PayPal Online Card Payment Services Agreement (previously the PayPal Website Payments Pro – Hosted Solution and Virtual Terminal Agreement)
Last Update: 10 December 2021
This PayPal Online Card Payment Services Agreement (“Card Agreement”) is a contract between you (also referred to as the “Merchant”) and PayPal Australia Pty Ltd ABN 93 111 195 389, AFSL 304 962 ("PayPal", "we", "us" or "our" as the context may require). You agree that any use by you of the Services (as defined in clause 4(a)) that we offer to you will constitute your acceptance of this Card Agreement and we recommend that you store or print-off a copy of this Card Agreement.
This Card Agreement applies to your use of the following products (“Products”). To proceed with obtaining one or more of the Products below, you must read, agree with and accept the terms and conditions contained in this Card Agreement.
The Products are:
- PayPal Website Payments Pro (Hosted Solution): functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder, integrated into the payment process of your website pursuant to clause 1 of this Card Agreement, by being hosted entirely on PayPal’s server (rather than on your website).
- Advanced Credit and Debit Card Payments: a suite of functionality consisting of Advanced Credit and Debit Card Payments API as standard, and Advanced Credit and Debit Card Payments Fraud Protection, as an optional additional service. We may also offer you other PayPal Website Payments Pro functionality as part of the Advanced Credit and Debit Card Payments; and
- Virtual Terminal: functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.
Each of the Products above includes one or more of the online card payment services APIs, being:
- Direct Payments API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder.
- Advanced Credit and Debit Card Payments API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder, as an alternative to the Direct Payments API.
- Virtual Terminal - Functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.
We may make changes to this Card Agreement by giving notice of such change by posting a revised version of this Card Agreement on the PayPal website(s). You will be deemed to have accepted the change after you have received notice of it. We will give you 30 days’ notice of any change with the change taking effect once the 30 day notice period has passed. The 30 day notice period will not apply where a change relates to the addition of a new service, extra functionality to the existing Service or any other change which we believe in our reasonable opinion to neither reduce your existing rights nor increase your responsibilities. In such instances, the change will be made without notice to you and will be effective immediately upon effective date.
If you do not agree with any changes to this Card Agreement, you may terminate this Card Agreement as set out in clause 7. If you do not object to a change by closing your Account within the 30 day notice period, you will be deemed to have accepted it. While you may close your Account at any time and without charge, please note that you may still be liable to us after you terminate this Card Agreement for any liabilities you may have incurred and are responsible for prior to terminating this Card Agreement and please further note our rights under the User Agreement.
Capitalised terms are defined below. Please view, download and save this Card Agreement.
Jump to section:
1. Setting up and activating your Product
3. Information security; Data Protection; Data Portability
4. User Agreement and how our legal documents apply
5. Software licence
6. Banking terms for Card Transactions
7. Termination and suspension
8. Fraud Protection
10. Chargeback Protection
12. Schedule 1 – Data Security Requirements
13. Schedule 2 – Card Agreement
14. Schedule 3 – Fraud Protection Terms
1. Setting up and activating your Product
- Getting started. To obtain and use the relevant Product, you must carry out the following:
- complete the online application process for the relevant Product, open a PayPal Business Account (if you do not already have one), and follow our instructions set out in PayPal's online process to access and use your Product;
- integrate the relevant Product into the payment process of your website, if your Product is Website Payments Pro (Hosted Solution) or Advanced Credit and Debit Card Payments. You are not required to integrate your Product into the payment process of your website if you only access and use Virtual Terminal. PayPal is not responsible for any problems that could occur by integrating your Product into your 'live' website. You are solely responsible for choosing, setting, integrating and customising your Product and ensuring that it suits your needs.
- activate your Product by using it in a ‘live’ payment transaction for the first time.
- Parity among payment methods. In displaying payment options on your website, you must display the logos of PayPal and the Card Associations with size and prominence equal among themselves and among those of other payment methods. You must not display a preference for one payment method over another. In using PayPal’s logo and buttons, you also agree to comply with the logo usage standards located at: https://www.paypal.com/au/webapps/mpp/logos-buttons, or as updated from time to time.
