PAYPAL ONLINE CARD PAYMENT SERVICES AGREEMENT
(Previously the separate Paypal Website Payments Pro and Virtual Terminal agreement and the Advanced Credit and Debit Card Payments and Virtual Terminal agreement)
Last Updated: December 31, 2020
This PayPal Online Card Payments Services Agreement (“Agreement”) is a contract between you (“Merchant”, “you” and “your”) and PayPal, Inc. (“PayPal”, “we”, “us”, or “our”) and governs your use of the Online Card Payment Services. You must read, agree with, and accept all of the terms and conditions contained in this Agreement and the PayPal User Agreement to use any of the PayPal Services set forth herein. By continuing to use any such Services, you also agree to remain in compliance with all of the terms and conditions in this Agreement and the PayPal User Agreement, so please read all of the terms and conditions carefully.
This Agreement, the PayPal User Agreement, and any other applicable agreement(s) you have entered into with PayPal (collectively “PayPal Agreements”) shall apply to your use of the Services. If any inconsistency exists between the terms of the PayPal User Agreement and this Agreement, then, except for PayPal Checkout, the terms of this Agreement shall control in connection with your use of the Services. The terms of the PayPal User Agreement shall control for any inconsistency for PayPal Checkout.
We may amend or otherwise revise this Agreement and any applicable policies from time to time. The revised version will be effective at the time we post it unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the Policy Updates page of our website and provide you with the same length of advance notice as set forth in the PayPal User Agreement. By continuing to use our Services after any changes to this Agreement, you agree to abide and be bound by those changes. If you do not agree with any changes to this Agreement, you may, as applicable, terminate your use of the Services before such changes become effective and/or close your account.
1. Credit Report Authorization.
You understand and agree that you are providing PayPal with your “written instructions” in accordance with the Fair Credit Reporting Act, and you are authorizing and acknowledge that PayPal may obtain your personal credit report from a credit bureau for the purpose of your use of the Services. You further understand and agree that you are authorizing PayPal to obtain your credit report on an ongoing basis for account review purposes.
2. Fees and Payment Terms.
a. PayPal Services Fees. Fees for the Services may be charged on a monthly basis or per transaction. The fees you pay for the applicable Services can be found on the Fees page. All fees are in United States (“U.S.”) Dollars unless otherwise stated.
b. General Payment Terms.
i. Monthly Fees. Any applicable monthly fees for the Services will be charged in advance, unless otherwise set forth herein or on the Fees page.
ii. Transaction Fees. For fees charged per transaction, the fee amount will be deducted from the transaction amount at the time of the transaction. You are liable for all claims, expenses, fines, and liability PayPal incurs arising out of your use of the Services.
iii. Non-Refundable. All fees are non-refundable.
c. Service-Specific Payment Terms.
i. VT Terms. If you use Virtual Terminal only, you agree to allow PayPal to charge your PayPal account for fees that become due under this Agreement. In the event that PayPal is unable to recover any fee amount that is due from your PayPal account, PayPal may terminate your use of the Services within thirty (30) days of the date that the fee was due and you will remain obligated to pay PayPal for any unpaid amounts. If you use Payments Pro and choose to have your fees under this Agreement charged to your PayPal account, the terms of this Section 2.c.i. apply.
ii. Payments Advanced and Pro Payflow Terms. If you use Payments Advanced or Payments Pro Payflow, you agree to allow PayPal to charge the credit card or bank account that you provided when you registered for these Services for fees that become due under this Agreement. If you use Payments Pro and choose to have your fees under this Agreement charged to your credit card or bank account, the terms of this Section 2.c.ii. apply.
iii. Required Use of PayPal-Hosted Pages for PayPal Payments Advanced. Payments Advanced requires the exclusive use of PayPal-hosted templates on your checkout pages to process payments. If you use Payments Advanced to process payment sales or authorizations on non-PayPal hosted pages, you may be charged the higher monthly fee for using Payments Pro Payflow instead of the Payments Advanced monthly fee, but you may not receive full access to all features of Payments Pro Payflow. PayPal may implement this fee increase in its sole discretion at any time with thirty (30) days’ prior written notice to you. You agree to terminate your use of the Services if you do not agree to this fee.
d. Promotional Period. If you have signed up for the Services pursuant to a promotional period, you agree to pay any applicable monthly fee upon the expiration of a promotional period offered by PayPal.
e. Failure to Use PayPal Checkout. If you fail to comply with the requirement to use PayPal Checkout described in Section 8, you may be subject to up to a 1% fee increase to your then current Transaction Fee rate. This fee may be included in your initial rate when you first sign up for the Services, or may be added at any time by PayPal with thirty (30) days’ prior written notice of the fee increase. You agree to terminate your use of the Services if you do not agree to this fee.
f. Risk Factors Fee. If PayPal determines that your PayPal account receives, or is likely to receive, a disproportionately high number of customer complaints, Reversals, chargebacks, disputes, claims, fees, fines, penalties or other liability (collectively “Risk Factors”), you may be subject to up to a 5% fee increase above your then current Transaction Fee rate. This fee may be added to your initial rate when you first sign up for the Services, or may be added at any time by PayPal with thirty (30) days’ prior notice of the fee increase. You agree to terminate your use of the Services if you do not agree to this Fee.
g. Processing Requirements. You agree to submit only any transactions for processing which represent a bona fide, permissible transaction free of liens, claims, and encumbrances other than ordinary sales taxes; as outlined in this Agreement and in the Card Company Rules, or which accurately describes the product or services being sold or the charitable donations being made. You authorize PayPal to submit transactions to and receive settlement from American Express and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications. You also agree to ensure data quality and that any Data is processed promptly, accurately and completely, and complies with the Card Companies’ technical specifications. You agree not to process transactions or receive payments on behalf of any other party or redirect payments to any other party. You agree not to bill or collect from any cardholder for any purchase or payment on the card unless you have the right to do so under the Card Company Rules.
