PayPal Online Card Payment Services Agreement
Last Update: December 16, 2020
This PayPal Online Card Payment Services Agreement ("Agreement") contains the terms of a contract between you (also referred to as the “Merchant”) and PayPal (Europe) Sàrl et Cie, SCA ("PayPal" or "we").
PayPal is licensed as a Luxembourg credit institution and is under the prudential supervision of the Luxembourg supervisory authority, the Commission de Surveillance du Secteur Financier (the "CSSF"). The CSSF has its registered office in L-1150 Luxembourg.
About this Agreement
This Agreement applies to you if you are registered with PayPal as resident of Italy.
By integrating or using any of the Products or Online Card Payment Services you agree to be bound by the terms of this Agreement. If you are offered and choose to use any Product, Online Card Payment Service or functionality (including technology) mentioned in this Agreement, the terms in this Agreement relating to that Product, Online Card Payment Service or functionality apply.
The Products are:
Each of the Products includes one or more Online Card Payment Services. The Online Card Payment Services are:
The User Agreement for PayPal Service (which we call here the User Agreement), Commercial Entity Agreement and Privacy Statement form part of this Agreement. See section 5 for more provisions relating to how these other legal documents apply.
We may amend, delete or add to this Agreement in line with the Change process set out in the User Agreement. If you do not agree with any Change, you may terminate this Agreement as set out in section 8 of this Agreement.
Please view, download and save this Agreement.
1. Setting up and activating your Product
1.1 Getting started. To obtain and use your Product, you must first do all of the following:
PayPal Hosted Solution is offered as a PayPal Hosted Integration only. If your Product is Advanced Credit and Debit Card Payments, we may allow you to integrate and use the Advanced Credit and Debit Card Payments API as a PayPal Hosted Integration or Self Hosted Integration.
We may set either Hosting Option as your default option for integrating the Custom Card Fields API into the payment process of your website.
1.2 Cancellation. PayPal may decline your application for the Product(s) due to your credit history, PayPal history, or for any other reason in PayPal's discretion. You agree and acknowledge that we and/or our agents reserve the right in our sole discretion to reject your application and enrolment for the Product(s) and we may limit your access to or use of the Product(s) without any further obligation to you. We may terminate your access to and/or use of any or all Products and / or terminate this Agreement at any time before the Activation Date by notifying you.
2.1 How fees are paid
You agree to pay the fees in this Agreement as they become due without set-off or deduction. You authorise us to deduct our Fees from the amounts we transfer but before those funds are credited to your Account.
Except as further provided in this Agreement, you agree to pay the fees set out in the User Agreement.
Fees will be charged in the currency of the payment received.
The Fees for receiving Domestic Transactions (Selling) as outlined in the User Agreement apply to each domestic Standard PayPal Payment you receive.
The fees called out in the User Agreement for receiving payments in your PayPal account apply to each payment you receive from a card using the Online Card Payment Services. If you opt to be charged under the Interchange Plus Fee Structure, you will be charged the fees called out in the User Agreement for receiving payments in your PayPal account plus the Interchange Fee.
The fee for Receiving Cross Border payments (Selling) applies as outlined in the User Agreement, except that it does not apply to payments received from cards using the Online Card Payment Services under the Interchange Plus Fee Structure and American Express card type transactions.
2.5. Monthly Reports on Transaction Costs
PayPal shall make available monthly reports on transaction costs (inclusive of interchange fees) for card transactions which you process with the Product. These reports will be downloadable from your PayPal account. The reports do not include any Standard PayPal Payments.
3. Choice of Interchange Plus Fee Structure and Blended Pricing Fee Structure
You may choose the fee structure applicable to you for your receipt of card payments through any of the Online Card Payment Services (including via Direct Payment API, Advanced Credit and Debit Card Payments API and/or eTerminal) by the methods or procedures that PayPal may make available to you. If you do not make an election, you will stay on your existing fee structure.
You may choose your fee structure for future transactions only, not for past transactions.