- Credit report authorisation. You agree to allow PayPal to obtain from a third party your credit history and financial information about your ability to perform your obligations under this Card Agreement in the manner set out in the PayPal Privacy Statement and PayPal Collection Notice. PayPal will review your credit and other risk factors of your Account (including but not limited to, reversals and chargebacks, customer complaints, claims) on an ongoing basis. PayPal will store, use and disclose the information obtained in conformity with PayPal’s Privacy Statement.
- Cancellation. PayPal may terminate your access and/or use of any Product and / or terminate this Card Agreement at any time before the Activation Date by notifying you.
The fees which apply to the Products are set out in the Combined Financial Services Guide and Product Disclosure Statement located here: /webapps/mpp/ua/cfsgpds-full?locale.x=en_AU.
3. Information security; Data Protection; Data Portability
- Compliance with Data Security Schedule. You agree to comply with Schedule 1 below, which forms part of this Card Agreement.
- Price and currency. You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
- Compliance with Data Protection Addendum. You (as a "Merchant") and we agree to comply with the data protection addendum found here, which forms part of this Agreement. The terms of the data protection addendum prevail over any conflicting terms in this Agreement relating to data protection and privacy.
- Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws and the Privacy Act 1988 (Cth)).
4. User Agreement and how our legal documents apply
- User Agreement applies. The terms of the User Agreement apply to you and are incorporated by reference into this Card Agreement. The definition of “Services” in the User Agreement will be amended to include the applicable Product, and the definition of “Agreement” will include this Card Agreement. In case of any inconsistency between this Card Agreement and the User Agreement, this Card Agreement supersedes the User Agreement, but only to the extent of that inconsistency and in relation to the relevant Product. The User Agreement can be found via a link in the footer of nearly every PayPal web page. The User Agreement includes important provisions which:
- permit PayPal to take a reserve to secure your obligation to pay chargebacks, reversals and fees;
- obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal;
- give legal effect to PayPal’s Privacy Statement, which governs our use and disclosure of your information and that of Shared Customers; and
- permit PayPal to restrict a payment or your PayPal Account in circumstances listed in the User Agreement.
- Failed payments and Product tools. You are responsible for chargebacks, reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Product, including its fraud filtering technology and similar preventive tools (if any) or your use of the Fraud Protection product. Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for chargebacks, reversals and payments which are otherwise invalidated.
- Surcharge. You agree that you will not impose a surcharge or any other fees for accepting any cards under this Card Agreement, that exceeds the amount you pay us for that payment as a percentage of your total payment amount, or as otherwise permitted and directed by local regulations.
- Additional terms for American Express Card Acceptance:
If we allow you to receive payments from American Express cards, this section below applies to you.
- Commercial Marketing Communications. American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with card marketing and administrative purposes. By accepting these terms, you agree to receive commercial marketing communication from American Express. You may opt out by notice by contacting us. Visit our Help and Contact page accessible from your User Agreement and most PayPal web pages to find out how to contact us. If you opt out of commercial marketing communications, you will still receive important transactional or relationship messages from American Express.
- Direct Card Acceptance. You acknowledge that if you reach certain monthly and/or annual sales volumes relating to American Express as set by American Express for the time being and from time to time, American Express may require you to enter into a direct contractual relationship with them. In this situation, American Express will set pricing for American Express transactions, and you will pay fees for American Express transactions directly to American Express.
- Audit Rights. American Express may conduct an audit of you at any time, for the purpose of determining compliance with the American Express Rules.
- Submission and Settlement Rights. You authorise PayPal to submit transactions to, and receive settlement from, American Express, and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications. Merchant may terminate its acceptance of American Express at any time upon notice.
- Third Party Beneficiary. American Express shall be a third-party beneficiary of this Agreement for purposes of American Express card acceptance. As a third-party beneficiary, American Express shall have the right to enforce directly against you the terms of this Agreement as related to American Express Card acceptance. You acknowledge and agree that American Express shall have no responsibility of liability with regard to PayPal’s obligations to you under this Agreement.
- Card Present, Unattended Terminals and Payment Kiosks. You shall not accept American Express cards for any payment under this Agreement when the card is either (i) presented at a physical point of the purchase or transaction; (ii) used at unattended establishments (e.g., customer activated terminals) or (iii) presented at a payment kiosk. In addition, you shall be prohibited from providing or making available to any American Express cardmember that comes to its physical location, a computer or an online interface that will enable the American Express cardmember to access their PayPal Account.
