Policy Updates


This page informs users in advance of important changes to the PayPal service, its User Agreement, or other policies. This page displays policy updates with future effective dates. Go to Past Policy Updates for previous policy updates.

 

Amendment to the PayPal User Agreement

Effective Date: Jan 29, 2015

Please read this document.

You do not need to do anything to accept the changes as they will automatically come into effect on the above date. Should you decide you do not wish to accept them you can notify us before the above date to close your account (https://www.paypal.com/cz/cgi-bin/?&cmd=_close-account) immediately without incurring any additional charges.

We do hope, however, that you continue to use PayPal and enjoy the following benefits:

It’s safer

When you pay with PayPal your sensitive financial details are never shared with sellers or retailers, so you’re more protected against fraud.

It’s faster

You don’t have to type in your card details each time you pay, so you can check out faster online. You can also get eBay items delivered more quickly, as you can pay the seller instantly.

It’s easier

PayPal is the preferred web payment method in the UK because it’s a smarter, savvier way to pay online in just a few clicks. All you need is your email address and a password.

Please review the current User Agreement.


Amendment to the PayPal User Agreement

  1. Intellectual Property

    Section 1.3 is amended to clarify the conditions of use of HTML logos provided by PayPal through its merchant services, auction tools features or affiliate programmes. The amended section 1.3 now reads as follows:

    “1.3 Intellectual Property. The URLs representing the PayPal website(s), “PayPal,” and all related logos of our products and services described in our website(s) are either copyrighted by PayPal, trademarks or registered trademarks of PayPal or its licensors. In addition, all page headers, custom graphics, button icons, and scripts are either copyrighted by PayPal, service marks, trademarks, and/or trade dress of PayPal. You may not copy, imitate, modify, alter, amend or use them without our prior written consent. You, as a merchant, may use HTML logos provided by PayPal through our merchant services, auction tools features or affiliate programmes without prior written consent for the sole purpose of identifying yourself on your website as a merchant who accepts payments through the Service and directing web traffic from that website to the Service, but we may limit or revoke this permission at any time and for any reason in our sole discretion. You may not alter, modify or change these HTML logos in any way, use them in a manner that is disparaging to PayPal or the Service or display them in any manner that implies PayPal’s sponsorship or endorsement. All right, title and interest in and to the PayPal website and any content thereon is the exclusive property of PayPal and its licensors.”

  2. Sending Money – Our execution of your Payment Orders

    The last sentence of the last paragraph of section 3.1 is amended by the insertion of further detail to clarify the extent of PayPal’s obligations regarding settlement of refund transactions. The amended sentence now reads as follows (with the added wording underlined in the original):

    “… PayPal reserves the right not to effect a payment made by you until it receives cleared funds (this also means, without limitation, that PayPal is not obliged to settle a refund transaction before having received funding for the original transaction).”

  3. Special Funding Sources

    The part of section 3.4 relating to “Special Funding Sources” is amended by the insertion of further detail about how Special Funding Sources may be used. The amended paragraphs of section 3.4 relating to “Special Funding Sources” now read as follows:

    “Special Funding Sources: Certain payments may be funded by special Funding Sources linked to your Account, such as merchant/transaction specific balance, gift vouchers or other promotional Funding Sources, the use and priority of which are subject to further terms and conditions between you and PayPal (“Special Funding Sources”).

    Your Account Overview may show the notional amount available in your Special Funding Sources to fund qualifying payments at any given time.  This amount does not constitute E-money, is not deemed part of your Balance and is not redeemable in cash - it only represents the amount of E-money which PayPal offers to issue and credit to your PayPal Account at the time of (and only to immediately fund) a qualifying PayPal payment, subject to (and only for the period outlined in) the further terms and conditions of use of that Special Funding Source.  If your PayPal payment funded by a Special Funding Source is rescinded (including, without limitation, Reversed) at a later time for any reason, PayPal will keep the amount that represents the portion of that PayPal payment that was funded by your Special Funding Source and (provided that the Special Funding Source has not already expired) reinstate the Special Funding Source.”

