PayPal Online Card Payment Services Agreement
Last Update: September 26, 2022
About this Agreement
This Online Card Payment Services Agreement (“Card Agreement”) is a contract between you ( “Merchant”, “you”, or “your”) and PayPal Hong Kong Limited ("PayPal", "we", "us" or "our" as the context may require). You agree that any use by you of the any of the Online Card Payment Services (as defined below) that we offer to you will constitute your acceptance of this Card Agreement and we recommend that you store or print-off a copy of this Card Agreement.
This Card Agreement, the PayPal User Agreement, and any other applicable agreement(s) you have entered into with PayPal (collectively “PayPal Agreements”) shall apply to your use of the Online Card Payment Services. To proceed with obtaining one or more of the Online Card Payment Services below, you must read, agree with and accept all of the terms and conditions contained in this Card Agreement.
We may amend or otherwise revise this Card Agreement and any applicable policies from time to time. The revised version will be effective at the time we post it on the PayPal Website unless otherwise noted. If our changes reduce your rights or increase your responsibilities, we will post a notice on the Policy Updates page of our Website and provide you with the same length of advance notice as set forth in the PayPal User Agreement. Advance period will not be provided where a change relates to the addition of a new service, extra functionality to the existing Services, or any other change which we believe in our reasonable opinion neither reduce your rights nor increase your responsibilities. In such instances, the change will be made without notice to you and will be effective immediately at the time we post it on our Website.
By continuing to use the Online Card Payment Services after any changes to this Card Agreement, you agree to abide and be bound by those changes. If you do not agree with any changes to this Card Agreement, you may, as applicable, terminate your use of the Online Card Payment Services as set out in clause 7 before such changes become effective and/or close your account. While you may close your PayPal account at any time and without charge, please note that you may still be liable to us after you terminate this Card Agreement for any liabilities you may have incurred and are responsible for prior to terminating this Card Agreement.
“Online Card Payment Services” means the suite of payment processing services offered by PayPal which provide merchants with the ability to accept and receive credit and debit card payments on a website or mobile application where cardholders enter their own Card Data, or by merchants manually entering Card Data given to them by a cardholder. For purposes of this Agreement, these services include Advanced Credit and Debit Card Payments, Fraud Protection, Payments Pro, and Virtual Terminal.
For the purposes of this Agreement, the Online Card Payment Services include:
- Advanced Credit and Debit Card Payments, means the suite of functionality consisting of the Advanced Credit and Debit Card Payments API (as the standard online interface) and Fraud Protection (as an optional additional Service). This suite of functionality may also include optional add-on features (e.g., integration of eligible third-party wallets) that require your acceptance of additional third-party terms before such add-on features may be used. In such cases, the additional third-party terms will be provided to you at the time of enrollment.
- Fraud Protection: The optional Service provided by PayPal to enable you to access additional risk management features that may help protect you from potentially fraudulent transactions, as described in more detail on the PayPal Website.
- Payments Pro or PayPal Payments Pro (also known as Website Payments Pro), means the suite of Services consisting of PayPal Payment Button, Direct Payments, and Virtual Terminal, as described in more detail in the PayPal developer documents . Optional additional Services include Fraud Protection and Recurring Payments, which are all more fully described on the PayPal Website.
- Virtual Terminal or VT: means the Service that enables you to receive a card payment by manually entering Card Data given to you by the customer.
Each of the Services above includes one or more of PayPal’s online card payment services APIs or SDKs.
Capitalised terms are defined in section 12 below. Please view, download and save this Card Agreement.
Jump to section:
1. Setting up and activating your Service
3. Information Security; Data Protection; Data Portability
4. User Agreement and how our legal documents apply
5. Use of PayPal Payment Button
6. Recurring Billing/Recurring Payments Consent for Certain Services
7. Proprietary Rights
8. Banking terms for Card Transactions
9. Termination and suspension
10. Fraud Protection
13. Schedule 1 – Data Security Requirements
14. Schedule 2 - Bank Agreement
15. Schedule 3 – Fraud Protection Terms
1. Setting up and activating your Service
- Getting started. To obtain and use the relevant Service, you must carry out the following:
- complete the online application process for the relevant Service, open a PayPal business account (if you do not already have one), and follow our instructions set out in PayPal's online process to access and use your Service.