5. Software licence
- Licence. PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to:
- use your Product in accordance with the documentation provided by us and as set out on the PayPal Website from time to time; and to
- use the documentation provided by PayPal for your Product and reproduce it for internal use only within your business. Your Product as licensed is subject to change and will evolve along with the rest of the PayPal system; see clause 9(a). You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Product issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and card scheme rules and regulations).
- ID codes. PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of those codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes; see also Schedule 1. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
- No warranty. Your Product and all accompanying documentation are provided to you on an “as is” basis. To the extent permitted by law, PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to your Product, the licensed software or user documentation provided. Nothing provided by PayPal under this Card Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty, and no obligation or liability will arise or grow out of PayPal’s rendering of technical, programming or other advice or service in connection with any Product, licensed software and user document provided (including, without limitation, services that may assist you with the customisation of your Product). PayPal recommends that you test the implementation of your Product thoroughly as PayPal is not responsible for any loss caused by the implementation of the Product.
- Ownership of PayPal Website Payments Pro and Advanced Credit and Debit Card Payments information and materials. As part of your access to, and use of PayPal Website Payments Pro and/or Advanced Credit and Debit Card Payments, you will be provided with certain information and materials (the “Pro Materials”) for your use with the Products. All intellectual property rights associated with the Pro Materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). You agree to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.
- PayPal Hosted Integrations and your intellectual property. You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Products (“Your Marks”) for the sole purpose of enabling your use of the Products (including, without limitation, the customisation of your hosted Product). Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you shall indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Products.
6. Banking terms for Card Transactions
PayPal utilises services from banking partners in processing Card Transactions, including both direct payments to you from a card as well as Card Transactions that fund a PayPal payment to you. Schedule 2 below applies in relation to those services. In accepting this Card Agreement, you also accept the terms for Card Transactions in Schedule 2, the terms of which form part of this Card Agreement.
7. Termination and suspension
- By you. You may terminate this Card Agreement at will by doing either of the following:
- Giving 30 days’ notice to PayPal Customer Service of your intent to terminate this Card Agreement. PayPal Customer Service will confirm termination via email. This option lets you stop using your Product and paying for it, but your PayPal Account remains open and its User Agreement remains in effect; or
- Closing the PayPal Account that you use with your Product (see the User Agreement for more information).
- By PayPal. PayPal may terminate this Card Agreement at will by doing any of the following:
- Giving you 30 days’ notice by email to your registered email address associated with your Account of PayPal’s intent to terminate this Card Agreement. Unless otherwise notified, this option does not affect your User Agreement and your PayPal Account remains open.
- Terminating the User Agreement that applies to the PayPal Account used with your Product.
- By events. PayPal may terminate this Card Agreement immediately without notice if you:
- Breach this Card Agreement or the User Agreement;
- Become unable to pay or perform your obligations as they fall due;
- Become unable to pay your debts, admit your inability to pay your debts or otherwise become insolvent;
- Have any execution, attachment or similar action taken, levied or enforced against you or your assets, or if any garnishee order is issued or served on you;
- Become the subject of any petition presented, order made or resolution passed for the liquidation, administration, bankruptcy or dissolution of all or a substantial part of your business, except where solvent amalgamation or reorganisation is proposed on terms previously approved by PayPal;
- Lose full and unrestricted control over all or part of its assets because of the appointment of a receiver, manager, trustee, liquidator or similar officer;
- Enter into or proposes any composition or arrangement concerning your debts with your creditors (or any class of its creditors);
- A material adverse change occurs in your business, operations, or financial condition; or
- You provide inaccurate information in applying for your Product or in your dealings with us.
- Effect of termination. When this Card Agreement terminates, you must immediately stop using the terminated Product, and PayPal may prevent or hinder you from using it after termination. If you nevertheless use a Product after termination of this Card Agreement, then this Card Agreement will continue to apply to your use of that Product until you give effect to the termination by stopping your use of that Product. The following clauses in this Card Agreement will survive termination of this Card Agreement and continue in full force and effect: Clauses 2, 5(a) and 9. Termination of this Card Agreement will not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee paid prior to termination.