Interchange Fees are set by Visa and MasterCard. They vary for different types of cards (for example by categories and brand). PayPal shall always charge you the Interchange Fee as set by Visa and MasterCard and as passed on by its Acquirer. Single Interchange fees may change from time to time. For more information on Interchange Fees, please see MasterCard’s and Visa’s websites as well as our simplified overview.
If you opt to be charged under the Interchange Plus Fee Structure you agree that, when PayPal receives a card payment for you through any of the Online Card Payment Services, PayPal may hold those funds in the Reserve Account portion of your PayPal Account before they reach the Payment Account portion of your PayPal Account. You instruct PayPal to pay those funds to your Payment Account only on the Business Day on which PayPal receives the information about the interchange fee applicable to the card payment. While the funds are held in your Reserve Account, the transaction will appear to you as “Pending” in your Account details. PayPal does not consider that the proceeds of the card payment in your Reserve Account are at your disposal until PayPal has received the information on the applicable interchange fee from our Processor (which can be within the next Business Day following the day on which the card payment was initiated by the card holder).
4. Information Security and Data Protection
4.1 Compliance with Data Security Schedule. You agree (as a "Merchant") to comply with Schedule 1 below, which forms part of this Agreement.
4.2 Your PCI DSS compliance. You also agree to comply with the PCI Data Security Standard (PCI DSS). You must protect all Card Data that comes within your control according to PCI DSS, and you must design, maintain and operate your website and other systems in conformity with PCI DSS. You must ensure that your staff are and remain sufficiently trained so that they are aware of PCI DSS and can carry out its requirements. PayPal is not responsible for any costs that you incur in complying with PCI DSS. Find more information about PCI DSS at the PCI Security Standards Council’s website here: https://www.pcisecuritystandards.org/pci_security/.
4.3 PayPal’s PCI DSS compliance. PayPal warrants that PayPal and your Product comply and will comply with PCI DSS. However, PayPal’s compliance, and your Product’s, are not sufficient to achieve compliance with PCI DSS by you and your systems and processes.
4.4 3D Secure. Requirements of the European Central Bank and PayPal’s bank regulators require use of 3D Secure in certain circumstances, and Card Associations may also require it to reduce an excessive number of Card Transactions unauthorised by the cardholder. PayPal may by notice to you require that you implement 3D Secure for all or certain specified Card Transactions. You agree to implement 3D Secure if required in such a notice, where the issuer of a particular card supports 3D Secure for that card.
4.5 Price and currency. You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
4.6 Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 2 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Agreement relating to data protection and privacy.
5. How our other legal documents apply
5.1 You can find this Agreement, the User Agreement, the Commercial Entity Agreements and the Privacy Statement on the Legal Agreements page by clicking the Legal link at the bottom of a PayPal web page.
5.2 User Agreement. The User Agreement forms part of this Agreement. As much as possible, this Agreement and the User Agreement should be interpreted as a consistent whole. Where a conflict of interpretation arises, this Agreement overrides the User Agreement to the extent of the conflict, except in relation to your use of any of the Products or individual Online Card Payment Services as part of our new checkout solution as set out in the User Agreement.
Capitalised words which are not defined in this Agreement are defined in that User Agreement. The definition of “Services” and “Agreement” in the User Agreement, when read together with these terms, includes the Products and this Agreement. The User Agreement includes important provisions which:
You are responsible for Chargebacks, Reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Product, including its fraud filtering technology and similar preventive tools (if any). Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for Chargebacks, Reversals and payments which are otherwise invalidated.
5.3 Commercial Entity Agreement. By agreeing to be bound by this Agreement, you also agree to the Commercial Entity Agreements. These are your direct agreements with the Acquiring Institutions, PayPal’s banking partners, who enable you to receive card payments and card-funded PayPal payments.
5.4 Privacy Statement. You confirm that you have read, consented and agreed to PayPal’s Privacy Statement, which explains the information that we collect about you and your online business. In particular, you agree and consent that PayPal may obtain from a third party your credit history and financial information about your ability to perform your obligations under this Agreement; the PayPal Privacy Statement lists the companies involved in this exchange of credit-related information. PayPal will review your credit and other risk factors of your Account (reversals and chargebacks, customer complaints, claims etc.) on an ongoing basis, and we may also review your website and the products for sale on it. PayPal will store, use and disclose all information that we have about you in conformity with PayPal’s Privacy Statement.