  4. Preferred Funding Sources when making Recurring or Automatic Payments

    Section 3.5c is amended to clarify the limitations of setting a Preferred Funding Source for your payments. The amended section 3.5c now reads as follows (presented in context with the relevant part of the root of section 3.5):

    “3.5 Preferred Funding Source. If you would like to select a Preferred Funding Source you may do so in these instances:

    c. Limitations. If you have a Balance in your PayPal Account and your payment does not qualify for funding by a Special Funding Source, PayPal will use your Balance instead of your Preferred Funding Source, unless your Preferred Funding Source is eCheque or PayPal Credit. If you have a Balance and do not want to use it to fund your next payment, you must withdraw from your Balance before initiating your next payment.”

  5. Your liability for cancelled direct debits.

    We are adding a short sentence to the end of the paragraph in section 3.7 (Bank Transfers) that begins with “PayPal will make electronic transfers from your bank account…” to outline your liability to PayPal in certain cases when you cancel a direct debit.  The new sentence reads as follows:

    “If you cancel any direct debit (including, without limitation, any SEPA Direct Debit), you agree to reimburse us for the value of any goods or services that you have consumed with the proceeds of that direct debit.”

  6. Restricted Activities

    Section 9.1.ag is amended to make it a restricted activity (for the avoidance of any doubt) to expose PayPal to the risk of any regulatory fines by European, US or other authorities for processing your transactions. The amended section 9.1.ag reads as follows (presented in context with its root clause):

    “9.1 Restricted Activities. In connection with your use of our website, your Account, or the Services, or in the course of your interactions with PayPal, a User or a third party, you will not:

    ag. Allow your use of the Service to present to PayPal a risk of non-compliance with PayPal’s anti-money laundering, counter terrorist financing and similar regulatory obligations (including, without limitation, where we cannot verify your identity or you fail to complete the steps to lift your sending, receiving or withdrawal limit in accordance with sections 3.3, 4.1 and 6.3. or where you expose PayPal to the risk of any regulatory fines by European, US or other authorities for processing your transactions); or

    …”

  7. PayPal Buyer Protection

    Section 13 is amended to make several improvements to the PayPal Buyer Protection policy. The amendments will:
    • improve the conditions of reimbursement under PayPal Buyer Protection by:
      • increasing the time allowed for buyers to raise a Dispute from 45 days to 180 days from the date on which payment was made (UK resident PayPal users already benefit from this improvement); and
      • extending the range of eligible purchases to cover custom made items that are claimed to be Not Received.
    • for UK resident users contracting with PayPal under the User Agreement, clarify at new section 13.4.a.k that the purchase of any wager (whether by way of backing or laying against any outcome or otherwise) and any other opportunity to benefit from a gambling activity is not an eligible purchase.
    • for all users contracting with PayPal under the User Agreement, clarify at section 13.6 that, if PayPal has reason to believe that returning an item that the buyer claims is SNAD to the Payment Recipient would result in a violation of applicable law, such as laws related to handling counterfeit items, PayPal may report the item to a competent authority. This may result in the authority taking control of and/or possession of the item from the buyer and the Payment Recipient might not receive the item back.

    Please remember that if you sell or market to buyers in other countries, you should read the PayPal Buyer Protection policies of the countries in which your target buyers are based (the relevant PayPal Buyer Protection policies are available here and are also accessible via the “Legal” or “Legal Agreements” footer on most PayPal site pages) as these policies will apply to you as a Payment Recipient or seller. The link to the relevant PayPal Buyer Protection policies will also be included in section 13.1.

  8. Other changes

    Sections of the PayPal User Agreement have been amended to clarify existing wording and correct minor typographical errors.

 

Amendment to the PayPal Privacy Policy

Effective Date: Dec 29, 2014

  1. Information We Collect

    We have amended the part of section 3 labelled “Required Information” to outline the further information that we may request from you when you use certain functionalities provided by us and the basis on which we may use that information.