- Breach and suspension. If you breach this Card Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Product. PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Card Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Card Agreement or PCI DSS, PayPal may suspend your use of your Product pending further investigation.
8. Fraud Protection
If you are offered and choose to use the Fraud Protection product, the terms in Schedule 3 below will apply to your use of that functionality.
- Future of the Products. PayPal retains sole and absolute discretion in determining
- the future course and development of the Products,
- which improvements to make in them and when, and
- whether and when defects are to be corrected and new features introduced.
- Indemnity. You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable lawyers’ fees) incurred in relation to any third party (including a Shared Customer) and arising out of your breach of this Card Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy), or the violation of any law.
- Assignment, amendment and waiver. You may not assign this Card Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this Card Agreement without your consent by notifying you. Neither party may amend this Card Agreement or waive any rights under it except in a written document signed by both parties.
- Governing law and jurisdiction. This Card Agreement is governed by the laws of New South Wales, Australia. The parties submit to the non-exclusive jurisdiction of the courts of New South Wales.
10. Chargeback Protection
- General. To be eligible for Chargeback Protection services, you must have a PayPal Business account in good standing and must be approved by PayPal to be enrolled in the Chargeback Protection program. Further, you must:
- successfully integrate with PayPal’s Advanced Credit and Debit Card Payments;
- successfully integrate the required risk data acquisition service, which includes but is not limited to Fraudnet, Magnes, STC integrations or other similar integration as required by PayPal from time to time; and
- provide additional data as reasonably required by PayPal.
- PayPal reserves the right to change integration requirements upon reasonable notice.
- Your application for Chargeback Protection services will be assessed by PayPal, and we may accept or reject applications at our sole discretion based on the data that we have on your account. You are not permitted to enable Chargeback Protection Services or Fraud Protection or Fraud Protection Advanced at the same time. Upon enrolling in Chargeback Protection Services, your use and access to Fraud Protection or Fraud Protection Advanced will be terminated. PayPal reserves the right, in its sole discretion, to cancel or suspend your use of Chargeback Protection services for any reason it deems appropriate at any time upon reasonable notice to you, or immediately if reasonable notice is impracticable in order to maintain the security of PayPal’s system and / or your account is no longer in good standing.
- If you are approved and enrolled in Chargeback Protection services, we will waive our right to recover the amount of any unauthorised chargeback and item not received chargeback losses made on "Eligible Transactions" (as defined below) under the PayPal User Agreement and we will waive any chargeback fee pursuant to the PayPal User Agreement, subject to our receipt of the requested documentation and information within the required timeframe as described below.
- You are required to provide proof of shipment or proof of delivery for physical goods or services, or any additional information as reasonably required by PayPal, for Eligible Chargebacks in order to for the particular transaction to be eligible for Chargeback Protection. Proof of delivery or proof of shipment must be provided to PayPal within two days of receipt of the chargeback claim (or such time period as otherwise specified by PayPal).
- Eligible Chargebacks. Chargeback Protection services only apply to chargeback claims involving: (i) transactions not authorised by the cardholder, as determined by PayPal; and (ii) transactions where the item was not received ("Item Not Received") by the buyer (collectively "Eligible Chargebacks").
- Eligible Transactions. In addition to the above requirements, Chargeback Protection services will only apply to Eligible Chargebacks on card transactions processed by PayPal that meet the criteria set forth below ("Eligible Transactions"):
- Card transactions processed via the Advanced Credit and Debit Card Payments checkout integration;
- Card transactions for goods and services that are not excluded under the terms of the PayPal User Agreement, including but not limited to the Acceptable Use Policy; and
- Not transactions that are ineligible for PayPal’s Seller Protection program under PayPal User Agreement.
- Establishing proof of delivery or proof of shipment. The proof of delivery and proof of shipment requirements of PayPal’s Seller Protection program apply to the Chargeback Protection Services and are adopted and incorporated by reference. The proof of delivery and proof of shipment requirements can be found here.
- Chargeback Protection Services Fees. The fees for the Chargeback Protection Services are set out under our Fee Page.