- integrate the relevant Service into the payment process of your website. You are not required to integrate your Service into the payment process of your website if you only access and use Virtual Terminal. PayPal is not responsible for any problems that could occur by integrating your Service into your 'live' website. You are solely responsible for choosing, setting, integrating and customising your Service and ensuring that it suits your needs.
- activate your Service by using it in a ‘live’ payment transaction for the first time.
- Parity among payment methods. By using the Services, PayPal permits you to directly accept debit and credit cards. In displaying payment options on your website, you must display the logos of PayPal and the Card Associations with size and prominence equal among themselves and among those of other payment methods. You must not display a preference for, nor discriminate against, one payment method over another. In using PayPal’s logo and buttons, you also agree to comply with the logo usage standards located at: https://www.paypal.com/hk/webapps/mpp/logos-buttons or as updated from time to time.
- Credit report authorisation. You authorise PayPal to provide information regarding your business and individual Card Transactions to third-parties for the purpose of facilitating the acceptance and settlement of your Card Transactions and in connection with items, including chargebacks, refunds, disputes, adjustments, and other inquiries. You agree to allow PayPal to obtain from a third party your credit history and financial information about your ability to perform your obligations under this Card Agreement in the manner set out in the PayPal Privacy Statement. PayPal will review your credit and other risk factors of your PayPal account (including but not limited to, reversals and chargebacks, customer complaints, claims) on an ongoing basis. PayPal will store, use and disclose the information obtained in conformity with PayPal’s Privacy Statement.
- Cancellation. PayPal may terminate your access and/or use of any Services and/or terminate this Card Agreement at any time before the Activation Date by notifying you.
In consideration of PayPal providing the Services to you, you agree to pay the fees in the amount and manner as agreed upon with PayPal during the application process.
3. Information Security; Data Protection; Data Portability
- Compliance with Data Security Schedule. You agree to comply with Schedule 1 below, which forms part of this Card Agreement.
- Price and currency. You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
- Compliance with Data Protection Addendum. You (as the Merchant) and we agree to comply with the data protection addendum found here, which forms part of this Card Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Card Agreement relating to data protection and privacy.
- Data Portability. Upon any termination or expiry of this Card Agreement, PayPal agrees, upon written request from the Merchant, to provide the Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to the Merchant’s Customers (“Card Information”). In order to do so, the Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) the Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).
4. User Agreement and how our legal documents apply
- User Agreement applies. The terms of the User Agreement apply to you and are incorporated by reference into this Card Agreement. The term PayPal services in the User Agreement will include the applicable Services. In case of any inconsistency between this Card Agreement and the User Agreement, this Card Agreement supersedes the User Agreement, but only to the extent of that inconsistency and in relation to the relevant Service. The User Agreement can be found via a link in the footer of nearly every PayPal web page. The User Agreement includes important provisions which:
- permit PayPal to take a reserve to secure your obligation to pay chargebacks, reversals and fees;
- obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal;
- give legal effect to PayPal’s Privacy Statement, which governs our use and disclosure of your information and that of Shared Customers; and
- permit PayPal to restrict a payment or your PayPal account in circumstances listed in the User Agreement.
- Failed payments and Service tools. You are responsible for chargebacks, reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Service, including its fraud filtering technology and similar preventive tools (if any) or your use of the Fraud Protection Service. Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for chargebacks, reversals and payments which are otherwise invalidated.
5. Use of PayPal Payment Button
If you use Advanced Credit and Debit Card Payments, Payments Pro, or Payments Pro Payflow you must use PayPal Payment Button in the following manner:
- You must include a PayPal Payment Button either: (i) before you request the shipping/billing address and other financial information from your customers, or (ii) on the same page that you collect such information if you only use one page for your checkout process.
- You must offer PayPal as a payment option together with the other payment options you offer. The PayPal acceptance mark must be displayed with equal prominence to the logos for your other payment options. You shall not discriminate against PayPal, nor discourage its use, as a payment option over any other payment option offered by you.
- You must provide your customers with the option of not storing their personal information, including their email address, shipping/billing address, and financial information.