5.5 Additional terms for American Express card acceptance
If we allow you to receive payments from American Express cards, this section 5.5 applies to you.
5.5.1 Commercial Marketing Communications. American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with card marketing and administrative purposes. By accepting these terms, you agree to receive commercial marketing communication from American Express. You may opt out by notice by contacting us. Visit our PayPal Help Centre page accessible from your User Agreement and most PayPal web pages to find out how to contact us. If you opt out of commercial marketing communications, you will still receive important transactional or relationship messages from American Express.
5.5.2 Direct Card Acceptance. You acknowledge that if you reach certain monthly and/or annual sales volumes relating to American Express as set by American Express for the time being and from time to time, American Express may require you to enter into a direct contractual relationship with them. In this situation, American Express will set pricing for American Express transactions, and you will pay fees for American Express transactions directly to American Express.
5.5.3 Audit Rights. American Express may conduct an audit of you at any time, for the purpose of determining compliance with the American Express Rules.
5.5.4 Submission and Settlement Rights. You authorise PayPal to submit transactions to, and receive settlement from, American Express, and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications. Merchant may terminate its acceptance of American Express at any time upon notice.
5.5.5 Third Party Beneficiary. American Express shall be a third-party beneficiary of this Agreement for purposes of American Express card acceptance. As a third-party beneficiary, American Express shall have the right to enforce directly against you the terms of this Agreement as related to American Express Card acceptance. You acknowledge and agree that American Express shall have no responsibility or liability with regard to PayPal’s obligations to you under this Agreement.
5.5.6 Card Present, Unattended Terminals and Payment Kiosks. You shall not accept American Express cards for any payment under this Agreement when the card is either (i) presented at a physical point of the purchase or transaction; (ii) used at unattended establishments (e.g., customer activated terminals) or (iii) presented at a payment kiosk. In addition, you shall be prohibited from providing or making available to any American Express cardmember that comes to its physical location, a computer or an online interface that will enable the American Express cardmember to access their PayPal Account.
6. Intellectual Property and ID codes
6.1 Licence. PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to (a) use your Product in accordance with the documentation provided on the PayPal Website; and to (b) use the documentation provided by PayPal for your Product and reproduce it for internal use only within your business. Your Product as licensed is subject to change and will evolve along with the rest of the PayPal system; see section 9.1. You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Product issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and card scheme rules and regulations).
6.2 ID codes. PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of the codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
6.3 Ownership of PayPal Hosted Solution and Advanced Credit and Debit Card Payments information and materials. As part of your access to, and use of PayPal Hosted Solution and/or Advanced Credit and Debit Card Payments, you will be provided with certain information and materials (the “Pro Materials”) for your use with the Products. All intellectual property rights associated with these materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). You agree to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Pro Materials to any person.
6.4 PayPal Hosted Integrations and your intellectual property. You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Products (“Your Marks”) for the sole purpose of enabling your use of the Products (including, without limitation, the customisation of your hosted Product). Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you shall indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Products.
7.1 Fraud Protection. The terms in Schedule 3 apply to your use of Fraud Protection.
7.2 Vaulting Tool. If you use the Vaulting Tool, before collecting your customers’ Card Data, you will:
7.2.1 notify your customers that:
7.2.1.1 the information collected will be saved and retrievable by you for future payments from the customer including, potentially, “buyer not present” payments;
7.2.1.2 the customer can update the information; and
7.2.1.3 the customer can revoke the consent.
7.2.2 obtain your customers’ consent to collect and use that information on the above basis;
7.2.3 ensure that when your customers give the above consent and opt into the feature they do so by taking a deliberate and recorded action, e.g. clicking an optional button, or checking a default-unchecked box.