- Chargeback Recovery by PayPal. If you have provided us with incorrect information (for example, with respect to your business type) during the application process for Chargeback Protection services or during sign up for a PayPal account, we are entitled to recover all our chargeback losses from you (including for past transactions prior to us discovering that the information provided was incorrect). We are also entitled to recover all our chargeback losses from you if you violate the PayPal User Agreement (for example, if you engage in a Restricted Activity), the Acceptable Use Policy or this Agreement.
Capitalised terms not listed in this clause are defined in the User Agreement or above in this Card Agreement.
- Acquiring Institution: A financial institution or bank that provides services to you and PayPal to enable you to (A) accept payment by cardholders using cards; and (B) receive value in respect of Card Transactions.
- Activation Date: The date on which you complete all of the steps for “Getting started” as listed in clause 1(a) above.
- AVS Data: Information returned by the “Address Verification System” operated by or on behalf of Card Associations, which compares address data provided by an apparent cardholder with address data on file for the card at the card issuer.
- Card Association: A company or consortium of financial institutions which promulgates rules to govern Card Transactions that involve the card that carries the company’s or the consortium’s brand. Examples may include (where applicable) Visa USA, Visa Europe, and the other Visa regions; MasterCard International Incorporated; American Express Company and similar organisations.
- Card Data: All personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally), together with the cardholder’s name and address and any other information necessary for processing a Card Transaction.
- Card Transaction: A payment made using a credit or debit card, an American Express card, or any other payment method using a physical data-carrying item intended to be held in the payor’s possession. The Products support only certain types of Card Transactions; see the PayPal Website for more information.
- Chargeback Protection Services: The optional service that provides protection for eligible Advanced Credit and Debit Card Payments from “unauthorized” and “item not received” chargebacks, as further described herein.
- Critical Systems: The information technology (both hardware and software) that you employ to operate the applicable Products, to protect them and your online points of sale against intrusion and interference, and to store payment-related and personal data, including any Card Data that you retain and all personal data about Shared Customers.
- CVV2 Data: The three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and ties the card account number to the plastic.
- Fraud Protection: Technology provided by PayPal to enable you to check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns, offered together with the applicable Product.
- Monthly Fee: A fee payable on a monthly basis as required in clause 2 above.
- PayPal Website: means or www.paypal.com/au.
- PCI DSS: Payment Card Industry Data Security Standard, i.e. specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org/.
- Shared Customer: A person who both has a PayPal Account and is also your customer.
12. Schedule 1 – Data Security Requirements
Data Security Requirements
- Ownership of PayPal Website Payments Pro – Hosted Solution information and materials
- As part of Merchant’s access to, and utilisation of PayPal Website Payments Pro– Hosted Solution, Merchant will be provided with certain information and materials (the “Pro Materials”) which are able to be used by Merchant to use PayPal Website Payments Pro – Hosted Solution.
- All intellectual property rights associated with the Pro Materials remain the property of PayPal, or WorldPay UK Limited or HSBC Bank Plc (collectively the “Banks”) (as the case may be).
- Merchant agrees to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.
- Merchant’s Security Codes obligations
- Merchant acknowledges and agrees that it is solely responsible for maintaining adequate security and control of any and all IDs, passwords or other security codes (collectively, the “Security Codes”) that are issued to the Merchant by PayPal or the Banks.
- Merchant agrees to restrict use of, and access to, the Merchant’s Security Codes to the Merchant’s employees, agents or contractors as may be reasonably necessary to allow Merchant to use any applicable Product, and to ensure that such persons comply with the provisions set out in this Schedule or the other security advice provided to the Merchant by PayPal or the Banks (as the case may be).
- Merchant’s obligations to comply with Data Security requirements
- Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control.
- Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website:
- comply with all applicable laws and regulations, including, without limitation, the Privacy Act 1988 or any statutory modification or re-enactment thereof for the time being in force) (the “Privacy Act”) and the guidance issued by the Office of the Privacy Commissioner;
- comply with the applicable obligations, rules and guidelines issued by Visa USA, Europe, Asia Pacific, Canada and all Visa regions, MasterCard International Incorporated or other applicable card associations (the “Associations” and the “Association Rules”), including, without limitation, the Visa Cardholder Information Security Program (CISP), Visa Account Information Security Program (AISP), the MasterCard Site Data Protection Program and the Payment Card Industry Data Security Standard (“PCI DSS”). Further information can be found by visiting the following URLs: www.visaeurope.com, www.visaeurope.com/en/businesses__retailers/payment_security/overview.aspx and https://www.mastercard.com/sdp.