6. Recurring Billing/Recurring Payments Consent for Certain Services.
If you are using the Recurring Billing or Recurring Payments feature, you agree that it is your responsibility to comply with Association Rules, and applicable law, including by capturing your customers’ agreement to be billed on a recurring basis.
7. Proprietary Rights
- Intellectual Property. You acknowledge that PayPal and its licensors retain all intellectual property rights (including all patent, trademark, copyright, trade dress, trade secrets, database rights and all other intellectual property rights) and title in and to all of their confidential information; other proprietary information, products, and services; and the ideas, concepts, techniques, inventions, processes, software or works of authorship developed, embodied in, or practiced in connection with the Services and provided by PayPal hereunder, including without limitation all modifications, enhancements, derivative works, configurations, translations, upgrades, and interfaces thereto (all of the foregoing “PayPal Intellectual Property”). PayPal Intellectual Property does not include your preexisting hardware, software, data, or networks. Except as otherwise expressly provided herein, nothing in this Card Agreement shall create any right of ownership or license in, and to the other party’s intellectual property rights and each party shall continue to independently own and maintain its intellectual property rights. There are no implied licenses under this Card Agreement and any rights not expressly granted to you under this Card Agreement are reserved by PayPal or its suppliers. You shall not reverse engineer, decompile, modify in any manner, or create derivative works from the Services, Licence (below), or any PayPal Intellectual Property.
- Ownership of information and materials. As part of the Merchant’s access to, and use of the Services, the Merchant will be provided with certain information and materials (the “Materials”) for its use with the Services. All intellectual property rights associated with the Materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). The Merchant agrees to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Materials to any person.
- Licence. PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to
- use PayPal’s Intellectual Property, any Materials, and any information and documentation as set out on the PayPal Website from time to time solely, as required and necessary to use the Services in accordance with the terms and conditions of this Card Agreement (the “IP License” and with respect to the APIs, the “API Licence”); and to
- use the documentation provided by PayPal for your Service and reproduce it for internal use only within your business. Your Service as licensed is subject to change and will evolve along with the rest of the PayPal system; see clause 11(a). You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Service issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and Card Association rules and regulations).
- ID codes. PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of those codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes; see also Schedule 1. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
- APIs. PayPal shall make available to you its API integration and user guides and SDKs (collectively “PayPal Documentation”). You shall comply with the PayPal Documentation in connection with the integration and use of APIs. You shall keep all user ID, passwords and other access codes pertaining to the Services and API Licence confidential and secure from all unauthorised persons. You will immediately terminate the access rights of any user who ceases to act in an authorised capacity on your behalf for any reason, including because of a change in employment status or in the event of theft, loss, or authorided disclosure or misuse of that user ID. You agree to notify PayPal immediately upon learning of any unauthorised use of your user ID or password. You shall be solely responsible for (i) updating your passwords for access to the Services periodically, and (ii) creating passwords that are reasonably “strong” under the circumstances. The user ID is the property of PayPal and may be immediately revoked or terminated by PayPal if you share the same with any third party, or otherwise breach this API Licence. In connection with your use of the APIs, you are prohibited from doing any of the following: (i) selling, transferring, sublicensing, or disclosing your user ID to any third party (other than third party service providers); (ii) selling, transferring, sublicensing, and/or assigning any interest in PayPal’s confidential information accessed by the APIs; (iii) collecting any customer’s personally identifiable information that is accessed through the APIs without that customer’s express permission; (iv) providing timeshare, service bureau, application service provider, or similar services to any other third party; and (v) interfacing or connecting the Services, or the API Licence with any other computer software or system without the prior written approval of PayPal. PayPal shall have no responsibility or liability for the performance of the Services, in the event that the Services are not used in accordance with this Agreement or any instructions for use provided by PayPal.