7.3 Account Updater Service
7.3.1 Description. Subject to the terms of this section 7.3, PayPal may make the Account Updater Service available to you, for which PayPal will send the applicable Card Data of eligible Cards to one or more third party sources, and use information available to PayPal, to check and update the applicable Card Data. Following these checks, the applicable updated Card Data relating to your customers, if any, is processed and stored by PayPal at your direction and on your behalf to enable you to accept Recurring Billing, Recurring Payments, or other eligible transactions using the Products from its customers with the applicable updated Card Data. If the Account Updater Service is made available to you, PayPal will either provide you with email notification that the Account Updater Service has been activated on your account(s) or allow you to enable the Account Updater Service on your account(s) through your PayPal account settings. You may elect to discontinue use of the Account Updater Service at any time by providing written notice to PayPal of such election or by such other means as may be designated by PayPal.
7.3.2 Permitted Use. You acknowledge and agree that the Account Updater Service is provided solely for the purpose of updating applicable Card Data to enable your acceptance of transactions using the Products. You shall not use the Account Updater Service for any other purpose, including, without limitation, the use of any portion of the Account Updater Service data in connection with the development of any other service or product.
7.3.4 Confidentiality. You agree that you shall keep all information and Card Data provided through the Account Updater Service, if any, strictly confidential. You may not disclose any such information or Card Data to any third party and you may not use such information or Card Data for any purpose other than as may be expressly permitted.
7.3.5 Indemnification. You shall indemnify PayPal against any loss arising as a result of a breach by you of your obligations under this Section for use of the Account Updater Service.
7.3.6 Accuracy of Information. You acknowledge that the Account Updater Service may only be accurate to the extent a card issuing bank and a customer participate, and that many card issuing banks and customers may not participate. You acknowledge and agree that the Account Updater Service may rely upon information, Card Data, and services provided to PayPal by third parties.
7.3.7 Termination. PayPal may terminate the Account Updater Service at any time upon email notice to you.
8. Termination and suspension
8.1 By you. You may terminate this Agreement by giving 30 days’ prior notice to PayPal Customer Service of your intent to either:
If you use Advanced Credit and Debit Card Payments only, you may give PayPal Customer Service immediate notice to terminate this Agreement or close the PayPal Account that you use with Advanced Credit and Debit Card Payments as outlined in sections a. and b. above.
You may stop using Advanced Credit and Debit Card Payments at any time by giving prior notice to PayPal Customer Service of your intent to stop using Advanced Credit and Debit Card Payments only. PayPal Customer Service will confirm the stoppage for you via email. This option lets you stop using Advanced Credit and Debit Card Payments and paying for any future transactions, but your PayPal Account remains open and this Agreement and the User Agreement remain in effect. You may start using Advanced Credit and Debit Card Payments again at any time subject to the terms of this Agreement as amended.
You may stop your acceptance of American Express card payments using the Products at any time by giving prior notice to PayPal Customer Service.
Visit our PayPal Help Centre page accessible from your User Agreement and most PayPal web pages to find out how to contact us so that you can take the above actions.
8.2 By PayPal. PayPal may terminate this Agreement or any Product-specific part of it by doing any of the following:
8.3 By events. PayPal may terminate this Agreement immediately without notice if you:
8.4 Effect of termination. When this Agreement or any part of it terminates, you must immediately stop using the terminated Products, and PayPal may prevent or hinder you from using it after termination. If you nevertheless use a Product after termination of this Agreement, then this Agreement will continue to apply to your use of that Product until you give effect to the termination by stopping your use of that Product. The following sections in this Agreement shall survive termination of this agreement and continue in full force and effect: sections 2, 4.1, 8.2, 8.4. Termination of this Agreement or any part of it shall not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee applicable to any period prior to termination.
8.5 Breach and suspension. If you breach this Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Product (in other words, we may render your Product temporarily inoperable). PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Agreement or PCI DSS, PayPal may suspend your use of your Product pending further investigation.
If PayPal suspends your access to or use of PayPal Hosted Solution or Advanced Credit and Debit Card Payments, PayPal will notify you and explain the basis of PayPal’s actions in suspending your use of your Product, and may specify corrective actions to cure the breach and have the suspension lifted. PayPal’s suspension of your access or use of PayPal Hosted Solution or Advanced Credit and Debit Card Payments will remain in effect until such time as PayPal is satisfied that you have remedied the applicable breach(es).