- PCI/DSS include the requirements that the Merchant must, without limitation:
- install and maintain a firewall configuration to protect data;
- not use vendor supplied defaults for system passwords and other security parameters;
- protect stored data;
- encrypt transmission of cardholder data and sensitive information across public networks;
- use and regularly update anti-virus software;
- develop and maintain secure systems and applications;
- restrict access to data by business need-to-know;
- assign a unique ID to each person with computer access;
- restrict physical access to cardholder data;
- track and monitor all access to network resources and cardholder data;
- regularly test security systems and procedures; and
- maintain a policy that addresses information security.
At PayPal’s request, Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing PayPal Payment Pro and/or Virtual Terminal services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement. Merchant agrees to independently arrange evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction.
- undertake non penetrative scans (either quarterly or annually depending on the volume of Merchant’s annual transactions as notified by either PayPal or the Banks to Merchant) of Merchant’s web accessible ports and an on site audit if Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor. For details of Visa and MasterCard Qualified Security Assessors log onto: https://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html or https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
- notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph;
- provide PayPal with all information or access to records as needed by PayPal to ensure Merchant’s compliance with this paragraph 3; and
- notify PayPal immediately of any security breach to Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of PayPal Website Payments Pro – Hosted Solution.
- Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association rule or guidance.
- Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, Merchant will allow a third party forensic auditor certified by the Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Associations. If Merchant fails to initiate such a process after PayPal’s requesting it to do so, Merchant authorises PayPal to take such action at the Merchant’s expense.
- PayPal may immediately suspend Merchant’s access to or use of PayPal Website Payments Pro – Hosted Solution or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 3.
- If PayPal suspends your access to or use of PayPal Website Payments Pro – Hosted Solution, PayPal will set out in a notice to Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify breach. PayPal’s suspension of the Merchant’s access or use of PayPal Website Payments Pro – Hosted Solution will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).
- PayPal’s obligations to keep data secure
When processing the personal data of cardholders whose transaction data Merchant submits to PayPal, PayPal will
- comply with the Privacy Act and employ industry standard or better encryption and security methods as being appropriate for use by financial institutions.
- Merchant's use of cardholder information
- Merchant agrees to only use, disclose or process, any cardholder information obtained in connection with a card transaction (including the names, addresses and card account numbers of cardholders) including for the purposes of authorising, completing and settling card transactions and resolving any chargeback or reversal disputes, retrieval requests or similar issues involving card transactions. Merchant will only be able to process cardholder information differently than set out in this paragraph if the Merchant obtains the prior written consent from PayPal and each applicable Association, card issuing bank and cardholder or as otherwise pursuant to a court order or otherwise required by law.
- Merchant agrees to:
- establish and maintain sufficient controls for, limit access to and render unreadable prior to discarding, all records containing cardholder account numbers and card imprints;
- not sell or disseminate any cardholder information obtained in connection with a card transaction held in a database or otherwise (including the names, addresses and card account numbers of cardholders);
- not retain or store magnetic stripe data or hardcopies containing cardholder data (including faxes) after a transaction has been authorised; and
- not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request (upon such a request Merchant agrees to comply).
- Merchant acknowledges that Association rules prohibit the sale or disclosure of databases containing Cardholder account numbers, personal information or other Association transaction information to third parties as an asset of a failed business. In such cases, Merchant agrees that transaction information is to be returned to the Banks or acceptable proof of destruction of this data is provided.
- Merchant agrees that it is responsible and liable for compliance by this paragraph by any third party processor, hosting service or other agent of the Merchant engaged in the processing or storage of cardholder data. Merchant agrees to notify PayPal in writing of any third party engaged by any third party processor, hosting service or other agent prior to the Merchant engaging them and further immediately notify PayPal in writing of any access to transaction data by any unauthorised person.