- No warranty. The Services and all accompanying documentation are provided to you on an “as is” basis. To the extent permitted by law, PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to your Service, the licensed software or user documentation provided, including without limitation any warranties of title, non-infringement, merchantability or fitness for a particular purpose. PayPal makes no warranty that the services will be continuous or error-free. PayPal does not guarantee, represent or warrant that the Services and related features that enable you to detect or minimize fraudulent transactions will discover or prevent all non-valid or fraudulent transactions. PayPal is not responsible for any non-valid or fraudulent transactions that are processed.. Nothing provided by PayPal under this Card Agreement or otherwise for your Service has PayPal’s authorisation to include a warranty, and no obligation or liability will arise or grow out of PayPal’s rendering of technical, programming or other advice or service in connection with any Service, licensed software and user document provided (including, without limitation, services that may assist you with the customisation of your Service). PayPal recommends that you test the implementation of the applicable Services thoroughly as PayPal is not responsible for any loss caused by the implementation of the Services.
- PayPal Hosted Integrations and your intellectual property. You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Services (“Your Marks”) for the sole purpose of enabling your use of the Services (including, without limitation, the customisation of your hosted Service). Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you shall indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Services.
8. Banking terms for Card Transactions
PayPal utilises services from banking partners in processing Card Transactions, including both direct payments to you from a card as well as Card Transactions that fund a PayPal payment to you. Schedule 2 below applies in relation to those services. In accepting this Card Agreement, you also accept the terms for Card Transactions in Schedule 2, the terms of which form part of this Card Agreement.
9. Termination and suspension
- By you. You may terminate this Card Agreement at will by doing either of the following:
- Giving 30 days’ notice to PayPal Customer Service of your intent to terminate this Card Agreement. PayPal Customer Service will confirm termination via email. This option lets you stop using your Service and paying for it, but your PayPal account remains open and its User Agreement remains in effect; or
- Closing the PayPal account that you use with your Service (see the User Agreement for more information).
- By PayPal. PayPal may terminate this Card Agreement at will by doing any of the following:
- Giving you 30 days’ notice by email to your registered email address associated with your PayPal account of PayPal’s intent to terminate this Card Agreement. Unless otherwise notified, this option does not affect your User Agreement and your PayPal account remains open.
- Terminating the User Agreement that applies to the PayPal account used with your Service.
- By events. PayPal may terminate this Card Agreement immediately without notice if you:
- Breach this Card Agreement or the User Agreement;
- Become unable to pay or perform your obligations under, this Card Agreement or any of the PayPal Agreements that apply to the Services;
- Become unable to pay your debts, admit your inability to pay your debts or otherwise become insolvent;
- Have any execution, attachment or similar action taken, levied or enforced against you or your assets, or if any garnishee order is issued or served on you;
- Become the subject of any petition presented, order made or resolution passed for the liquidation, administration, bankruptcy or dissolution of all or a substantial part of your business, except where solvent amalgamation or reorganisation is proposed on terms previously approved by PayPal;
- Lose full and unrestricted control over all or part of its assets because of the appointment of a receiver, manager, trustee, liquidator or similar officer;
- Enter into or proposes any composition or arrangement concerning your debts with your creditors (or any class of its creditors);
- A material adverse change occurs in your business, operations, or financial condition; or
- You provide inaccurate information in applying for your Service or in your dealings with us;
- We decide, in our discretion, that you become ineligible for the Services because there is a high level of risk associated with your PayPal account or for any other reason, or upon request by any Acquiring Institution or any of the Card Associations; or
- You violate any Association Rules as they may be amended by the Card Associations from time to time.
- Effect of termination. When this Card Agreement terminates, you agree to complete all pending Card Transactions, immediately remove all logos for cards, and stop accepting new transactions through the terminated Service, and PayPal may prevent or hinder you from using it after termination. If you nevertheless use a Service after termination of this Card Agreement, then this Card Agreement will continue to apply to your use of that Service until you give effect to the termination by stopping your use of that Service. The following clauses in this Card Agreement will survive termination of this Card Agreement and continue in full force and effect: Clauses 2, 5(a) and 9. Termination of this Card Agreement will not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee paid prior to termination.
- Breach and suspension. If you breach this Card Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Service. PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Card Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Card Agreement or PCI DSS, PayPal may suspend your use of your Service pending further investigation.
10. Fraud Protection
If you are offered and choose to use the Fraud Protection Service, the terms in Schedule 3 below will apply to your use of that functionality.
- Future of the Services. PayPal retains sole and absolute discretion in determining
- the future course and development of the Services,
- which improvements to make in them and when, and
- whether and when defects are to be corrected and new features introduced.