3. Data Security; Data Protection; Data Portability.
a. General. You are fully responsible for the security of data on your website or otherwise in your possession or control. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as “Data”) on your website. You must report any Data breach or incident to PayPal and the Card Companies immediately after discovery of the incident.
b. PCI DSS Compliance.
i. Merchant PCI Compliance. You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Company data security requirements, as applicable. You agree to promptly provide us with documentation evidencing your compliance with PCI DSS, PA DSS, or other Card Company data security requirements, if requested by us. You also agree that you will use only PCI compliant service providers in connection with the storage, or transmission of Card Data. You must not store CVV2 Data at any time.
Your customers’ Card Data is handled by PayPal if: (a) your Service is Payments Advanced, or (b) your Service is Payments Pro Payflow and you choose to activate the “transparent redirect” feature and integrate the feature properly per PayPal’s instructions. In order to verify your PCI DSS compliance in connection with these Services, you must complete PCI DSS compliance certification pursuant to the requirements that we notify to you via email.
If you are accessing the Services through a platform service partner, you acknowledge that your platform service partner may offer solutions that help you comply with certain of these Merchant PCI compliance standards. While the platform service partner may help you comply or perform certain obligations on your behalf, you remain liable for compliance with these Merchant PCI Compliance standards.
ii. PayPal PCI Compliance. PayPal agrees that it shall comply with the applicable PCI DSS requirements, as such may be amended from time to time, with respect to all cardholder data received by it in connection with this Agreement. PayPal acknowledges that it is responsible for the security of cardholder data it possesses or otherwise stores, processes or transmits on behalf of the Merchant, or to the extent that they could impact the security of the Merchant’s cardholder data environment.
c. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express written consent of PayPal and each Acquiring Bank and/or the Card Companies, as applicable, you agree that you will not use nor disclose the Card Data for any purpose other than to support payment for your goods and services. Card Data must be completely removed from your systems, and any other place where you store Card Data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the Card Data for the sole purpose of processing recurring payments. To the extent that Card Data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the Services and all Card Data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.
If you are using ACP and VT for payments received through a partner platform service provider, you may not be receiving Card Data, but may receive other confidential information about another PayPal customer in order to fulfill the transaction and you will continue to be bound by the terms of our PayPal User Agreement.
d. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary and you will ensure that each such employee or agent complies with the terms of this Agreement. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the Services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by PayPal, each Acquiring Bank or the Card Companies.
e. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third-party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within ten (10) business days of PayPal’s request, PayPal may conduct or obtain such an audit at your expense. In addition, the Card Companies may conduct an audit at any time, for the purpose of determining compliance with the Card Company Rules.
f. Compliance with Data Protection Schedule. You, as a Merchant, and PayPal agree to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Agreement relating to data protection and privacy.
g. Data Portability. Upon any termination or expiration of this Agreement, PayPal agrees, upon your written request, to provide your new Acquiring Bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to your Customers (“Card Information”). In order to do so, you must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) you provide PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).
4. Additional Terms for American Express Card Acceptance.
a. American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with Card marketing and administrative purposes.
b. You may be converted from this Agreement to a direct card acceptance agreement with American Express if you reach certain monthly sales volumes. Upon conversion, (i) you will be bound by American Express’ then-current Card Acceptance Agreement; and (ii) American Express will set your pricing and other fees for American Express Card acceptance.
c. By accepting these terms, you agree to receive commercial marketing communications from American Express. You may opt out by contacting PayPal at (888) 221-1161.
d. American Express shall be a third-party beneficiary of this Agreement for purposes of American Express Card acceptance. As a third-party beneficiary, American Express shall have the right to enforce directly against you the terms of this Agreement as related to American Express Card acceptance. You acknowledge and agree that American Express shall have no responsibility of liability with regard to PayPal’s obligations to you under this Agreement.
e. The American Express Merchant Operating Guide, which is incorporated herein by this reference, sets forth policies and procedures governing your acceptance of the American Express Card and can be accessed here: www.americanexpress.com/Merchantopguide.
5. Dynamic Currency Conversion.
You may not perform dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price of each product or service in each currency.
6. Brand Parity.
By using the Servies, PayPal permits you to directly accept Cards. With regard to your Card acceptance, you agree to the following:
a. Where you accept Cards on your website, you will display each Card’s logo with equal size and prominence, and you shall not display a preference for, nor discriminate against, one Card over another, including your refund policies for purchases.
b. You agree to comply with the logo usage standards located at: https://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/OnlineLogoCenter-outside.
c. You authorize PayPal to provide information regarding your business and individual Card transactions to third-parties for the purpose of facilitating the acceptance and settlement of your Card transactions and in connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries.
7. Card Not Present.
You acknowledge that PayPal routes and processes transactions, as appropriate, through the Services via the relevant Card Company network(s) as remote (card not present) payments. If you accept a Card that is physically presented to you at the point of sale you acknowledge that the scope of your protection from chargebacks will be limited to the protection that is available for remote payments.