- Merchant’s use of a Technical Service Provider
- Merchant may utilise third parties to perform certain Merchant obligations set out in this Schedule with our express written consent which may contain conditions as to the Merchant’s use of such a person (each such a party known as a “Technical Service Provider”). To be eligible for consent, each Technical Service Provider must (among other things) be registered with the applicable Association.
- If the Merchant is permitted to utilise a Technical Service Provider, the Merchant agrees and will procure that the Technical Service Provider will comply with the provisions relating to data and information security as set out in this Schedule (including, without limitation, PCI DSS requirements) as they apply to storing, processing or transmitting cardholder data to PayPal.
- Prior to, or from the appointment of a Technical Service Provider, Merchant agrees to:
- notify PayPal in writing of the details of the Technical Service Provider that engages in, or proposes to engage in, the processing, storing or transmitting of Cardholder data on the Merchant’s behalf, regardless of the manner or duration of such activities;
- provide satisfactory evidence to PayPal that the Technical Service Provider is registered with the applicable Association;
- comply with any requirements of the Technical Service Provider including, without limitation, complying with any requirements relating with respect to the Technical Service Provider’s services, hardware or software and obtaining any required end user consents for transmission of data through the Technical Service Provider; and
- at PayPal’s discretion, provide PayPal with permission to register Merchant with the relevant Technical Service Provider (as required).
- The Merchant agrees that it is solely responsible for the relationship with the Technical Service Provider and any data transmitted or made available to the Technical Service Provider. The Merchant’s failure to comply with the provisions set out in this paragraph 7, or the failure of the Technical Service Provider or gateway processor to register and/or comply with the applicable data security requirements may result in fines or penalties which the Merchant is liable for. PayPal may immediately terminate this Card Agreement upon the Merchant breaching this paragraph 7.
13. Schedule 2 – Card Agreement
Card Agreements PayPal uses services from WorldPay UK Limited and HSBC/Global Payments in processing card transactions. The relevant card agreements are located at /webapps/mpp/ua/ceagreement-full?locale.x=en_AU (Commercial Entity Agreement for PayPal Payment Card Funded Processing Services).
14. Schedule 3 – Fraud Protection Terms
- How the Fraud Protection works
The Fraud Protection is made available to you as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you adopt in the Fraud Protection. The tool allows you to set filter rules, i.e. to instruct us about which transactions the tool shall decline on your behalf based on abstract criteria. In order to use the Fraud Protection, you must follow our instructions to actively turn on the Fraud Protection.
We may provide tips regarding what filters and settings in the Fraud Protection to use that may be appropriate for your business. These suggestions take into account your past transaction history.
Notwithstanding the above, it is your responsibility to determine, and set the final filter rules.
- No Warranty and Limitation of Liability
We do not represent or warrant that the Fraud Protection is error-free or that it will identify all potentially fraudulent transaction activity. This is simply a tool that would assist you with identifying potential fraudulent transactions.
We are not liable for your losses (such as loss of profits) or damages arising from or related to your use of the Fraud Protection, to the extent that applicable law allows.
- Data Protection
You may only use the Fraud Protection for the purpose of your management of fraud risk and for no other purpose.
You may not share use of the Fraud Protection with any other person, nor may you disclose to any person the categories provided in the Fraud Protection or the results generated from your use of the Fraud Protection.
Despite your settings on the Fraud Protection, we always retain the right to decline or suspend any transaction pursuant to the terms of the User Agreement.
These terms supplement the User Agreement that governs your use of our services in general. The definition of our Services in the User Agreement, when read together with these terms, includes the Fraud Protection, when applicable.
We may amend, delete or add to these terms in line with any change process set out in the User Agreement. If you do not agree with any change, you may terminate these terms.
You may terminate these terms under this Schedule 3 at any time by removing the Fraud Protection from your integration and following any other integration-related steps which we may make available to you. This lets you stop using the Fraud Protection, but otherwise your Account remains open and the User Agreement (and any other relevant agreements relating to the provision of Services to you) remains in effect.
We may, at any time, for any reason and (where possible) with reasonable prior notice, terminate, cancel or suspend the Service to the extent it relates to our Fraud Protection without liability towards you.
These terms survive any termination to the extent and for so long as we require to: (i) deal with matters arising from your use of the Fraud Protection prior to termination; and/or (ii) comply with applicable laws and regulations.