    The amended part of section 3 labelled “Required Information” now reads as follows (presented in context with the clause heading):

    “Required Information

    If you use certain functionalities provided by us (including, without limitation, PayPal POS functionality on your mobile app) we may ask you to upload a picture of you in order to provide these specific services. Your face must be recognisable. Your image is solely your responsibility.”

  2. Our Use and Disclosure of Information

    The part of section 4 labelled “Disclosure to Other PayPal Customers” is amended to clarify the circumstances in which, and the basis upon which, we may share certain elements of your information (such as your picture and the fact that you are within local reach as a customer). The amended segment of this part of section 4 now reads as follows (presented in context with the clause heading):

    “Disclosure to Other PayPal Customers

    If you are using your mobile app, we may share your picture that you have stored with your mobile app with other PayPal users so that they can identify you. You license us to use your image for the above purposes on a non-exclusive, worldwide, royalty-free, transferable and sub-licensable basis.

    We may also share with other users the fact that you are within local reach as a customer.

    …”

  3. Our Use and Disclosure of Information - Disclosure to Third Parties other than PayPal Customers

    Just like most banks or financial/payment service providers, PayPal works with third-party service providers. We need to disclose user data to them from time to time so that the services our users have requested can be performed. These service providers provide important functions to us that allow us to be an easier, faster, and safer way to make payments.

    In general, the Luxembourg laws to which PayPal’s handling of user data is subject (data protection and bank secrecy) require a higher degree of transparency than most other EU laws. This is why, unlike the vast majority of providers of internet-based services or financial services in the EU, PayPal lists in its Privacy Policy every third party service provider to whom it discloses user data, together with the purpose of disclosure and type of information disclosed.

    Paragraph d of the part of section 4 labelled “Disclosure to Third Parties other than PayPal Customers” has been amended to allow PayPal to disclose certain PayPal customer information to the additional third parties, or for the additional purposes, set out in the table below, or to change the scope of purposes and data shared as set out in that table.

    Each entry below gives the Category, the Party Name and Jurisdiction (in brackets), the Purpose and the Data Disclosed.

    Category: Credit Reference and Fraud Agencies

    Please note that in addition to the stated purposes below, PayPal uses your personal information to detect, prevent, and/or remediate fraud or other illegal actions, or to detect, prevent or remediate violations of policies or applicable user agreements.

    Party (jurisdiction): DueDil Limited (UK)
    Purpose: To receive business information for risk assessment, and compliance with anti-money laundering requirements, such as establishing the corporate structure and beneficial ownership.
    Data disclosed: Company registration number, name and address of business, name, address, date of birth of directors.

    Party (jurisdiction): Creditsafe USA Inc. (USA)
    Purpose: To receive business information for risk assessment, and compliance with anti-money laundering requirements, such as establishing the corporate structure and beneficial ownership.
    Data disclosed: Company registration number, name, and address of business, name, address, date of birth of directors.

    Party (jurisdiction): ID Checker.nl BV (Netherlands) (Ireland)
    Purpose: To verify identity; automatic data extraction from images of documents, and document validation / forgery detection. Research and testing as to appropriateness of new products and services.
    Data disclosed: Name, address, email address, date of birth, legal form, company registration number, VAT number, proof of identity, address, ownership of a funding instrument or other documents requested by PayPal and the data contained therein for Risk / Compliance / Credit purposes.

    Party (jurisdiction): Au10tix Limited (Cyprus)
    Purpose: To verify identity; automatic data extraction from images of documents, and document validation / forgery detection. Research and testing as to appropriateness of new products and services.
    Data disclosed: Name, address, email address, date of birth, legal form, company registration number, VAT number, documents proving identity and address, ownership of a funding instrument, or other documents requested by PayPal and the data contained therein for Risk / Compliance / Credit purposes.

    Party (jurisdiction): Zoot Enterprises, Inc. (USA), Zoot Deutschland GmbH (Germany), Zoot Enterprises Limited (UK)
    Purpose: To process technical applications and to provide a data and document gateway for account review and vetting purposes, and to exchange user information and images of documents proving identity, address and ownership of funding instrument with contracted fraud and credit reference agencies. To also aggregate data from internal and external data sources and provide statistical analysis in order to assess the risk of fraud.
    Data disclosed: All account information and documents supplied by customers, to include information used to provide identity and address, ownership of a funding instrument, or other documents requested by PayPal and the data contained therein for Risk / Compliance / Credit purposes. This information may also include IP addresses.