8. Required Use of PayPal Checkout, PayPal Credit.
a. If you use ACP, Payments Advanced, Payments Pro, or Payments Pro Payflow you must use PayPal Checkout in the following manner:
1. You must include a PayPal Checkout button either: (i) before you request the shipping/billing address and other financial information from your customers or (ii) on the same page that you collect such information if you only use one page for your checkout process.
2. You must provide your customers with the option of not storing their personal information, including their email address, shipping/billing address, and financial information.
b. If you use ACP or Payments Advanced, you must offer PayPal Credit as a payment option on your hosted checkout page as automatically enabled by PayPal. Any offers associated with PayPal Credit that you present outside of the hosted checkout page must be displayed in the manner prescribed and instructed by PayPal and approved by PayPal prior to posting.
9. Fraud Protection.
a. General. Subject to the terms set forth in this Agreement, PayPal’s Fraud Protection may be made available to Merchants who use ACP and Payments Pro as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you may adopt. In the case of Payments Pro, Fraud Protection Services may be made available instead of, or in addition to, Risk Controls, Fraud Management Filters, or Fraud Protection Services described in this Agreement.
The Fraud Protection tool may help Merchant screen potentially fraudulent transactions based on Fraud Protection setting the Merchant selects to adopt. For example, the tool allows you to set filter rules, i.e., to instruct PayPal which transactions PayPal will decline on your behalf based on abstract criteria.
PayPal may provide suggestions or recommendations regarding which filters and settings to use that may be appropriate for your business. These suggestions may take into account your profile and past transaction history.
If you are provided access to Fraud Protection, then it is your responsibility to set the filter rules. Please note: If you set these filter rules too restrictively, you might lose sales volume. We advise you to monitor your filter rules and settings on an ongoing basis. If you use Payments Advanced or Payments Pro Payflow, you may use our Fraud Protection Services. If you use our Fraud Protection Services, you are responsible for setting preferences for the PayPal Fraud Protection Services. It is your responsibility to determine which transactions the Fraud Protection Services will accept or reject based on the authentication information provided by PayPal.
b. No Warranty or Limitation of Liability. We do not represent or warrant that Fraud Protection is error-free or that it will identify all potentially fraudulent transaction activity. PayPal shall not be liable for your losses (such as loss of profits) or damages. The sections of the PayPal User Agreement on “Indemnification and Limitation of Liability” and “Disclaimer of Warranty and Release” apply to your use of Fraud Protection.
c. Data Protection. Merchant may only use Fraud Protection for the purpose of managing its fraudulent transaction risk and for no other purpose. You acknowledge that Fraud Protection does not provide Consumer Reports under the Fair Credit Reporting Act, and you will not use it, or let any other person use it, for the determination of eligibility for personal, family or household credit, loan, employment, or other purpose that would make the results from Fraud Protection be deemed Consumer Reports under the Fair Credit Reporting Act. You may not share use of Fraud Protection with any other person, nor may you disclose to any person the categories provided in Fraud Protection or the results generated from your use of Fraud Protection.
d. Terms Supplemental. These terms supplement the PayPal User Agreement that governs your use of PayPal’s services in general. PayPal reserves the right to suspend, change or cancel PayPal’s Fraud Protection at any time as it may determine in its sole discretion. PayPal reserves the right to add additional terms and conditions for continued use of Fraud Protection.
10. Risk Controls for Certain Services.
If you use Payments Advanced, Payments Pro, Payments Pro Payflow and VT (as standalone Services), you may be able to elect to use our Risk Controls which provide you the option of changing our certain controls to accept transactions with a higher likelihood of risk. Eligibility for Risk Controls is determined in PayPal’s sole discretion. The following terms apply to your use of the Risk Controls:
a. Liability. If you adjust your Risk Controls, in addition to your existing liability for fraudulent transactions, you are liable for all additional risk. It is your responsibility to adjust the Risk Controls to determine whether you want to accept or decline such transactions. You may adjust the Risk Controls on the Risk Controls Overview Page on the PayPal website. If you would like to remove your ability to access Risk Controls, please contact your account manager.
b. Expanding Acceptance. You may adjust your Risk Controls to accept certain payments, including:
i. Direct Payments or Virtual Terminal Payments that are unable to verify the cardholder’s address through the Address Verification Services. This is also referred to as “AVS No Match.”
ii. Direct Payments or Virtual Terminal Payments that do not include a card security code. This is also referred to as “Card Security Code Not Submitted”.
iii. All payment types that failed PayPal’s proprietary risk models.
c. Expanding Declines. You may adjust your Risk Controls to decline payments, including:
i. Direct Payments or Virtual Terminal Payments where the address entered by the cardholder only partially matches the information stored by the issuing bank.
ii. Direct Payments or Virtual Terminal Payments where the Address Verification Service is unsupported or unavailable at the time the payment is processed.
d. Transaction Reviews. You may adjust your Risk Controls to review and manually accept payments. Reviewing a payment prevents the funds from being transferred to your Account until you review the payment. If you do not accept a payment within thirty (30) days, it will be reversed. Note that not all payment types can be reviewed.
e. Rejecting Transactions. You may not reject a transaction unless, based on various combinations of authentication information, you reasonably determine that the individual requesting the transaction is misrepresenting his or her identity.
