount is equal to or lower than the amount agreed in accordance with Article 75(1) of PSD2, the transaction can be executed, and there is no need to re-apply SCA, as the authentication code would still be valid in accordance with Article 5(3)(a) of the [RTS].”

What regions does this impact?

This impacts merchants globally (for domestic and international transactions) selling to buyers from the EEA (PSD2 countries).

My business is not based in the EU. Do I need to comply?

Any merchant selling to buyers from the EEA region (PSD2 countries) will be impacted. The impact is determined by the consumers' (or buyers') country and not by the merchant country.

Does this impact all my PayPal, Venmo, Braintree transactions?

The impact is only on PayPal wallet transactions, i.e., merchants integrated on PayPal Branded XO. This can be a direct PayPal integration or an integration through Braintree. There's no impact on Venmo transactions because Venmo is not offered to EU consumers. For direct card transactions (Unbranded DCC), the card issuer will automatically reject transactions above what the consumer approved during the 3DS review.

Do I need to make any integration changes?

No immediate integration change is needed as long as the merchant is redirecting the buyer back to PayPal for a re-review in the event of PayPal declining the transaction with the above-mentioned error codes.

This is going to impact my merchant significantly. Can my business be excluded?

Unfortunately, we can't exclude any merchants from this compliance change. Here, you can learn more about the second Payment Services Directive (PSD2) regulation.
