PayPal Complete Payments with Custom Card Fields and Virtual Terminal Agreement

Last Updated: April 19, 2019

 

This PayPal Complete Payments with Custom Card Fields and Virtual Terminal agreement ("CCF/VT Agreement") is a contract between you (the "Merchant") and PayPal, Inc. (“PayPal”, “we”, “us” or “our”), and applies to your use of PayPal Complete Payments with Custom Card Fields ("CCF"), and your use of Virtual Terminal when you’ve integrated PayPal Complete Payments with Custom Card Fields (collectively, the "Products"). Each of the Products includes the PayPal services listed in this CCF/VT Agreement and as described more fully on our website. You must read, agree with and accept all of the terms and conditions contained in this CCF/VT Agreement. By using any of the Products, you agree to comply with all of the terms and conditions in this CCF/VT Agreement, so please read all of the terms and conditions carefully.

This CCF/VT Agreement applies in addition to the PayPal User Agreement and any other agreement you have entered into with PayPal (collectively "PayPal Agreements") to your use of the PayPal services through the Products. If any inconsistency exists between the terms of the PayPal User Agreement and this CCF/VT Agreement then, except for Express Checkout, the terms of this CCF/VT Agreement shall control in connection with your use of the PayPal services through any Product. The terms of the PayPal User Agreement shall control for any inconsistency for Express Checkout.

We may amend this CCF/VT Agreement at any time by posting a revised version on our website. The revised version will be effective at the time we post it. In addition, if we change the CCF/VT Agreement in a way that reduces your rights or increases your responsibilities, we will provide you with 30 Days' prior notice by posting notice on the "Policy Updates" page of our website. If you would like to receive notification by email of new Policy Updates, then you may do so by logging into your PayPal account and selecting this option by going to My Account > Profile > Account Information > Notifications. If you do not agree with any change to the CCF/VT Agreement, you may terminate your use of the PayPal services at any time.

 

1. Credit Report Authorization.

You understand and agree that you are providing PayPal with your "written instructions" in accordance with the Fair Credit Reporting Act, and you are authorizing and acknowledge that PayPal may obtain your personal credit report from a credit bureau for the purpose of your use of these Products and PayPal services. You further understand and agree that you are authorizing PayPal to obtain your credit report on an ongoing basis for account review purposes.

 

2. Fees and Payment Terms.

a. Fees. The fees you pay for use of PayPal Complete Payments with Custom Card Fields and Virtual Terminal can be found on the Standard Transaction Fees table and are the same as described for PayPal Payments Pro and Virtual Terminal Fees; provided, however, there are no monthly fees for use of Custom Card Field or use of Virtual Terminal if you have integrated with Custom Card Field. All fees are in U.S. Dollars unless otherwise stated. The fees associated with any Express Checkout transaction submitted by you via any Product are set forth in the PayPal User Agreement. If there are any applicable monthly fees for the Products they will be charged in advance. For fees charged per transaction, the fee amount will be deducted from the transaction amount at the time of the transaction.  You are liable for all claims, expenses, fines, and liability PayPal incurs arising out of your use of the Products. All fees are non-refundable.

b. Promotional Period.  If you have signed up for the PayPal services pursuant to a promotional period, you agree to pay any applicable monthly fee upon the expiration of a promotional period offered by PayPal.

c. Failure to Use Express Checkout.  If you fail to comply with the requirement to use Express Checkout described in Section 8, you may be subject to up to a 1% fee increase to your then current Transaction Fee rate. This fee may be included in your initial rate when you first sign up for the PayPal services, or may be added at any time by PayPal with 30 days' prior written notice of the fee increase. You agree to terminate your use of the PayPal services if you do not agree to this fee.

d. Risk Factors Fee. If PayPal determines that your PayPal account receives, or is likely to receive, a disproportionately high number of customer complaints, Reversals, chargebacks, disputes, claims, fees, fines, penalties or other liability (collectively "Risk Factors"), you may be subject to up to a 5% fee increase above your then current Transaction Fee rate. This fee may be added to your initial rate when you first sign up for the PayPal services, or may be added at any time by PayPal with 30 days' prior notice of the fee increase. You agree to terminate your use of the PayPal services if you do not agree to this Fee.

e. Processing Requirements.  You agree to submit only any transactions for processing which represent a bona fide, permissible transaction free of liens, claims, and encumbrances other than ordinary sales taxes; as outlined in this CCF/VT Agreement and in the Card Company Rules, or which accurately describes the product or services being sold or the charitable donations being made.  You authorize PayPal to submit transactions to and receive settlement from American Express and to disclose transaction and merchant information to American Express to perform analytics and create reports, and for any other lawful business purposes, including commercial marketing communications purposes and important transactional or relationship communications.  You also agree to ensure data quality and that any Data is processed promptly, accurately and completely, and complies with the Card Companies’ technical specifications.  You agree not to process transactions or receive payments on behalf of any other party, or redirect payments to any other party.  You agree not to bill or collect from any cardholder for any purchase or payment on the card unless you have the right to do so under the Card Company Rules. 
 

3. Data Security.

a. General. You are fully responsible for the security of data on your website or otherwise in your possession or control. You agree to comply with all applicable laws and rules in connection with your collection, security and dissemination of any personal, financial, Card, or transaction information (defined as "Data") on your website.  You must report any Data breach or incident to PayPal and the Card Companies immediately after discovery of the incident. 

b. Merchant PCI Compliance. You agree that at all times you shall be compliant with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Company data security requirements, as applicable. You agree to promptly provide us with documentation evidencing your compliance with PCI DSS, PA DSS, or other Card Company data security requirements, if requested by us. You also agree that you will use only PCI compliant service providers in connection with the storage or transmission of Card Data, defined as a cardholder’s account number, expiration date, and CVV2. You must not store CVV2 data at any time.

If you are accessing the Products through a platform service partner, you acknowledge that your platform service partner may offer solutions that help you comply with certain of these Merchant PCI compliance standards. While the platform service partner may help you comply or perform certain obligations on your behalf, you remain liable for compliance with these Merchant PCI Compliance standards.

c. PayPal PCI Compliance. PayPal agrees that it shall comply with the applicable PCI DSS requirements, as such may be amended from time to time, with respect to all cardholder data received by it in connection with this Agreement.  PayPal acknowledges that it is responsible for the security of cardholder data it possesses or otherwise stores, processes or transmits on behalf of the Merchant, or to the extent that they could impact the security of the Merchant's cardholder data environment.

d. Data Usage. Unless you receive the express consent of your customer, you may not retain, track, monitor, store or otherwise use Data beyond the scope of the specific transaction. Further, unless you get the express written consent of PayPal and each Acquiring Bank and/or the Card Companies, as applicable, you agree that you will not use nor disclose the Card Data for any purpose other than to support payment for your goods and services. Card Data must be completely removed from your systems, and any other place where you store Card Data, within 24 hours after you receive an authorization decision unless you have received the express consent of your customer to retain the Card Data for the sole purpose of processing recurring payments. To the extent that Card Data resides on your systems and other storage locations, it should do so only for the express purpose of processing your transactions. All Data and other information provided to you by PayPal in relationship to the PayPal services and all Card Data will remain the property of PayPal, its Acquiring Bank or the Card Companies, as appropriate.

If you are using PayPal Complete Payments with Custom Card Fields and Virtual Terminal for payments received through a partner platform service provider, you may not be receiving Card Data, but may receive other confidential information about another PayPal customer in order to fulfill the transaction and you will continue to be bound by the terms of our User Agreement.

e. Password Security. You agree to restrict use and access to your password and log-on ID to your employees and agents as may be reasonably necessary, and will ensure that each such employee or agent complies with the terms of this CCF/VT Agreement. You will not give, transfer, assign, sell, resell or otherwise dispose of the information and materials provided to you to utilize the PayPal services. You are solely responsible for maintaining adequate security and control of any and all IDs, passwords, or any other codes that are issued to you by PayPal, each Acquiring Bank or the Card Companies.

f. Audit. If PayPal believes that a security breach or compromise of Data has occurred, PayPal may require you to have a third party auditor that is approved by PayPal conduct a security audit of your systems and facilities and issue a report to be provided to PayPal, the Acquiring Banks and the Card Companies. In the event that you fail to initiate an audit within 10 business days of PayPal's request, PayPal may conduct or obtain such an audit at your expense.  In addition, the Card Companies may conduct an audit at any time, for the purpose of determining compliance with the Card Company Rules.

g. Compliance with Data Protection Schedule. You agree (as a “Merchant”) to comply with Schedule 1 below, which forms part of this Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Agreement relating to data protection and privacy.

 

4. Additional Terms for American Express Card Acceptance.

a. American Express may use the information obtained in your application at the time of setup to screen and/or monitor you in connection with Card marketing and administrative purposes.

b. You may be converted from this CCF/VT Agreement to a direct card acceptance agreement with American Express if you reach certain monthly sales volumes.   Upon conversion, (i) you will be bound by American Express' then-current Card Acceptance Agreement; and (ii) American Express will set your pricing and other fees for American Express Card acceptance. 

c. By accepting these terms, you agree to receive commercial marketing communications from American Express.   You may opt out by contacting PayPal at (888) 221-1161. 

d. American Express shall be a third party beneficiary of this CCF/VT Agreement for purposes of American Express Card acceptance. As a third party beneficiary, American Express shall have the right to enforce directly against you the terms of this CCF/VT Agreement as related to American Express Card acceptance. You acknowledge and agree that American Express shall have no responsibility or liability with regard to PayPal’s obligations to you under this CCF/VT Agreement.

 

5. Dynamic Currency Conversion.

You may not perform dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price of each product or service in each currency.

 

6. Brand Parity.

By using the Products, PayPal permits you to directly accept Cards. With regard to your Card acceptance, you agree to the following:

a. Where you accept Cards on your website, you will display each Card's logo with equal size and prominence, and you shall not display a preference for, nor discriminate against, one Card over another, including your refund policies for purchases.

b. You agree to comply with the logo usage standards located at: http://www.paypal.com/cgi-bin/webscr?cmd=xpt/general/OnlineLogoCenter-outside.

c. You authorize PayPal to provide information regarding your business and individual Card transactions to third parties for the purpose of facilitating the acceptance and settlement of your Card transactions and in connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries.

 

7. Card Not Present.

You acknowledge that PayPal processes transactions through the Products as remote (card not present) payments. If you accept a Card that is physically presented to you at the point of sale you acknowledge that the scope of your protection from Chargebacks will be limited to the protection that is available for remote payments.

 

8. Required Use of Express Checkout, PayPal Credit

a. If you use Custom Card Fields you must use Express Checkout in the following manner:

  1. You must include a PayPal Express Checkout button either: (i) before you request the shipping/billing address and other financial information from your customers or (ii) on the same page that you collect such information if you only use one page for your checkout process.

  2. You must offer PayPal as a payment option together with the other payment options you offer. The PayPal acceptance mark must be displayed with equal prominence to the logos for your other payment options. You shall not discriminate against PayPal, nor discourage its use, as a payment option over any other payment option offered by you.

  3. You must provide your customers with the option of not storing their personal information, including their email address, shipping/billing address, and financial information.

b. If you use Custom Card Fields you must offer PayPal Credit as a payment option on your hosted checkout page as automatically enabled by PayPal. Any offers associated with PayPal Credit that you present outside of the hosted checkout page must be displayed in the manner prescribed and instructed by PayPal and approved by PayPal prior to posting.
 

9.  Fraud Protection

a. General. PayPal’s Fraud Protection may be made available to you as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you may adopt.  The tool allows you to set filter rules, i.e., to instruct PayPal which transactions we will decline on your behalf based on abstract criteria.

We may provide suggestions or recommendations regarding what filters and settings to use that may be appropriate for your business.  These suggestions take into account your profile and past transaction history.

If you are provided access to Fraud Protection, then it is your responsibility to set the filter rules. Please note: If you set these filter rules too restrictively, you might lose sales volume. We advise you to monitor your filter rules and settings on an ongoing basis.

b. No Warranty or Limitation of Liability. We do not represent or warrant that Fraud Protection is error-free or that it will identify all potentially fraudulent transaction activity.  PayPal shall not be liable for your losses (such as loss of profits) or damages.  The sections of the PayPal User Agreement on “Indemnification and Limitation of Liability” and “Disclaimer of Warranty and Release” apply to your use of Fraud Protection.

c. Data Protection. You may only use Fraud Protection for the purpose of your management of fraud risk and for no other purpose.  You acknowledge that Fraud  Protection does not provide Consumer Reports under the Fair Credit Reporting Act, and you will not use it, or let any other person use it, for the determination of eligibility for personal, family or household credit, loan, employment, or other purpose that would make the results from Fraud Protection be deemed Consumer Reports under the Fair Credit Reporting Act.  You may not share use of Fraud Protection with any other person, nor may you disclose to any person the categories provided in Fraud Protection or the results generated from your use of Fraud Protection.

d.  These terms supplement the PayPal User Agreement that governs your use of PayPal’s services in general.  PayPal reserves the right to suspend, change or cancel PayPal’s Fraud Protection at any time as it may determine in its sole discretion.  PayPal reserves the right to add additional terms and conditions for continued use of Fraud Protection.
 

10. No Warranty.

THE PRODUCTS AND THE PAYPAL SERVICES AND ALL ACCOMPANYING DOCUMENTATION ARE PROVIDED TO YOU ON AN "AS IS" BASIS WITHOUT ANY WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION ANY WARRANTIES OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. PAYPAL MAKES NO WARRANTY THAT THE PAYPAL SERVICES WILL BE CONTINUOUS OR ERROR-FREE. PayPal does not guarantee, represent or warrant that the PayPal services and related features that enable you to detect or minimize fraudulent transactions will discover or prevent all non-valid or fraudulent transactions. PayPal is not responsible for any non-valid or fraudulent transactions that are processed.

 

11. Reserves and other Protective Actions.

If, in our sole discretion, we believe there may be a high level of risk associated with you, your PayPal account, your business model, or your transactions we may take certain actions in connection with your Account and/or your use of the PayPal services.

a. Reserves. PayPal, in its sole discretion, may place a Reserve on funds held in your PayPal account when PayPal believes there may be a high level of risk associated with your Account. If PayPal places a Reserve on funds in your PayPal account, they will be shown as “pending” in your PayPal Balance. If your PayPal account is subject to a Reserve, PayPal will provide you with notice specifying the terms of the reserve. The terms may require that a certain percentage of the amounts received into your PayPal account are held for a certain period of time, or that a certain amount of money is held in reserve. PayPal may change the terms of the Reserve at any time by providing you with notice of the new terms.

b. Additional Actions. We may take other actions we determine are necessary to protect against the risk associated with your PayPal account including requesting additional collateral from you such as a letter of credit or a personal guarantee. PayPal may contact your customers, on your behalf, in the event that PayPal is investigating potential fraud.

c. Information. In order to determine the risk associated with your PayPal account, PayPal may request at any time, and you agree to provide, any information about your business, operations or financial condition. We reserve the right to reassess your eligibility for any Product if your business is materially different from the information you provided in your application.

 

12. Termination.

a. By Merchant. You may terminate your use of the PayPal services at any time.  Merchant may terminate its acceptance of American Express at any time upon notice. 

b. By PayPal. PayPal may terminate your use of the PayPal services if:

1. You fail to comply with the terms of, or are unable to pay or perform your obligations under, this CCF/VT Agreement or any of the PayPal Agreements that apply to the PayPal services;

2. We decide, in our discretion, that you become ineligible for the PayPal services because there is a high level of risk associated with your PayPal account or for any other reason, or upon request by any Acquiring Bank or any of the Card Companies.

3. You violate any Card Company Rule as they may be amended by the Card Companies from time to time.

c. Effect of Termination. If your use of any Product is terminated, your use of the PayPal services associated with that Product will immediately end. You agree to complete all pending Card transactions, immediately remove all logos for Cards, and stop accepting new transactions through the Product. If your use of any Product is terminated, you will not be refunded the remainder of any applicable Monthly Fees that you have paid for such Product.

 

13. PayPal is Your Agent for Receiving Payment.

You represent and warrant to PayPal that each transaction that you process through the PayPal Complete Payments with Custom Card Field or Virtual Terminal services is solely in payment for your provision of bona fide goods and/or services to your customers (each, a “Payor”). You hereby designate PayPal, and PayPal hereby agrees to serve, as your limited agent for the sole purpose of receiving such payments on your behalf from your Payors. You agree that upon PayPal receiving payment from a Payor: (a) you shall be deemed to have received payment from such Payor, (b) such Payor’s obligation to you in connection with such payment shall be satisfied in full, (c) any claim you have for such payment against such Payor shall be extinguished and (d) you are obligated to deliver the applicable goods and/or services to the Payor, in each case regardless of whether or when PayPal remits such payment to you. PayPal will remit to you in accordance with this Agreement, or apply as an offset to any obligation you may have to PayPal, any such payments it receives on your behalf. Any receipt provided to the Payor shall be binding on you and shall satisfy all applicable regulatory requirements. This paragraph states the entirety of PayPal’s duties as your agent for receipt of payment, and no other duties shall be implied by PayPal’s undertaking to act in that capacity.

 

14. General.

a. Law and Forum for Disputes. Except as otherwise agreed by the parties or as described in the PayPal User Agreement, you agree that any claim or dispute you may have against PayPal must be resolved by a court located in either Santa Clara County, California, or Omaha, Nebraska. You agree to submit to the personal jurisdiction of the courts located within Santa Clara County, California, or Omaha, Nebraska for the purpose of litigating all such claims or disputes. This CCF/VT Agreement shall be governed in all respects by the laws of the State of California, without regard to conflict of law provisions.

b. Indemnification. You agree to defend, indemnify and hold PayPal, its parent, officers, directors and employees harmless from any claim or demand (including attorneys’ fees) made or incurred by any third party due to or arising (i) out of your breach of this CCF/VT Agreement; (ii) your use of the Products or the PayPal services accessed through the Products; (iii) your fraudulent transaction or data incidents.

c. No Waiver. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches.

d. Compliance with Laws.  You agree to comply with all applicable laws, rules, or regulations, including the Card Company Rules.

e. Data Use. PayPal shall have the right (i) to use the Data it receives from you as necessary to perform the PayPal services; (ii) to collect and process the Data subject to applicable law to use internally for record keeping, internal reporting, analytics, fraud detection and support purposes; (iii) to compile and disclose Data in the aggregate where your individual or user Data is not identifiable, including calculating Merchant averages by region or industry; and (iv) to provide the Data as required by the Card Companies, the Acquiring Banks, law or court order, or to defend PayPal’s rights in a legal dispute.

f. Complete Agreement. This CCF/VT Agreement, along with the PayPal User Agreement and any applicable policies and agreements on the Legal Agreements page on the PayPal website, sets forth the entire understanding between you and PayPal with respect to your use of the Products and the PayPal services accessed through the Products. If any provision of this CCF/VT Agreement is held to be invalid or unenforceable, such provision shall be struck and the remaining provisions shall be enforced. In addition, your acceptance of Card transactions via a Product is also subject to a Commercial Entity Agreement you have with each of the Acquiring Banks.

 

15. Definitions.

"Acquiring Bank" means each of the financial institutions PayPal partners with to process your Card payments, including your Direct Payments and Virtual Terminal Payments, and each of your Card funded Express Checkout payments, and with whom you entered into a Commercial Entity Agreement.

"American Express" means American Express Travel Related Services Company, Inc. and its affiliates.

"API" means PayPal’s proprietary application programming interfaces used to interface with the PayPal systems in order to use certain PayPal services.

"Card Companies" means a company or group of financial institutions that promulgate rules to govern Card Transactions via bankcard and payment networks including MasterCard, Visa, Discover, American Express, and the debit networks.

“Card Company Rules” means the rules and regulations governing acceptance of Cards. Rules are available from Visa, MasterCard, American Express, and Discover.

"Cards" means Visa, MasterCard, American Express, Discover, and debit network branded payment cards.

"CVV2 Data" means the three or four digit number printed to the right of the Card number in the signature panel on the back of the Card. On American Express Cards, it is printed on the front of the Card above the Card number.

"Data" has the meaning provided in Section 3(a).

"Direct Payment" means a payment processed by PayPal through the Direct Payment API that is funded directly by a Card and not through a PayPal account.

"Express Checkout" means the PayPal service where PayPal is a payment option on a merchant’s website at checkout, with payments being processed by PayPal through the Express Checkout API and funded directly from a User’s PayPal account.

"Fixed Fee" means the portion of the Transaction Fees that is a fixed monetary amount and not a percentage of the payment amount.

"Fraud Protection" means the optional service associated with Custom Card Fields that allows you to access additional risk management features to help protect you from fraud and chargebacks, as described in more detail on the PayPal website.

"Monthly Sales Volume" means the total payment volume processed by you through any Product using any payment method.

"PayPal Agreements" has the meaning provided in the second paragraph of this CCF/VT Agreement.

"PayPal Credit" means the open-end, consumer credit account issued by Synchrony Bank. It is available to US consumers who are of legal age in their state of residence and is subject to credit approval.

"PayPal User Agreement" means the online agreement you entered into with PayPal when you opened your PayPal account, as it may have been amended from time to time. The PayPal User Agreement currently in effect can be accessed via the Legal Agreements link in the footer of nearly every page on the PayPal website.

"Products" has the meaning provided in the first paragraph of this CCF/VT Agreement.

"CCF/VT Agreement" has the meaning provided in the first paragraph of this CCF/VT Agreement.

"Recurring Payments" means the optional feature associated with PayPal Complete Payments Custom Card Fields and Virtual Terminal that, with the consent of your customer, enables you to set up payments that recur at specified intervals and frequencies, as described in more detail on the PayPal website.

"Transaction Fees" means the fees provided in Section 2(b) of this CCF/VT Agreement. Note, if you use certain optional PayPal services, certain additional fees may apply to your transactions on a per transaction basis, as outlined in Section 2(c); however, these are not included in this definition.

"Virtual Terminal" means the PayPal service that enables you to receive a Card payment by manually entering Card Data given to you by a customer.

"Virtual Terminal Payment" means a payment processed by PayPal through the Virtual Terminal flows that is funded directly by a Card and not through a PayPal account.

 

SCHEDULE 1

DATA PROTECTION SCHEDULE

This Data Protection Schedule applies only to the extent that PayPal acts as a processor or Sub-processor to Merchant.

Capitalized terms used but not defined in this Schedule shall have the meaning set out in the Agreement.

1 DEFINITIONS AND INTERPRETATION

1.1 The following terms have the following meanings when used in this Schedule:

"Card Information" is defined in Section 2.15 of this Schedule.

"Customer" means a European Union customer of Merchant who uses the PayPal services and for the purposes of this Schedule, is a data subject.

"Customer Data" means the personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Merchant of the PayPal services.

"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.

"Data Protection Laws" means General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments and any other data protection laws, regulations, regulatory requirements and codes of conduct of EU Member States applicable to PayPal's provision of the PayPal services.

"Data Recipient" is defined in Section 2.15 of this Schedule.

"PayPal Group" means PayPal and all companies in which PayPal or its successor directly or indirectly from time to time owns or controls.

"personal data" has the meaning given to it in the Data Protection Laws.

"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.

"Sub-processor" means any processor engaged by PayPal and/or its affiliates in the processing of personal data.

1.2 Schedule. This comprises (i) sections 1 to 2, being the main body of the schedule; (ii) Attachment 1; (iii) Attachment 2; and (iv) Attachment 3 (with its appendixes).

 

2 PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES

2.1 Merchant data controller. With regard to any Customer Data to be processed by PayPal in connection with this Agreement, Merchant will be a controller and PayPal will be a processor in respect of such processing. Merchant will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be, processed.

2.2 Merchant written instructions. PayPal shall only process Customer Data on behalf of and in accordance with Merchant’s written instructions. The Parties agree that this Schedule is Merchant's complete and final written instruction to PayPal in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between PayPal and Merchant, including agreement of any additional fees payable by Merchant to PayPal for carrying out such additional instructions. Merchant shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with Merchant's instructions will not cause PayPal to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. Merchant hereby instructs PayPal to process Customer Data for the following purposes:

2.2.1 as reasonably necessary to provide the PayPal services to Merchant and its Customer;

2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.

2.3 PayPal cooperation. In relation to Customer Data processed by PayPal under this Agreement, PayPal shall co-operate with Merchant to the extent reasonably necessary to enable Merchant to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as Merchant requires in relation to:

2.3.1 assisting Merchant in the preparation of data protection impact assessments to the extent required of Merchant under Data Protection Laws; and

2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.

2.4 Scope and Details of Customer Data processed by PayPal. The objective of processing Customer Data by PayPal is the performance of the PayPal services pursuant to the Agreement. PayPal shall process the Customer Data in accordance with the specified duration, purpose, type and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).

2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.

2.6 Correction, Blocking and Deletion. To the extent Merchant, in its use of the PayPal services, does not have the ability to correct, amend, block or delete Customer Data, as required by Data Protection Laws, PayPal shall comply with any commercially reasonable request by Merchant to facilitate such actions to the extent PayPal is legally permitted to do so. To the extent legally permitted, Merchant shall be responsible for any costs arising from PayPal’s provision of such assistance.

2.7 Data Subject Requests. PayPal shall, to the extent legally permitted, promptly notify Merchant if it receives a request from a Customer for access to, correction, amendment or deletion of that Customer’s personal data. Merchant shall be responsible for responding to all such requests. If legally permitted, PayPal shall provide Merchant with commercially reasonable cooperation and assistance regarding such Customer's request and Merchant shall be responsible for any costs arising from PayPal’s assistance.

2.8 Training. PayPal undertakes to provide training as necessary from time to time to the PayPal personnel with respect to PayPal's obligations in this Schedule to ensure that the PayPal personnel are aware of and comply with such obligations.

2.9 Limitation of Access. PayPal shall ensure that access by PayPal's personnel to Customer Data is limited to those personnel performing PayPal services in accordance with the Agreement.

2.10 Sub-processors. Merchant specifically authorizes the engagement of members of the PayPal Group as Sub-processors in connection with the provision of the PayPal services. In addition, Merchant generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the PayPal services. When engaging any Sub-processor, PayPal will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. PayPal shall make available to Merchant a current list of Sub-processors for the respective PayPal services with the identities of those Sub-processors.

2.11 Audits and Certifications. Where requested by Merchant, subject to the confidentiality obligations set forth in the Agreement, PayPal shall make available to Merchant (or Merchant’s independent, third-party auditor that is not a competitor of PayPal or any members of PayPal or the PayPal Group) information regarding PayPal’s compliance with the obligations set forth in this Schedule in the form of the third-party certifications and audits (if any) set forth in the Privacy Policy set out on our website. Merchant may contact PayPal in accordance with the Agreement to request an on-site audit of the procedures relevant to the protection of personal data. Merchant shall reimburse PayPal for any time expended for any such on-site audit at PayPal’s then-current professional PayPal services rates, which shall be made available to Merchant upon request. Before the commencement of any such on-site audit, Merchant and PayPal shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Merchant shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by PayPal. Merchant shall promptly notify PayPal with information regarding any non-compliance discovered during the course of an audit.

2.12 Security. PayPal shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the PayPal services. Since PayPal provides the PayPal services to all Merchants uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to PayPal’s entire customer base hosted out of the same data center and subscribed to the same service. Merchant understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, PayPal is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the PayPal services.
 
2.13 Security Incident Notification. If PayPal becomes aware of a Security Incident in connection with the processing of Customer Data, PayPal will, in accordance with Data Protection Laws: (a) notify Merchant of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to Merchant's administrators by any means PayPal selects, including via email. Merchant is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.

2.14 Deletion. Upon termination or expiry of the Agreement, PayPal will delete or return to Merchant all Customer Data processed on behalf of the Merchant, and PayPal shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.

2.15 Data Portability. Upon any termination or expiry of this Agreement, PayPal agrees, upon written request from Merchant, to provide Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to Merchant’s Customers (“Card Information”). In order to do so, Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including Data Protection Laws).

 

ATTACHMENT 1
Technical and Organizational Measures

The following technical and organizational measures will be implemented:

  1. Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
  2. Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
  3. Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
  4. Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
  5. Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
  6. Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
  7. Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
  8. Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
  9. Measures taken to safeguard data by creating backup copies.

ATTACHMENT 2
Data Processing of Customer Data

Categories of data subjects

Customer Data – The personal data that the Customer provides to Merchant and Merchant passes on to PayPal through the use by the Customer of the PayPal services.

Subject-matter of the processing

The payment processing services offered by PayPal which provide Merchant with the ability to accept credit cards, debit cards, and other payment methods on a website or mobile application from Customers.

Nature and purpose of the processing

PayPal processes Customer Data that is sent by the Merchant to PayPal for purposes of obtaining verification or authorization of the Customer’s payment method as payment to the Merchant for the sale of goods or services.

Type of personal data

Customer Data – Merchant shall inform PayPal of the type of Customer Data PayPal is required to process under this Agreement. Should there be any changes to the type of Customer Data PayPal is required to process then Merchant shall notify PayPal immediately. PayPal processes the following Customer Data, as may be provided by the Merchant to PayPal from time to time:

 

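|                                             | Virtual Terminal | PayPal Complete Payments with Custom Card Field |
|---------------------------------------------|------------------|-------------------------------------------------|
| Full name                                   | X                | X                                               |
| Shipping address                            | X                | X                                               |
| Billing address                             | X                | X                                               |
| Email address                               | X                | X                                               |
| Telephone number                            | X                | X                                               |
| Fax number                                  |                  |                                                 |
| Government ID number                        |                  |                                                 |
| Bank account number and bank routing number |                  |                                                 |
| Card or payment instrument type (optional)  | X                | X                                               |
| Card Primary Account Number (PAN)           | X                | X                                               |
| Card Verification Value (CVV)               | X                | X                                               |
| Card expiration date                        | X                | X                                               |
| Business tax ID                             |                  |                                                 |
| IP address                                  |                  | X                                               |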

Special categories of data (if relevant)

The transfer of special categories of data is not anticipated.

Duration of Processing

The term of the Agreement.