    Category: Marketing and Public Relations

    Party (jurisdiction): DemandGen AG (Germany)
    Purpose: To execute e-mail marketing campaigns.
    Data disclosed: Name, email address, phone number, type of account, type and nature of PayPal Services offered or used and relevant transaction information.

    Party (jurisdiction): StrikeAd UK Ltd. (UK), Ad-X Limited (UK), Criteo Ltd. (UK), Criteo Singapore Pte. Ltd.
    Purpose: To execute and measure retargeting campaigns in order to segment users for PayPal Here marketing campaigns.
    Data disclosed: Anonymous cookie ID, Advertising ID and device ID to segment user groups for marketing purposes.

    Party (jurisdiction): Nanigans, Inc. (USA), Fiksu, Inc. (USA), Ad-X Limited (UK), Criteo Ltd. (UK), Criteo Singapore Pte. Ltd.
    Purpose: To help identify behaviour in the mobile app in order to guide decisions about targeted marketing; to help efficiently handle and optimise mobile campaigns on social networks and elsewhere on the web.
    Data disclosed: Anonymous cookie ID, Advertising ID and Device ID used by a specific person, events in the mobile app about the use of the mobile app by a specific user (including, without limitation, login, successful completion of the transaction), but no payment and financial information details. Content of advertisements to be delivered to specific users and, as appropriate, the segmentation group to which such person belongs for advertisement purposes.

    Category: Operational services

    Party (jurisdiction): Zoot Enterprises, Inc. (USA), Zoot Deutschland GmbH (Germany), Zoot Enterprises Limited (UK)
    Purpose: To process technical applications and to provide a data and document gateway for account review and vetting purposes, and to exchange user information and images of documents proving identity, address and ownership of funding instrument with contracted fraud and credit reference agencies.
    Data disclosed: All account information and documents supplied by customers such as proofs of identity and address, ownership of a funding instrument, or other documents requested by PayPal and the data contained therein for Risk / Compliance / Credit purposes.

    Category: Group companies

    Party (jurisdiction): Private Sale GmbH (Germany)
    Purpose: To provide joint customers content and services (including, but not limited to registration, transactions, failover for carrier billing accounts, and customer support), to assess risk, or to help detect, prevent and/or remediate fraud, or other potentially illegal acts and violations of policies, and to guide decisions about their products, services and communications.
    Data disclosed: All account information.

     

  4. Other changes

    Sections of the PayPal Privacy Policy have been amended to clarify existing wording and correct typographical errors.

 

Amendment to the PayPal Website Payments Pro and Virtual Terminal Agreement

Effective Date: Jan 29, 2015

 

You can find the amended PayPal Website Payments Pro and Virtual Terminal Agreement below the version of that agreement currently in force by clicking here or accessing it via the “Legal” or “Legal Agreements” footer on most PayPal site pages.

  1. Online Card Payment Services.

    The agreement will now cover your use of any Online Card Payment Services, for which a new definition is added as follows:

    “Online Card Payment Services: Functionality provided online by PayPal to enable merchants to receive payments directly from a payer’s card (without the funds passing via the payer’s PayPal Account), without the card being present at the website or other point of sale. Online Card Payment Services are integral to the Products such as Website Payments Pro and Virtual Terminal. PayPal Here™ is not an Online Card Payment Service because the card is present at a physical point of sale.”

  2. Getting started.

    We are inserting the following sentence at the end of section 1.1 to clarify your integration options:

    “If your Product is Website Payments Pro, you may only integrate and use Website Payments Pro in one of the following mutually exclusive ways - either (i) as a PayPal Hosted Solution (in which PayPal operates Website Payments Pro for you as a PayPal-hosted service) or (ii) operated on your own facilities - (each option being a “Hosting Option”). PayPal may (but, notwithstanding any other provision in this Agreement, shall not be obliged to) provide both Hosting Options. PayPal may, at its sole discretion, set either Hosting Option as your default option for integrating the Direct Payments API into the payment process of your website.”