11. Fraud Management Filters for Certain Services.
If you use Payments Advanced, Payments Pro, Payments Pro Payflow and VT (as a standalone Service), you may be able to elect to use our fraud management filters. Fraud management filters allow you to accept or reject transactions with a higher likelihood of risk. If you would like to restrict the ability to access fraud management filters, please contact your account manager. Note, not all transactions will be reviewed and there is no guarantee that fraud management filters will prevent losses.
a. Liability. If you adjust your fraud management filters, in addition to your existing liability for fraudulent transactions, you are liable for all additional risk. It is your responsibility to adjust the fraud management filters to determine whether you want to accept or decline such transactions.
b. Adjustments. You may adjust your fraud management filters to accept, flag, review or deny certain payments, including:
i. Direct Payments or Virtual Terminal Payments that are unable to verify the cardholder’s address through the Address Verification Services. This is also referred to as “AVS No Match”.
ii. Direct Payments or Virtual Terminal Payments that do not include a card security code. This is also referred to as “Card Security Code Not Submitted”.
iii. Direct Payments and Virtual Terminal Payments that failed PayPal’s proprietary risk models.
iv. Direct Payments and Virtual Terminal Payments where the address entered by the cardholder only partially matches the information stored by the issuing bank.
v. Direct Payments and Virtual Terminal Payments where the Address Verification Service is unsupported or unavailable at the time the payment is processed.
c. Transaction Reviews. Reviewing a payment prevents the funds from being transferred to your Account until you decide to accept that payment. If you do not accept a payment within thirty (30) days, it will be reversed.
d. Rejecting Transactions. You may not reject a transaction unless, based on various combinations of authentication information, you reasonably determine that the individual requesting the transaction is likely not the consumer they are representing themselves to be.
12. Chargeback Protection Services.
- General. To be eligible for Chargeback Protection Services, you need to have a PayPal Business account, and you must be approved by PayPal for such Chargeback Protection Services. Applications for Chargeback Protection Services will be assessed by PayPal, and we may accept or reject applications at our sole discretion. If you currently use Fraud Protection, you will need to turn off Fraud Protection before your use of the Chargeback Protection Services will be considered for approval (because you may not use Fraud Protection if you use Chargeback Protection Services and vice versa).
If you are approved for Chargeback Protection Services, you will not suffer a loss resulting from unauthorized chargebacks in relation to “Eligible Chargebacks” made on “Eligible Transactions” (both as defined below). This means, in the event of an Eligible Chargeback, you will keep the transaction amount and will not pay any chargeback fee.
We will accordingly waive our right to recover our unauthorized chargeback losses pursuant to the PayPal User Agreement (under ‘Your Liability’) and will not charge a chargeback fee pursuant to the PayPal User Agreement.
Chargeback Protection Services are provided with two options – “Effortless Chargeback Protection” and “Chargeback Protection” (both as defined below).
- Eligible Chargebacks. Chargeback Protection Services only provide coverage for unauthorized chargebacks filed for specified reasons relating to transactions not authorized by the cardholder, as determined by PayPal (“Eligible Chargebacks”).
Chargeback Protection Services do not provide any coverage for chargebacks filed for the following reasons: (i) Item was not received; or (ii) Item is significantly not as a described.
- Eligible Transactions. Chargeback Protection Services only provide coverage for Eligible Chargebacks on card transactions processed by PayPal that meet the criteria set forth below (“Eligible Transactions”):
- Card transactions processed via the ACP and Payments Pro SDKs (as applicable and available); and
- Card transactions for goods and services that are not (1) excluded under the terms of the PayPal User Agreement, including but not limited to the Acceptable Use Policy, or (2) “Ineligible Transactions” (as defined below).
- Ineligible Transactions. Chargeback Protection Services do not provide any coverage for the following items or transactions (“Ineligible Transactions”):
- Vehicles with a motor, especially automobiles, motorcycles, boats, and aircraft.
- Items equivalent to cash (including, without limitation, stored value items such as gift cards and pre-paid cards).
- Payments made in respect of financial products and investments.
- Payments made in respect of gold (whether in physical form or in exchange-traded form).
- PayPal Mass Payments transactions.
- Items equivalent to cash (including without limitation stored value items such as gift cards and pre-paid cards).
- Payments made in respect of financial products and investments.
- Disbursements on eBay.
- Any other transactions determined to be ineligible by PayPal in its sole discretion.
- Chargeback Protection Services Options. Chargeback Protection Services are available as two different options:
- “Effortless Chargeback Protection” where you will not be required to provide proof of fulfilment of an order for goods or services that is subject to an unauthorized chargeback in order for you to be eligible for coverage for such unauthorized chargeback; or
- “Chargeback Protection” where you will be required to provide proof of fulfilment of an order for goods or services that is subject to an unauthorized chargeback within 10 days (or such time period as otherwise specified by PayPal) of such unauthorized chargeback being received for approval in order for you to be eligible for coverage for such unauthorized chargeback.
- Chargeback Protection Services Fees. The fees for the Chargeback Protection Services will vary depending on the Chargeback Protection Services option you select.
