How PayPal helps keep you secure.

Apr 30 2018 | Alice Wong, Small business - North Americas, PayPal

Learn how everything we do around security aims to live up to our commitment that PayPal is the "secure way to pay and be paid." 
As a strategic business priority, we work hard every day to fight cybercrime, and we also invest heavily in trying to keep our sites and services as secure as possible. Here are just a few ways we help you stay secure:
 
1. PayPal security key.
Using the PayPal security key is optional, but it’s a highly recommended way to keep your account secure. The PayPal security key is a two-step authentication that sends you a one-time personal identification number (PIN), which is unique for each login session. You use this temporary code, and your password, to log in to your PayPal account. Activate your security key here.

2. Data encryption. 
End-to-end encryption is an important element in helping keep your data and PayPal transactions secure. Our team of security and compliance experts is dedicated to educating customers on industry standards, and implementing methods like:
  • Secure HTTPS connections and strong TLS configurations. When you register or log in to PayPal from your computer or mobile device, we make sure it’s a secure HTTPS connection, enforced with HTTP Strict Transport Security (HSTS), and a strong TLS configuration*. Strong TLS configurations are the current industry standard for trusted communication channels and allow your information to travel across the internet securely. And only allowing HTTPS connections helps to reduce your exposure to some passive and active attacks.
  • Key pinning. We implement key pinning when you access PayPal via an iOS or Android app. When your mobile device establishes a TLS connection, key pinning ensures it connects to a genuine PayPal server instead of someone posing as us.
  • Data protection compliance. We comply with stringent data protection requirements, while in transit and at rest, such as PCI-DSS. In addition to industry and regulatory encryption requirements, PayPal’s Information Security Policies and Controls are reviewed by independent third parties to the following industry standards and guidelines: American Institute of Certified Public Accountants SSAE16 SOC1, AT101 SOC2, Sarbanes-Oxley.
3. Email confirmations. 
Anytime you send or receive a PayPal payment, we'll send you an email to confirm the transaction. If you ever receive a confirmation email for a transaction you didn't make, let us know right away, and we'll launch an investigation.
 

Our security measures help protect your information, but you should also take some steps to beef up security. There are lots of ways you can be proactive about protecting yourself from the threat of malicious software.
 
You can access additional information about protecting your online security by reviewing our FAQs at the bottom of this page.
 

The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

*TLS 1.2 or higher by the end of June 2018.

Frequently asked questions.

You get the same security you’re used to with PayPal:
  • We automatically encrypt your confidential info in transit from your computer to ours using the Secure Sockets Layer protocol (SSL) with an encryption key length of 128-bits (the highest level commercially available). Before you even register or log in to the PayPal site, our server checks that you're using an approved browser, one that uses SSL 3.0 or higher.
Learn more about how PayPal keeps your information secure here.
 
Will any of my information be shared?
The only information available publicly through your PayPal.Me link will be your Profile photo (if you have one), the name associated with the account, a cover photo if you added one, the personal note, and your city and state/country according to your preferences. 
 
This information is displayed to reassure your friends and family that they are paying the right person.
 
Someone else is using a PayPal.Me link that infringes my intellectual property rights. What can I do about that?
Use of a PayPal.Me link that infringes the intellectual property rights of a third person is prohibited under the PayPal.Me Terms and Conditions. It is our policy to deactivate any infringing links that are reported to us together with adequate supporting information. To submit a report, please follow the instructions in our Infringement Report Policy.
 
What are PayPal Confirmed Charities?
PayPal Confirmed Charities is a process for confirming that every entity that registers with PayPal as a charity is properly registered and in good-standing according to local regulations, and that these charities own the bank accounts they provide to PayPal, ensuring funds you donate reach the charity you selected. Whenever you donate through PayPal.Me, look for the ribbon symbol next to the charity name to ensure that the charity is confirmed.
The PayPal Secure FTP Server is a secure File Transfer Protocol (SFTP) server, provided to enable business partners and large merchants to programmatically retrieve results of PayPal processing in the form of output data, such as PayPal reports. You can get programmatic access to the server through any SFTP client of your choice, such as WinSCP, Cyberduck, or FileZilla.

Customers must apply for access to PayPal's secure FTP server, and once they have it, must create a unique user account.
  • If you have an Account Manager - Contact your PayPal Account Manager to sign up for access to the secure FTP server. Your Account Manager will send a notice to your primary email address when access has been granted.
  • If you don't have an Account Manager - Contact Merchant Support. Agents are available from 6:00 A.M. Central Time to 11:00 P.M. Central Time Monday through Friday, and 8:00 A.M. to 10:00 P.M. Central Time Saturday and Sunday.
  • Outside of the US - Contact PayPal Technical Support via your local PayPal phone numbers.

Creating a secure FTP server user account
Here's how to create a secure FTP server user account once your SFTP access has been approved:
  1. Click the Settings icon next to "Log out."
  2. Click Account access under "Account & Security" on the left of the page.
  3. Click Update next to "Secure FTP."
  4. On the Secure FTP Server Users page, click Add.
  5. On the Security Measures page, confirm your identity by re-entering the full bank account number associated with your PayPal account, then click Submit.
  6. On the Create Secure FTP Server User page, choose a Name, Access Type and Password for your account. Agree to the Terms of Use, then click Create User.
  7. The Secure FTP Server Users page displays the new user information.
  • It can take up to 48 hours to create a Secure FTP Server user.
  • Once the user has been created and the Secure FTP Server is ready for use, PayPal sends an email message to the business partner’s primary email address.

Accessing reports via SFTP

The hostname of PayPal's SFTP server is reports.paypal.com. The server uses the following directory structure: ppreports/outgoing (to hold report files).

You'll find the file naming conventions for individual reports on the Secure FTP Server detailed in the Secure FTP Server Specification. This specification includes an excellent example of a UNIX shell script for retrieving reports.
Yes. Your organization is responsible for ensuring that PCI standards are met for all electronic donations, regardless of dollar amount or number of transactions. However, if your organization uses PayPal Payments, the PCI burden is lessened, because all financial transactions take place on PayPal’s secure servers. For PayPal transactions, your organization won’t have access to, or be responsible for, sensitive transactional data.
Connect with PayPal, formerly known as Log In with PayPal, allows customers to sign in to your website using their PayPal login credentials. Customers who click the Connect with PayPal button can sign up, log in, and buy items without having to remember another user identity. In addition, their user account data is dynamically updated. This streamlines your sign-up and sign-in processes and gives you access to PayPal's 200 million active users.

Integrating Connect with PayPal means that PayPal takes responsibility for customer financial information. Once you've integrated Connect with PayPal with your app, you can also integrate Express Checkout to provide your customers with a seamless checkout experience.

Connect with PayPal uses the OpenID Connect standard, allowing you to trust that your users are securely logged in. Your system must manage the login and logout sessions, as well as any of the user information provided through PayPal.

See Integrate Connect with PayPal for more information.
   
Here's how to integrate Connect with PayPal:
  1. Create your PayPal application. See Manage your application for details.
  2. Enable Connect with PayPal for your application. Next, learn how to Provide information for a Connect with PayPal app.
  3. Create a Connect with PayPal dynamic button to integrate to your site.
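Connect with PayPal hands authentication to PayPal over OpenID Connect, but the checks that decide whether the returned ID token may start a session on your site are yours to perform, as the text above notes. The following is an added example, not PayPal's code or SDK: the issuer URL and client id are placeholders to be replaced from your app configuration, and signature verification of the token against the provider's published keys is assumed to have passed before these claim checks run.

```python
import base64
import json
import time
# Placeholders: the real issuer URL and your client id come from your app config.
EXPECTED_ISSUER = "https://issuer.example"  # placeholder, not PayPal's issuer
CLIENT_ID = "your-client-id"                # placeholder client id
class IdTokenError(ValueError):
    """The ID token must not be used to start a session."""
def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
def decode_claims(id_token: str) -> dict:
    """Payload of a compact JWT; signature verification against the provider's
    published keys is assumed to have passed before this is called."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed id_token")
    return json.loads(_b64url_decode(parts[1]))

def validate_claims(claims: dict, expected_nonce: str, now=None, leeway=60) -> str:
    """OpenID Connect ID token checks; returns the provider's stable subject id."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in auds:
        raise IdTokenError("token was not issued for this client")
    if len(auds) > 1 and claims.get("azp") != CLIENT_ID:
        raise IdTokenError("azp must name this client when aud lists several")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IdTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch: stale or replayed login response")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims["sub"]

def establish_session(id_token: str, session: dict) -> str:
    """Spend the nonce saved when login started, validate, bind the subject."""
    nonce = session.pop("oidc_nonce", None)  # single use: a replayed response fails
    if nonce is None:
        raise IdTokenError("no pending login for this session")
    session["user_sub"] = validate_claims(decode_claims(id_token), nonce)
    return session["user_sub"]

def make_test_token(claims: dict) -> str:
    """Constructed unsigned token for offline testing only; real tokens are signed."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.signature-placeholder"
```

Keying the local session on the `sub` claim rather than on a display name or email keeps the binding stable even if the user later changes profile details at PayPal.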