  3. Parity among payment methods.

    Section 1.3 is amended to clarify the requirements for parity among payment methods available for use on your website. The amended section 1.3 now reads as follows:

    “Parity among payment methods. In displaying payment options on your website, you must display the logos of PayPal and the Card Associations with size and prominence equal among themselves and among those of any other payment methods available for use on your website. You must not display a preference for one payment method over another.”

  4. Your information.

    Section 1.4 is amended to clarify the importance of PayPal’s Privacy Policy regarding your use of the Online Card Payment Services and now reads as follows:

    “Your information. You confirm that you have read, consented and agreed to PayPal’s Privacy Policy, which explains the information that we collect about you and your online business. In particular, you agree and consent that PayPal may obtain from a third party your credit history and financial information about your ability to perform your obligations under this Agreement; the PayPal Privacy Policy lists the companies involved in this exchange of credit-related information. PayPal will review your credit and other risk factors of your Account (reversals and chargebacks, customer complaints, claims etc.) on an ongoing basis, and we may also review your website and the products for sale on it. PayPal will store, use and disclose all information that we have about you in conformity with PayPal’s Privacy Policy.”

  5. Fees

    The following text in the last paragraph of each of sections 2.1 and 2.2: “The percentage listed is a percentage of the payment you receive. The fixed fee is charged in the currency of the payment if you have a balance in your Account in that currency. Otherwise it is charged in the currency that corresponds to the Account Nationality of your Account.” is amended to read as follows:

    “The percentage listed in the above table is a percentage of the payment you receive. The fixed fee is charged in the currency of the payment received.”

  6. Your PCI DSS compliance.

    Section 3.2 is amended to clarify your obligations regarding PCI DSS compliance and now reads as follows:

    “Your PCI DSS compliance. You also agree to comply with the PCI Data Security Standard (PCI DSS). You must protect all Card Data that comes within your control according to PCI DSS, and you must design, maintain and operate your website and other systems in conformity with PCI DSS. You must ensure that your staff are and remain sufficiently trained so that they are aware of PCI DSS and can carry out its requirements. PayPal is not responsible for any costs that you incur in complying with PCI DSS.”

  7. PayPal’s PCI DSS compliance.

    A new section 3.3 is inserted to set out the entirety of PayPal’s obligations to you regarding the PCI DSS compliance of your Product, which reads as follows:

    “PayPal’s PCI DSS compliance. PayPal warrants that PayPal and your Product comply and will comply with PCI DSS. However, PayPal’s compliance, and your Product’s, are not sufficient to achieve compliance with PCI DSS by you and your systems and processes.”

  8. 3D Secure.

    A new section 3.4 is inserted to set out your obligations regarding the implementation of 3D Secure, which reads as follows:

    “3D Secure. Requirements of the European Central Bank and PayPal’s bank regulators require use of 3D Secure in certain circumstances, and Card Associations may also require it to reduce an excessive number of Card Transactions unauthorised by the cardholder. PayPal may by notice to you require that you implement 3D Secure for all or certain specified Card Transactions. You agree to implement 3D Secure if required in such a notice, where the issuer of a particular card supports 3D Secure for that card.”

  9. User Agreement applies.

    Section 4.1 is amended to clarify the role of the User Agreement in this agreement and now reads as follows:

    “User Agreement applies. You acknowledge and agree that the User Agreement, and not this Agreement, is the “framework contract” between you and PayPal as defined in laws transposing the Payment Services Directive (2007/64/EC). The terms of the User Agreement also apply to you and are incorporated by reference into this Agreement. The definition of “Services” in the User Agreement shall be amended to include your Product, and the definition of “Agreement” shall include this Agreement. In case of any inconsistency between this Agreement and the User Agreement, this Agreement supersedes the User Agreement, but only to the extent of that inconsistency. Where this Agreement and the User Agreement both specify a fee for the same action, the fee specified in this Agreement will apply rather than the fee in the User Agreement. The User Agreement can be found via a link in the footer of nearly every PayPal web page. The User Agreement includes important provisions which:

    1. Permit PayPal to take a Reserve to secure your obligation to pay Chargebacks, Reversals and fees;
    2. Obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal;
    3. Give legal effect to PayPal’s Privacy Policy, which governs our use and disclosure of your information and that of Shared Customers; and
    4. Permit PayPal to restrict a payment or your PayPal Account in circumstances listed in the User Agreement.”

  10. ID codes.

    Section 5.2 has been amended to clarify the use of identifying codes and your obligations in relation to them and now reads as follows:

    “ID codes. PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of the codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.”

  11. Ownership of PayPal Website Payments Pro information and materials.

    A new section 5.3 is inserted to set out your obligations regarding the use of information and materials provided to you when using PayPal Website Payments Pro, which reads as follows:

    “Ownership of PayPal Website Payments Pro information and materials. As part of Merchant’s access to, and utilisation of PayPal Website Payments Pro, Merchant will be provided with certain information and materials (the “Pro Materials”) which are able to be used by Merchant to use PayPal Website Payments Pro. All intellectual property rights associated with the Pro Materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). Merchant agrees to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.”

  12. No warranty

    The text that used to sit at section 5.3 is moved to a new section 8.2 and we are inserting a further paragraph after it, so that it reads as follows:

    “No warranty. Your Product and all accompanying documentation are provided to you on an “as is” basis. PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to your Product, the licensed software or user documentation provided. Nothing provided by PayPal under this Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty, and no obligation or liability will arise out of PayPal’s rendering of technical, programming or other advice or service in connection with any Product, licensed software and user document provided (including, without limitation, services that may assist you with the customisation of your Product). PayPal recommends that you test the implementation of your Product thoroughly as PayPal is not responsible for any loss caused by a defect in it.

    If PayPal hosts your Product (in other words, we run the software for you as a web service), PayPal does not guarantee continuous, uninterrupted or secure access to your hosted Product. PayPal will not be liable for any delay or failure in hosting your Product. You acknowledge the availability of your Product for use may be occasionally limited to allow for repairs, maintenance or the introduction of new facilities or services.”

  13. Data Security Requirements

    Schedule 1 (dealing with Data Security Requirements) has been amended to read as follows:

    “Schedule 1

    Data Security Requirements

    Website Payments Pro and Virtual Terminal enable you to accept payments online directly from debit and credit cards, which are payment instruments whose security depends on controlling the disclosure of Card Data. A person who has sufficient Card Data can send or receive a card payment charged to the cardholder’s account without necessarily having the cardholder’s authorisation for the payment. To prevent your Shared Customers from having their Card Data misused, you must keep Card Data secret at all times. Laws transposing the Data Protection Directive also require you to keep a Shared Customer’s personal data secure.

    PayPal strongly recommends that you obtain the services of a competent professional expert in information security to advise you and assist in securing your website and any other points of sale.