You may change your selected Chargeback Protection Services option at any time by notifying us. The change will take effect immediately but will only affect Eligible Chargebacks made after you have paid the additional Chargeback Protection fee. For the purpose of illustration:
If you change your selection from the “Effortless Chargeback Protection” option to the “Chargeback Protection” option, but an unauthorized chargeback was filed in relation to a transaction performed prior to such selection change, you must still pay the higher “Effortless Chargeback Protection” fee on such transaction, but you will not be required to provide proof of fulfilment for such transaction. For any unauthorized chargebacks filed after such selection change, you will only have to pay the lower “Chargeback Protection” fee, but you will be required to provide proof of fulfilment in accordance with the “Chargeback Protection” requirements.
- Chargeback Recovery by PayPal. If you have provided us with incorrect information (for example, with respect to your business type) during the application process for Chargeback Protection Services or during sign up for a PayPal account, we are entitled to recover all our chargeback losses from you (including for past transactions prior to us discovering that the information provided was wrong). We are also entitled to recover all our chargeback losses from you if you violate the PayPal User Agreement (for example, if you engage in a Restricted Activity) or if you violate this Agreement.
13. Account Updater Service for Certain Services.
If you use Payments Advanced, Payments Pro, Payments Pro Payflow and VT (as a standalone Service), you may be able to elect to use our Account Updater Service.
a. Description. Subject to the terms of this Section, the Account Updater Service allows PayPal to send the applicable Card Data of eligible Cards to one or more third party sources, and use information available to PayPal, to check and update the applicable Card Data. Following these checks, the applicable updated Card Data relating to Merchant’s customers, if any, is processed and stored by PayPal at Merchant’s direction and on the Merchant’s behalf for (i) recurring transactions using the Recurring Billing or Recurring Payments or (ii) other eligible transactions using the Services. PayPal will either provide Merchants with email notification that the Account Updater Service has been activated on such Merchants’ account(s) or allow Merchants to enable the Account Updater Service on their account(s) through their PayPal account settings. Merchants may elect to discontinue use of the Account Updater Service at any time by providing written notice to PayPal of such election or by such other means as may be determined by PayPal regarding the requirements for such Merchants to discontinue use of the Account Updater Service.
b. Permitted Use. Merchant acknowledges and agrees that the Account Updater Service is provided solely for the purpose of updating applicable Card Data to enable Merchant’s acceptance of transactions using the applicable Services. Merchant shall not use the Account Updater Service for any other purpose, including, without limitation, the use of any portion of the Account Updater Service data in connection with the development of any other service or product.
d. Accuracy of Information. Merchant acknowledges that the Account Updater Service may only be accurate to the extent a card issuing bank and a customer participate, and that many card issuing banks and customers may not participate. Merchant acknowledges and agrees that the Account Updater Service may rely upon information, Card Data, and services provided to PayPal by third parties.
e. Cessation of Account Updater Service. PayPal may immediately cease offering or providing the Account Updater Service to Merchants at any time upon email notice to Merchants.
14. Recurring Billing/Recurring Payments Consent for Certain Services.
This section applies if you use Payments Advanced, Payments Pro, Payments Pro Payflow and VT (as a standalone Service). If you are using the Recurring Billing or Recurring Payments feature you agree that it is your responsibility to comply with Card Company Rules, applicable law, including the Electronic Funds Transfer Act (Reg E), including by capturing your customers’ agreement to be billed on a recurring basis.
15. No Warranty.
THE SERVICES AND ALL ACCOMPANYING DOCUMENTATION ARE PROVIDED TO YOU ON AN “AS IS” BASIS WITHOUT ANY WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. PAYPAL MAKES NO WARRANTY THAT THE SERVICES WILL BE CONTINUOUS OR ERROR-FREE. PayPal does not guarantee, represent or warrant that the Services and related features that enable you to detect or minimize fraudulent transactions will discover or prevent all non-valid or fraudulent transactions. PayPal is not responsible for any non-valid or fraudulent transactions that are processed.
16. Reserves and other Protective Actions.
If, in our sole discretion, we believe there may be a high level of risk associated with you, your PayPal account, your business model, or your transactions we may take certain actions in connection with your Account and/or your use of the Services.
a. Reserves. PayPal, in its sole discretion, may place a Reserve on funds held in your PayPal account when PayPal believes there may be a high level of risk associated with your Account. If PayPal places a Reserve on funds in your PayPal account, they will be shown as “pending” in your PayPal Balance. If your PayPal account is subject to a Reserve, PayPal will provide you with notice specifying the terms of the reserve. The terms may require that a certain percentage of the amounts received into your PayPal account are held for a certain period of time, or that a certain amount of money is held in reserve. PayPal may change the terms of the Reserve at any time by providing you with notice of the new terms.
b. Additional Actions. We may take other actions we determine are necessary to protect against the risk associated with your PayPal account including requesting additional collateral from you such as a letter of credit or a personal guarantee. PayPal may contact your customers, on your behalf, in the event that PayPal is investigating potential fraud.
c. Information. In order to determine the risk associated with your PayPal account, PayPal may request at any time, and you agree to provide, any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any Service if your business is materially different from the information you provided in your application.
a. By Merchant. You may terminate your use of the Services at any time. Merchant may terminate its acceptance of American Express at any time upon notice.
b. By PayPal. PayPal may terminate your use of the Services if:
1. You fail to comply with the terms of, or are unable to pay or perform your obligations under, this Agreement or any of the PayPal Agreements that apply to the Services;
2. We decide, in our discretion, that you become ineligible for the Services because there is a high level of risk associated with your PayPal account or for any other reason, or upon request by any Acquiring Bank or any of the Card Companies.