9.1 Future of the Products. PayPal retains sole and absolute discretion in determining (a) the future course and development of the Products, (b) which improvements to make in them and when, and (c) whether and when defects are to be corrected and new features introduced. PayPal welcomes feedback from users in planning the future of the Products but is not required to act in accordance with any feedback received. In giving us feedback, you agree to claim no intellectual property interest in your feedback.
9.2 No warranty. Your Product and all accompanying documentation are provided to you on an “as is” basis.
PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to:
Nothing provided by PayPal under this Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty.
No obligation or liability will arise out of PayPal’s rendering of:
in connection with any Product, licensed software and user document provided. This includes, among other matters, services that may assist you with the customisation of your Product.
PayPal recommends that you test the implementation of your Product thoroughly as PayPal is not responsible for any loss caused by a defect in it.
If PayPal hosts your Product (in other words, we run the software for you as a web service), PayPal does not guarantee continuous, uninterrupted or secure access to your hosted Product.
PayPal will not be liable for any delay or failure in hosting your Product.
You acknowledge the availability of your Product for use may be occasionally limited to allow for repairs, maintenance or the introduction of new facilities or services.
Some countries do not allow the disclaimer of implied warranties, so the foregoing disclaimers might not apply to you.
9.3 Indemnity. You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable attorneys’ fees) incurred in relation to any third party (including a Shared Customer) and arising out of your breach of this Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy), or the violation of any law.
9.4 Assignment, amendment and waiver. You may not assign this Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this agreement without your consent by notifying you. Neither party may amend this Agreement or waive any rights under it except in a written document signed by both parties.
9.5 English law and jurisdiction. This Agreement is governed by the laws of England and Wales. You and we submit to the non-exclusive jurisdiction of the courts of England and Wales.
Capitalised terms not listed in this section are defined in the User Agreement.
3D Secure: A security procedure that enables a card-issuing bank to authenticate the cardholder authorising a Card Transaction at the time a payment is made. 3D Secure has other brand names depending on the Card Association whose branding appears on the card; brand names for 3D Secure include Verified by Visa and MasterCard SecureCode.
Account Updater Service: A functionality as further defined in section 7.3.
Acquiring Institution: means a financial institution or bank that provides services to you and PayPal to enable you to (a) accept payment by cardholders using cards; and (b) receive value in respect of Card Transactions.
Activation Date: The date on which you complete all of the steps for “Getting started” as listed in section 1 above.
Advanced Credit and Debit Card Payments: A Product as further defined in the About your Agreement section.
Advanced Credit and Debit Card Payments API: An Online Card Payment Service as further defined in the About your Agreement section.
Advanced Fraud Management Filters: Technology provided by PayPal to enable you to (a) check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns. See the PayPal Website and product documentation for further information. Advanced Fraud Management Filters offer a greater level of transaction screening, and transactions can be automatically flagged, reviewed or declined based on how you configure the filters.
AVS Data: Information returned by the Address Verification System operated by or on behalf of Card Associations, which compares address data provided by an apparent cardholder with address data on file for the card at the card issuer.
Card Association: A company or consortium of financial institutions which promulgates rules to govern Card Transactions that involve the card that carries the company’s or the consortium’s brand. Examples include Visa USA, Visa Europe, and the other Visa regions; Mastercard International Incorporated; American Express Company and similar organisations.
Card Data: All personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally), together with the cardholder’s name and address and any other information necessary for processing a Card Transaction.
Card Transaction: A payment made using a credit or debit card, an American Express card, or any other payment method using a physical data-carrying item intended to be held in the payer’s possession. The Products support only certain types of Card Transactions; see the PayPal Website for more information.
Critical Systems: The information technology (both hardware and software) that you employ to operate your Products, to protect them and your online points of sale against intrusion and interference, and to store payment-related and personal data, including any Card Data that you retain and all personal data about Shared Customers.