    Principles of Data Security

  1. Design and development. You must design and develop your Critical Systems and all payment‑related processes so that they are secure from intrusion and interference by unauthorised persons.   All users of your systems must be required to authenticate themselves to your Critical Systems, and those Systems must limit the access and powers of their users. You must also organise your business so as to segregate critical duties and create controls and checkpoints in your operations, rather than place too much unchecked power over your systems and operations in one person. Never give a user more power over your systems and processes than the minimum necessary for the user to perform his or her assigned role.
  2. Protection against intrusion. You must divide your operations into two basic categories, (1) those functions available to all users including those outside your organisation, and (2) those available only to trusted people within your organisation. You must employ a firewall to block untrusted users from the using internal-only functions of your Critical Systems. Your web servers and other external-facing portions of your Critical Systems must use well developed and thoroughly tested technology, and make available externally only those functions which are necessary for Shared Customers and other external users to use. Strip your external-facing servers of all superfluous functions to protect (harden) them and reduce their vulnerability to external attack.
  3. Access controls. Your Critical Systems must restrict access to Card Data and all other personal or important data to only trusted persons within your organisation, and no such person should have greater access to such data than is necessary for that person to perform his or her role. Your systems must track and log all access, use, modification and deletion of Card Data and other personal or important data so that you maintain an audit trail of all such actions. You must also limit access to your Critical Systems and the resources on which they depend such as networks, firewalls, and databases.
  4. Data minimisation. As a general principle, you should gather and retain no more Card Data or other sensitive data than you need. Holding Card Data and personal data creates a risk of liability to you, and you can reduce that risk by taking and holding less data. If you store Card Data, consider carefully the need to do so: PayPal must refund a payment which lacks its payer’s authorisation, and if the user will authorise a further payment, the user will generally also give you up-to-date Card Data again, so you may have little need to store Card Data for future use. Card Data that you do not have is data that you cannot spill if you suffer a Data Breach.
  5. Changes and testing. Except in emergencies, avoid changing Critical Systems without first planning, testing, and documenting the change, unless the change is routine (e.g. adding a user, changing a password, updating inventory and prices). For major systemic changes or those which can impact the security or availability of your Critical Systems, planned changes should be escalated for approval by high-ranking managers other than the planners of those changes. Implement planned changes in your production systems only after they have been thoroughly tested in a non-production environment. Conduct all such testing under the supervision of your risk management department or others in your company with particular responsibility for its losses.
  6. Audits. You must audit the operations and security of your Critical Systems at least once a year. This systems audit must be distinct from any audit of your finances. Use trusted and independent experts to audit your Critical Systems, and if you use your employees as auditors, ensure their independence by protecting their employment from retaliation and by isolating them from the work of administering, operating, changing and testing your Critical Systems.
  7. Outsourcing and organisational control. You must ensure that all persons who have access to your Critical Systems, or who design, develop, operate, maintain, change, test and audit your Critical Systems, comply with this Agreement and PCI DSS. You are responsible for ensuring compliance even if such persons are not your employees.

What to do in case of a Data Breach

  1. Data Breach. If you experience a Data Breach, you agree to do all of the following:
    (a) Take whatever action you can to stop the Data Breach and mitigate its consequences immediately after discovering the Data Breach.
    (b) Notify PayPal as soon as possible after discovering the Data Breach by contacting your account manager (if one is assigned to you) or contacting our Customer Service (details of how to contact us are on the "Contact Us" page). If you cannot simultaneously do (a) and notify PayPal, then do (a) first and then notify PayPal.
    (c) Notify all Shared Customers whose Card Data has been exposed or which is likely to have been exposed, so that those Shared Customers can take steps to prevent misuse of the Card Data. You further agree to complete this notification immediately after you perform (a) and (b) above, to notify PayPal when you have completed this notification, and to provide a list of Shared Customers whom you have notified. If you fail to complete this step promptly after the Data Breach, PayPal may notify Shared Customers of the Data Breach, and will identify the Shared Customers from your PayPal Account records of who has paid you using a card.
    (d) If requested by PayPal, have an independent third party auditor, approved by PayPal, conduct a security audit of your Critical Systems and issue a report. You agree to comply with PayPal’s request under this clause at your own expense. You must provide a copy of the auditor’s report to PayPal, and PayPal may provide copies of it to the banks (including, without limitation, Acquiring Institutions) and Card Associations involved in processing card transactions for PayPal. If you do not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at your expense. See also Schedule 1 on Audit.
    (e) Cooperate with PayPal and follow all reasonable instructions from PayPal to avoid or mitigate consequences of the Data Breach, to improve your Critical Systems so that they satisfy the requirements of this Agreement, and to help prevent future Data Breaches. However, PayPal shall not require you to do more than this Agreement requires, unless the additional measures are reasonable in light of the risk to Shared Customers and the best practices of online retailing.
    (f) Resume normal operation of your Critical Systems only when you have ascertained how the Data Breach occurred and taken all reasonable steps to eliminate the vulnerabilities that made the Data Breach possible or which could make other Data Breaches possible.
    (g) Report the Data Breach to law enforcement authorities, cooperate in any investigation that they undertake, and cooperate as the authorities may request in order to identify and apprehend the perpetrator of the Data Breach.
    (h) Refrain from using Card Data that have been exposed or modified in the Data Breach. However, this clause does not prevent you from obtaining and using Card Data again from Shared Customers affected by the Data Breach, after the vulnerabilities in your Critical Systems have been remedied pursuant to (f) above.