3. You violate any Card Company Rule as they may be amended by the Card Companies from time to time.
c. Effect of Termination. If your use of any Service is terminated, you agree to complete all pending Card transactions, immediately remove all logos for Cards, and stop accepting new transactions through such Service. You will not be refunded the remainder of any applicable Monthly Fees that you have paid for such Service.
18. PayPal is Your Agent for Receiving Payment.
You represent and warrant to PayPal that each transaction that you process through the ACP, PayPal Payments Pro, or VT Services is solely in payment for your provision of bona fide goods and/or services to your customers (each, a “Payor”). You hereby designate PayPal, and PayPal hereby agrees to serve, as your limited agent for the sole purpose of receiving such payments on your behalf from your Payors. You agree that upon PayPal receiving payment from a Payor: (a) you shall be deemed to have received payment from such Payor, (b) such Payor’s obligation to you in connection with such payment shall be satisfied in full, (c) any claim you have for such payment against such Payor shall be extinguished and (d) you are obligated to deliver the applicable goods and/or services to the Payor, in each case regardless of whether or when PayPal remits such payment to you. PayPal will remit to you in accordance with this Agreement or apply as an offset to any obligation you may have to PayPal, any such payments it receives on your behalf. Any receipt provided to the Payor shall be binding on you and shall satisfy all applicable regulatory requirements. This paragraph states the entirety of PayPal’s duties as your agent for receipt of payment, and no other duties shall be implied by PayPal’s undertaking to act in that capacity.
a. Law and Forum for Disputes. Except as otherwise agreed by the parties or as described in the PayPal User Agreement, you agree that any claim or dispute you may have against PayPal must be resolved by a court located in either Santa Clara County, California, or Omaha, Nebraska. You agree to submit to the personal jurisdiction of the courts located within Santa Clara County, California, or Omaha, Nebraska for the purpose of litigating all such claims or disputes. This Agreement shall be governed in all respects by the laws of the State of California, without regard to conflict of law provisions.
b. Indemnification. You agree to defend, indemnify and hold PayPal, its parent, officers, directors and employees harmless from any claim or demand (including attorneys’ fees) made or incurred by any third-party due to or arising (i) out of your breach of this Agreement; (ii) your use of the Services, including, without limitation, chargebacks, refunds, and Card Company fines and penalties; (iii) your fraudulent transaction or data incidents.
c. No Waiver. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches.
d. Compliance with Laws. You agree to comply with all applicable laws, rules, or regulations, including the Card Company Rules.
e. Complete Agreement. This Agreement, along with the PayPal User Agreement and any applicable policies and agreements on the Legal Agreements page on the PayPal website, sets forth the entire understanding between you and PayPal with respect to your use of the Services. If any provision of this Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. In addition, your acceptance of Card transactions via a Service is also subject to a Commercial Entity Agreement you have with each of the Acquiring Banks.
“Account Monitoring Service” means the optional Service associated with Payments Pro Payflow that receives notifications of suspicious activity, as described in more fully on the PayPal website.
“Account Updater Service” means the Service in which PayPal may update applicable customer Card Data of eligible Cards using information and third-party sources available to PayPal, as further described in Section 13. In providing this Service, PayPal may obtain, on Merchant’s behalf, applicable updated customer Card Data of eligible Cards from participating card issuing banks and other third-party sources for use in the processing of Merchant’s Recurring Billing, Recurring Payments, or other eligible transactions using the Services.
“Acquiring Bank” means each of the financial institutions PayPal partners with to process your Card payments, including your Direct Payments and VT Payments, and each of your Card funded PayPal Checkout payments, and with whom you entered into a Commercial Entity Agreement.
“Advanced Credit and Debit Card Payments” means the suite of functionality consisting of the Advanced Credit and Debit Card Payments API (as the standard online interface) and Fraud Protection (as an optional additional Service).
“Advanced Fraud Management Filters” means the optional feature associated with Payments Pro and Virtual Terminal that allows you to use additional filters and toggles to help protect you from fraud and chargebacks, as described in more detail on the PayPal website.
“Agreement” has the meaning provided in the first paragraph of this Agreement.
“American Express” means American Express Travel Related Services Company, Inc. and its affiliates.
“API” means PayPal’s proprietary application programming interfaces used to interface with the PayPal systems in order to use certain Services.
“Buyer Authentication Service” means the optional Service associated with Payments Pro Payflow that enables you to integrate Visa’s Verified by Visa and MasterCard’s SecureCode into Payments Pro Payflow, as described in more detail on the PayPal website.
“Card Company(ies)” means a company or group of financial institutions that promulgate rules to govern Card Transactions via bankcard and payment networks including, but not limited to, MasterCard, Visa, Discover, American Express, as well as US debit networks, including Star, Nyce, Pulse, and Accel.
“Card Company Rules” means the rules and regulations governing acceptance of Cards. Rules are available for Visa, MasterCard, American Express, Discover, and for Star, Nyce, Pulse, and Accel upon request, each as updated from time to time.
“Card Data” means a cardholder’s account number, expiration date, and CVV2.
“Card(s)” means payment cards branded with the logos of (i) Visa, MasterCard, American Express, Discover; and (ii) US debit networks, including Star, Nyce, Pulse, and Accel.
“Chargeback Protection Services” means the Service that may provide coverage against a loss resulting from certain eligible unauthorized chargebacks, as further described herein.