CVV2 Data: The three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and tie the card account number to the plastic.
Data Breach: An intrusion into or malfunction of a computer system in which Card Data are stored, and which intrusion or malfunction either (a) exposes, modifies or destroys all or part of the Card Data in the system, or (b) runs a significant risk, in the opinion of a qualified expert in information security, of exposing, modifying or destroying all or part of the Card Data in the system. Card Data are exposed where they are released from the normal access controls of the system without authorisation, or where they are actually disclosed to one or more unauthorised persons.
Fraud Protection: Technology provided by PayPal to enable you to (a) check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns, offered together with the Advanced Credit and Debit Card Payments API as an alternative to the Advanced Fraud Management Filters.
General Data Protection Regulation: Regulation (EU) 2016/679 (General Data Protection Regulation) or any successor to it, together with all other laws about the privacy of citizens or residents of the member state of the European Economic Area in which you reside or are established as a business enterprise.
Direct Payments API: An Online Card Payment Service as further defined in the About your Agreement section.
eTerminal: Functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given you by the cardholder. eTerminal is one of the Online Card Payment Services and also a standalone Product as further defined in the About Your Agreement section.
Express Checkout: Functionality for expediting online retail checkout by using information provided to you by PayPal. Details about Express Checkout appear on the PayPal Website and in the documentation that PayPal provides for PayPal Hosted Solution and Advanced Credit and Debit Card Payments.
Hosting Option: Any of the following: (i) a PayPal Hosted Integration; or (ii) a Self Hosted Integration.
Monthly Fee: A fee payable on a monthly basis as required in section 2 above.
Online Card Payment Services: Functionality provided online by PayPal to enable merchants to receive payments directly from a payer’s card (without the funds passing via the payer’s PayPal Account), without the card being present at the website or other point of sale. Online Card Payment Services are integral to the Products. The Online Card Payment Services are listed and further defined in the About your Agreement section.
PayPal Hosted Integration: PayPal’s Direct Payments API or Advanced Credit and Debit Card Payments API integrated into the payment process of your website pursuant to section 1, with that functionality being operated (including the card entry field being hosted) entirely on PayPal’s server (rather than on your website).
PayPal Hosted Solution: A Product as further defined in the About your Agreement section.
PayPal Website: The website provided by PayPal for the country in which you reside. In the case of Italy, the PayPal Website is currently at http://www.paypal.it. References to PayPal Websites for other countries can be found via a link from any other PayPal Website.
PCI DSS: Payment Card Industry Data Security Standard, which consists of specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org/.
Product: "Your Product" means whichever one of the Products you access and use after accepting this Agreement. The Products are listed and further defined in the About your Agreement section.
Qualified Security Assessor has the meaning given it in PCI DSS.
Recurring Payments Tool: Technology provided by PayPal for setting up payments that recur at specified intervals or frequencies with authorisation from the payer. See the PayPal Website and product documentation for further information.
Self Hosted Integration: PayPal’s Direct Payments API or Advanced Credit and Debit Card Payments API integrated into the payment process of your website pursuant to section 1, with that functionality being operated (including the card entry field being hosted) at least in part on your website.
Shared Customer: A person who has a PayPal Account and is also your customer.
Standard PayPal Payments: All Payments which you receive from another PayPal account or payments via PayPal’s Account Optional Service or from Local Payment Methods.
Vaulting Tool: API-based technology provided by PayPal to enable you to store and retrieve card details for payments that recur at specified intervals or frequencies with authorisation from the payer. See the PayPal Website and product documentation for further information.
User Agreement: The contract entered into online as part of the online registration process required to open a PayPal Account. The current User Agreement is to be found via a link from the footer of nearly every page on the PayPal Website. It includes certain policies, notably the Acceptable Use Policy, which are also listed on the PayPal Website.
PayPal Hosted Solution, Advanced Credit and Debit Card Payments and eTerminal enable you to accept payments online directly from debit and credit cards, which are payment instruments whose security depends on controlling the disclosure of Card Data. A person who has sufficient Card Data can send or receive a card payment charged to the cardholder’s account without necessarily having the cardholder’s authorisation for the payment. To prevent your Shared Customers from having their Card Data misused, you must keep Card Data secret at all times. The General Data Protection Regulation also requires you to keep a Shared Customer’s personal data secure.