Data protection

  1. You as data controller. You confirm that you are the data controller (as defined in the Data Protection Directive) for all personal data of Shared Customers that you collect and store.
  2. Your compliance with European privacy laws. You agree to comply with all applicable laws and regulations, including without limitation, the laws of your country that transpose the Data Protection Directive or any successor to it and any rules or guidance by the data protection regulator of your country.

Card Data and PCI DSS

  1. Retention of Card Data. Unless you receive and record the express consent of the cardholder, you may not retain, track, monitor or store any Card Data. You must completely and securely destroy all Card Data that you retain or hold within 24 hours after you receive an authorisation decision from the issuer relevant to that Card Data.

    If, with the cardholder’s consent, you briefly retain Card Data, you may do so only to the extent that the Card Data are necessary for processing payment transactions with the cardholder’s authorisation. You must never give or disclose the retained Card Data to anyone, not even as part of the sale of your business. Moreover, and regardless of anything to the contrary, you must never retain or disclose the card verification and identification data printed in the signature stripe on the back of the card (i.e. the CVV2 Data), not even with the cardholder’s consent.
  2. Card Data that you must not store. Notwithstanding the immediately preceding clause, you agree not to store any personal identification number (PIN) data, AVS Data, CVV2 Data, or data obtained from the magnetic stripe or other digital storage facility on the card of any cardholder (unless that data is also printed or embossed on the front of the card). Card associations may impose fines if you violate this clause, which reflects card association rules. In this clause, ‘store’ means retain in any form, whether digital, electronic, paper-based, or otherwise, but does not include temporary capture and holding of data while it is actively being processed (but not afterwards).
  3. Merchant’s use of Card Data. You agree not to use or disclose Card Data except for the purposes of obtaining authorisation from the card issuer, completing and settling the Card Transaction for which the Card Data was given to you, together with resolving any Chargeback or Reversal Dispute, or similar issues involving Card Transactions. PayPal is required by banking laws to refund payments lacking the payer’s authorisation, so your use of Card Data to carry out a Card Transaction must be authorised by the cardholder or it will be subject to Reversal.
  4. Secure storage and disposal of Card Data. You agree to:
    1. establish and maintain sufficient controls for limiting access to all records containing Card Data;
    2. not sell or disclose to a third party any Card Data or any information obtained in connection with a Card Transaction;
    3. keep no Card Data on paper or in portable digital storage devices such as USB memory devices or removable disks;
    4. not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request; and
    5. destroy Card Data either by destroying the medium on which the Card Data are stored or by erasing or rendering the Card Data completely and irreversibly unintelligible and meaningless.
    If you transfer your business, Card Data and any information you have about Card Transactions is not transferable under Card Association rules as an asset of the business. In such cases, you agree to provide the Card Data and any transactional data to PayPal if it requests. If PayPal does not request such data, you must destroy it when your business transfers.
  5. PCI DSS audit. If PayPal so requests, you agree that a Qualified Security Assessor may conduct a security audit of your systems, controls and facilities and issue a report to PayPal and the Associations. You agree to cooperate fully in the conduct of this audit, and to provide any information and access to your systems required by the auditor for the performance of the audit. You also agree to bear the reasonable expenses of this audit. If you fail to initiate such an audit after PayPal requests you to do so, you authorise PayPal to take such action at the Merchant’s expense, or PayPal may immediately suspend your use of your Product. You will receive a copy of the audit report, and PayPal must also receive a copy and provide a copy to any Acquiring Institution or Card Association that requests a copy.”