“CVV2 Data” means the three or four digit number printed to the right of the Card number in the signature panel on the back of the Card. On American Express Cards, it is printed on the front of the Card above the Card number.
“Data” has the meaning provided in Section 3.a.
“Direct Payment” means a payment processed by PayPal through the Direct Payment API that is funded directly by a Card and not through a PayPal account.
“Data Recipient” has the meaning provided in Section 3.g.
“PayPal Checkout” means the Service where PayPal is a payment option on a Merchant’s website at checkout, with payments being processed by PayPal through the PayPal Checkout APIs and funded directly from a User’s PayPal account.
“Fixed Fee” means the portion of the Transaction Fees that is a fixed monetary amount and not a percentage of the payment amount, as identified on the Fees page.
“Fraud Protection” means the optional Service associated with ACP and Payments Pro that allows you to access additional risk management features that may help protect you from potentially fraudulent transactions, as described in more detail on the PayPal website.
“Fraud Protection Services” means the optional Service associated with Payments Advanced and Payments Pro Payflow, that allows you to access additional risk management features to help protect you from fraud and chargebacks.
“Monthly Sales Volume” means the total payment volume processed by you through any Service using any payment method, which is used for determination of fees as set forth on the Fees page.
“Online Card Payment Services” means the suite of payment processing services offered by PayPal which provide merchants with the ability to accept and receive credit and debit card payments on a website or mobile application where cardholders enter their own Card Data, or by merchants manually entering Card Data given to them by a cardholder. For purposes of this Agreement, these services include Payments Advanced, Payments Pro, Payments Pro Payflow, Advanced Credit and Debit Card Payments, and Virtual Terminal.
“Payments Advanced” means PayPal Payments Advanced (also known as Website Payments Pro Payflow Link Edition), which is the suite of Services consisting of PayPal Checkout, PayPal Credit, and Direct Payments Services as standard, and that provides PayPal-hosted checkout, as described in more detail on the PayPal website. Optional additional Services include Fraud Protection Services and Recurring Billing, which are all more fully described on our website.
“Payments Pro” means PayPal Payments Pro (Website Payments Pro), which is also known as Website Payments Pro, and is the suite of Services consisting of PayPal Checkout, Direct Payments, Virtual Terminal, and Fraud Management filters as standard, as described in more detail on the PayPal website. Optional additional Services include Advanced Fraud Management Filters, Fraud Protection and Recurring Payments, which are all more fully described on our website.
“Payments Pro Payflow” means PayPal Payments Pro (Website Payments Pro Payflow Edition), which is also known as Website Payments Pro Payflow Edition, and is the suite of Services consisting of PayPal Checkout, PayPal Credit, Direct Payments, and Virtual Terminal services as standard, and that provides full checkout page customization, as described in more detail on the PayPal website. Optional additional Services include Fraud Protection Services and Recurring Billing, which are all more fully described on our website.
“Payor” has the meaning provided in Section 18.
“PayPal Agreements” has the meaning provided in the “What’s Covered in This Agreement” section of this Agreement.
“PayPal Credit” means the open-end, consumer credit account issued by Synchrony Bank. It is available to U.S. consumers who are of legal age in their state of residence and is subject to credit approval.
“PayPal Services” or “Services” means the Online Card Payment Services or other offerings identified or otherwise provided pursuant to this Agreement. Such services may be described more fully on our website.
“PayPal User Agreement” means the online agreement you entered into with PayPal when you opened your PayPal account, as it may have been amended from time to time. The PayPal User Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.
“Recurring Billing” means the optional feature associated with Payments Advanced and Payments Pro Payflow that, with the consent of your customer, enables you to set up payments that recur at specified intervals and frequencies as described in more detail on the PayPal website.
“Recurring Payments” means the optional feature associated with ACP, Payments Pro and VT that, with the consent of your customer, enables you to set up payments that recur at specified intervals and frequencies, as described in more detail on the PayPal website.
“Risk Controls” means the optional feature available to certain users of the applicable Services that provide a Merchant with the option of changing certain controls to accept or decline transactions with a higher likelihood of risk.
“Risk Factors” has the meaning provided for in Section 2.f.
“Transaction Fees” means the fees provided in Section 2.b.ii. of this ACP/VT Agreement. Note, if you use certain optional Services, certain additional fees may apply to your transactions on a per transaction basis, as outlined in Section 2(c); however, these are not included in this definition.
“Virtual Terminal” or “VT” means the Service that enables you to receive a Card payment by manually entering Card Data given to you by a customer.
“VT Payment” or “Virtual Terminal Payment” means a payment processed by PayPal through the Virtual Terminal flows that is funded directly by a Card and not through a PayPal account.
DATA PROTECTION SCHEDULE
This Data Protection Schedule applies only to the extent that PayPal acts as a Service Provider to you.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.
1 DEFINITIONS AND INTERPRETATION; SCHEDULE COMPOSITION
1.1 Definitions and Interpretation. The following terms have the following meanings when used in this Schedule:
“Customer” means your customers who use the Services in the United States and, for the purposes of this Schedule, are data subjects.
“Customer Data” means the Personal Data that the Customer provides to you and you pass on to PayPal through the use by you of the Services.
“Data Protection Laws” means any data protection laws, regulations, and regulatory requirements applicable to PayPal’s provisions of the Services, including without limitation, the California Consumer Privacy Act of 2018 (CCPA), including any implementing regulations issued by the California Attorney General.