PayPal strongly recommends that you obtain the services of a competent professional expert in information security to advise you and assist in securing your website and any other points of sale.
Principles of Data Security
What to do in case of a Data Breach
Card Data and PCI DSS
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant. Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION
1.1 The following terms have the following meanings when used in this Schedule:
"Card Information" is defined in Section 2.15 of this Schedule.
"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule is a data subject.
"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.
"Data Recipient" is defined in Section 2.15 of this Schedule.
"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.
1.2 Schedule. This Schedule comprises (i) sections 1 to 2, being the main body of the Schedule; (ii) Attachment 1; and (iii) Attachment 2.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:
2.3.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.
2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.
2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.
2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.
2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.
2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).
3 EU STANDARD CONTRACTUAL CLAUSES RELATED TERMS
3.1 Application. The EU Standard Contractual Clauses are set out in Attachment 3 (the “EU Standard Contractual Clauses”). The EU Standard Contractual Clauses apply only to Customer Data that is transferred by Merchants established in the European Economic Area (“EEA”) or Switzerland to any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR) in which PayPal may store and process Customer Data.
3.2 Instructions. This Schedule and the Agreement are Data Exporter’s complete and final instructions to Data Importer for the processing of Customer Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the EU Standard Contractual Clauses, the Data Exporter gives the following instructions: (a) to process Customer Data in accordance with the Agreement; and (b) to process Customer Data initiated by Merchants in their use of the Services during the Term. These instructions also describe the duration, object, scope and purpose of the processing.
3.3 Audits and Certifications. The Parties agree that the audits described in Clause 5(f), Clause 11 and Clause 12(2) of the EU Standard Contractual Clauses shall be fulfilled in the following manner: the provisions of paragraph 2.11 of this Schedule shall also apply to the Data Importer as if it were PayPal.
3.4 Certification of Deletion. The Parties agree that the certification of deletion of personal data that is described in Clause 12(1) shall be provided by the Data Importer to the Data Exporter only upon Data Exporter’s request.
3.5 Liability. The Parties agree that all liabilities between them (and in respect of Data Importer, such liabilities shall be aggregated with those of PayPal so that collectively their cumulative joint liability is capped at the level set out in the Agreement) under this Schedule and the EU Standard Contractual Clauses will be subject to the terms of the Agreement (including as to limitation of liability), except that such limitations of liability will not apply to any liability that Data Importer may have to data subjects under the third party rights provisions of the EU Standard Contractual Clauses.
3.6 Exclusion of third party rights. Subject to paragraph 4.6, PayPal shall be granted third party rights in relation to obligations expressed to be for the benefit of the Data Importer or PayPal in this Schedule and Data Subjects are granted third party rights under the EU Standard Contractual Clauses. All other third party rights are excluded.
For and on behalf of (insert Merchant legal name)…………………………………
Name of signatory……………………………………. Title of signatory……………………………………
For and on behalf of PayPal (Europe) S.à r.l. et Cie, S.C.A.
Name of signatory…………………………………… Title of signatory…………………………………… Date…………………………………………………
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
Data Processing of Customer Data
Categories of data subjects
Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.
Subject-matter of the processing
The payment processing services offered by PayPal which provides Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.
Nature and purpose of the processing
PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale of goods or services.
Type of personal data
Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:
Advanced Credit and Debit Card Payments
A Billing address
Card or payment instrument type (optional)
Card Primary Account Number (PAN)
Card Verification Value (CVV)
Card expiration date
Special categories of data (if relevant)
The transfer of special categories of data is not anticipated.
Duration of Processing
The term of the Agreement.
EU STANDARD CONTRACTUAL CLAUSES
Controller to Processor export of personal data (from EEA countries)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Name of the data exporting organisation: ………………………………………..
Other information needed to identify the organisation: …………………………… (the data exporter)
Name of the data importing organisation: PayPal, Inc
Address: 2211 North First Street, San Jose, CA 95131
Other information needed to identify the organisation: …………………………… (the data importer)
each a “party”; together “the parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.
For the purposes of the Clauses:
Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Third-party beneficiary clause
Obligations of the data exporter
The data exporter agrees and warrants:
Obligations of the data importer
The data importer agrees and warrants:
(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
(ii) any accidental or unauthorised access, and
(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
Mediation and jurisdiction
1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
(b) to refer the dispute to the courts in the Member State in which the data exporter is established.
2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.
Cooperation with supervisory authorities
The Clauses shall be governed by the law of the Member State in which the data exporter is established.
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Obligation after the termination of personal data processing services
On behalf of the data exporter:
Name (written out in full): …………………………………………….
Other information necessary in order for the contract to be binding (if any):
Signature…………………………………………….(stamp of organisation)
On behalf of the data importer (PayPal, Inc):
Name (written out in full): …………………………………………….
Address: 2211 North First Street, San Jose, CA 95131
Signature……………………………………………. (stamp of organisation)
APPENDIX 1 TO THE EU STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is: Merchant
An entity that uses the Data importer’s services in respect of its Customers
The data importer is: PayPal, Inc
A payment services provider which in relation to the Braintree services provides a payment gateway so that Merchant can provide Customer credit card and other details to banks and other payment service providers to process payments from Customers
The personal data transferred concern the following categories of data subjects:
The data exporter’s Customers
Categories of data
The personal data transferred concern the following categories of data:
Customer name, amount to be charged, card number, CSV, post code, country code, address, email address, fax, phone, website, expiry date, shipping details, tax status
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable, unless Merchant configures the service to capture such data.
The personal data transferred will be subject to the following basic processing activities:
The receipt and storage of Personal Data in the performance of the Services during the Term of the Agreement.
APPENDIX 2 TO THE EU STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The technical and organizational measures are set forth at Attachment 1 to this Amendment.
The Fraud Tool is made available to you as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you adopt in the Fraud Tool. The tool allows you to set filter rules, i.e. to instruct us about which transactions the tool shall decline on your behalf based on abstract criteria.
We may provide suggestions or recommendations regarding what filters and settings in the Fraud Tool to use that may be appropriate for your business. These suggestions take into account your past transaction history.
It is your responsibility to set the filter rules. Please note: If you set these filter rules too restrictively, you might lose sales volume. We advise you to monitor your filter rules and settings on an ongoing basis.
We do not represent or warrant that the Fraud Tool is error-free or that it will identify all potentially fraudulent transaction activity.
We are not liable for your losses (such as loss of profits) or damages arising from or related to your use of the Fraud Tool, to the extent that applicable law allows.
Sections 15.3 and 15.4 of the User Agreement apply.
You may only use the Fraud Tool for the purpose of your management of fraud risk and for no other purpose.
You may not share use of the Fraud Tool with any other person, nor may you disclose to any person the categories provided in the Fraud Tool or the results generated from your use of the Fraud Tool.
Despite your settings on the Fraud Tool, we always retain the right to decline or suspend any transaction pursuant to the terms of the User Agreement.
These terms supplement the User Agreement that governs your use of our services in general. The definition of our Services in the User Agreement, when read together with these terms, includes the Fraud Tool.
We may amend, delete or add to these terms in line with the Change process set out in the User Agreement. If you do not agree with any Change, you may terminate these terms.
You may terminate these terms at any time by removing the Fraud Tool from your integration and following any other integration-related steps which we may make available to you. This lets you stop using the Fraud Tool, but otherwise your Account remains open and the User Agreement (and any other relevant agreements relating to the provision of Services to you) remains in effect.
We may, at any time, for any reason and (where possible) with reasonable prior notice, terminate, cancel or suspend the Service to the extent it relates to our Fraud Tool without liability towards you.
These terms survive any termination to the extent and for so long as we require to: (i) deal with matters arising from your use of the Fraud Tool prior to termination; and/or (ii) comply with applicable laws and regulations.