“Personal Data” means any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“process”, “processes”, and “processed” means any operation or set of operations performed upon Personal Data, including collection, recording, retention, sharing, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction.
“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by PayPal.
“Service Provider” shall have the meaning set forth in the CCPA.
1.2 Schedule Composition. This Schedule 1 is comprised of (i) sections 1 to 2, being the main body of the schedule and(ii) Attachment 1.
2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1 PayPal as a Service Provider.
2.1.1 PayPal is your Service Provider with respect to Customer Data, including the Personal Data of Customers and other natural persons, households, and entities only for the purposes specified in the Agreement. You agree to provide to PayPal only the Customer Data that is necessary for PayPal to provide the payment processing services. The parties acknowledge and agree that PayPal is permitted to use, reproduce and process Customer Data and payment transaction data for the following limited purposes:
- as reasonably necessary to provide and improve the payment processing services to you and your customers, including fraud protection tools;
- to monitor, prevent, and detect fraudulent payment transactions, and to prevent harm to you, PayPal, and to third parties;
- to comply with legal or regulatory obligations applicable to the Processing and retention of payment data to which PayPal is subject, including applicable anti-money laundering and identity verification obligations;
- to analyze, develop and improve PayPal’s products and services;
- internal usage, including but not limited to, data analytics and metrics;
- to compile and disclose Customer Data and payment transaction data in the aggregate where your individual or user Personal Data is not identifiable, including calculating your averages by region or industry;
- complying with applicable legal requirements and assisting law enforcement agencies by responding to requests for the disclosure of information in accordance with laws; and
- any other purpose that PayPal notifies you and in accordance with Data Protection Laws.
2.1.2 PayPal shall comply with the requirements of the Data Protection Laws with respect to the use of Personal Data under this Agreement and shall not knowingly do anything or knowingly permit anything to be done with respect to the Personal Data which might lead to a breach by you of the Data Protection Laws.
2.1.3 With regard to any Customer Data to be processed by PayPal in connection with this Agreement, you will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.
2.1.4 The Parties acknowledge and agree that valuable consideration, monetary or otherwise, is being provided for the payment processing services being rendered by PayPal and not in exchange for you providing Personal Data in connection with the payment processing services.
2.1.5 Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA or applicable Data Protection Laws, PayPal is prohibited from collecting, retaining, using, selling or disclosing Personal Information except as necessary for the purpose of performing the payment processing services specified in the Agreement between the parties.
2.2 Customer Requests. PayPal shall, to the extent legally permitted, promptly notify you in the event PayPal receives a request from a Customer for access to, or correction, amendment, or deletion of, that Customer’s Personal Data. PayPal shall not respond to any such Customer request without your prior written consent except to confirm that the request relates to you and you hereby consent to such communication with your Customer by PayPal. PayPal shall provide you with commercially reasonable cooperation and assistance in relation to the handling of a Customer’s request for access to that Customer’s Personal Data, provided that such cooperation and assistance is legally permitted and to the extent you do not have access to such Customer Data through your use of the payment processing services. PayPal and you acknowledge and agree that PayPal is authorized under applicable law to retain and process such Customer Data pursuant to applicable law, including, without limitation, any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the CCPA (including without limitation, those exceptions, limitations, exemptions and/or exclusions set forth in California Civil Code § 1798.145).
2.3 PayPal Personnel. PayPal shall ensure that its personnel engaged in the processing of Customer Data are informed of the confidential nature of the Customer Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Such confidentiality obligations shall survive the termination of the applicable personnel’s engagement. PayPal undertakes to provide its personnel with training as necessary from time to time with respect to PayPal’s obligations in this Addendum so that PayPal personnel are aware of, and comply with, such obligations. Access by PayPal’s personnel to Customer Data is limited to those personnel performing payment processing services in accordance with the Agreement.
2.4 Technical and Organizational Measures. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Addendum to keep Customer Data secure and to protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the payment processing services. You understand and agree that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the payment processing services. In the event of any detrimental change, PayPal shall provide a notification together with any necessary documentation to you by email or publication on a website easily accessible by you.
2.5 Security Incidents. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data and if there is a reasonable likelihood of materially harm to a material part of the PayPal systems relating to the payment processing services provided to you, PayPal will, in accordance with Data Protection Laws: (a) notify you of the Security Incident promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
2.5.1 Details of Security Incident. Notifications made under this Section will describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks.
2.5.2 Communication. PayPal will deliver its notification of any Security Incident to one or more of your administrators via email. You are solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
2.6 Deletion. Upon termination or expiration of the Agreement, PayPal will delete or return to you all Customer Data processed on behalf of you, and PayPal shall delete existing copies of such Customer Data except where authorized by Data Protection Laws or necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2.7 Certification. The Parties will at all times comply with applicable Data Protection Laws. PayPal hereby certifies that it understands and agrees to the terms of this Data Protection Schedule in this Agreement.
2.8 Merchant Notices. You undertake to provide all notices and obtain all consents necessary for PayPal’s use of Personal Data set out above.
TECHNICAL AND ORGANIZATIONAL MEASURES
The following technical and organizational measures will be implemented:
1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
4. Measures taken to prevent data processing systems from being used by unauthorized person using data transmission facilities;
5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
6. Measures taken to guarantee the checking and recording of the identity of third-parties to whom the data can be transmitted by transmission facilities;
7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported; and
9. Measures taken to safeguard data by creating backup copies.