- PayPal welcomes feedback from users in planning the future of the Services but is not required to act in accordance with any feedback received. In giving us feedback, you agree to claim no intellectual property interest in your feedback.
- Indemnity. You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable lawyers’ fees) incurred in relation to any third party (including a Shared Customer) and arising (i) out of your breach of this Card Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy), (ii) your use of the Services, including, without limitation, chargebacks, refunds, and Card Association fines and penalties; (iii) your fraudulent transaction or data incidents, or (iv) the violation of any law.
- Assignment, amendment and waiver. You may not assign this Card Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this Card Agreement without your consent by notifying you. Neither party may amend this Card Agreement or waive any rights under it except in a written document signed by both parties. Our failure to act with respect to a breach by you or others does not waive our right to act with respect to subsequent or similar breaches.
- Compliance with Laws. You agree to comply with all applicable laws, rules, or regulations, including the Association Rules.
- Governing law and jurisdiction. This Card Agreement is governed by the laws of Hong Kong. The parties submit to the non-exclusive jurisdiction of the courts of Hong Kong.
Capitalised terms not listed in this clause are defined in the User Agreement or above in this Card Agreement.
- Acquiring Institution: means a financial institution or bank that provides services to you to enable you to (a) accept payment by cardholders using cards; and (b) receive value in respect of Card Transactions.
- Activation Date: The date on which you complete all of the steps for “Getting started” as listed in clause 1(a) above.
- Association Rules: the applicable obligations, rules and guidelines issued by Visa USA, Europe, Asia Pacific, Canada and other Visa regions, MasterCard International Incorporated, American Express Company or other applicable Card Associations, including, without limitation, the Visa Cardholder Information Security Program (CISP), Visa Account Information Security Program (AISP), the MasterCard Site Data Protection Program and PCI DSS. Further information can be found by visiting the following URLs: www.visaeurope.com, www.visaeurope.com/en/businesses__retailers/payment_security/overview.aspx and https://www.mastercard.com/sdp.
- AVS: Information returned by the “Address Verification System” operated by or on behalf of Card Associations, which compares address data provided by an apparent cardholder with address data on file for the card at the card issuer.
- Card Association: A company or group of financial institutions which promulgates rules to govern Card Transactions via cards and payment networks that carry the company’s or the group’s brand. Examples include (where applicable) Visa USA, Visa Europe, and the other Visa regions; MasterCard International Incorporated; American Express Company and similar organisations.
- Card Data: All personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally), together with the cardholder’s name and address and any other information necessary for processing a Card Transaction.
- Card Transaction: A payment made using a credit or debit card, an American Express card, or any other payment method using a physical data-carrying item intended to be held in the payor’s possession. The Services support only certain types of Card Transactions; see the PayPal Website for more information.
- CVV2 Data: The three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and ties the card account number to the plastic.
- Monthly Fee: A fee payable on a monthly basis as required in clause 2 above.
- PayPal Payment Button: means where PayPal is a payment option on a Merchant’s website at checkout, with payments being processed by PayPal through the PayPal APIs and funded directly from a user’s PayPal account.
- “PayPal Services” or “Services” means the Online Card Payment Services or other offerings identified or otherwise provided pursuant to this Card Agreement. Such services may be described more fully on our Website.
- PayPal Website: means www.paypal.com/sg.
- PCI DSS: Payment Card Industry Data Security Standard, i.e. specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org.
- Recurring Billing means the optional feature that, with the consent of your customer, enables you to set up payments that recur at specified intervals and frequencies, as described in more detail on the PayPal Website.
- Recurring Payments means the optional feature that, with the consent of your customer, enables you to set up payments that recur at specified intervals and frequencies, as described in more detail on the PayPal Website.
- Shared Customer: A person who both has a PayPal account and is also your customer.
Schedule 1 – Data Security Requirements
Data Security Requirements
- Merchant's Security Codes obligations
- The Merchant acknowledges and agrees that it is solely responsible for maintaining adequate security and control of any and all IDs, passwords or other security codes (collectively, the “Security Codes”) that are issued to the Merchant by PayPal or the Acquiring Institution.
- The Merchant agrees to restrict use of, and access to, the Merchant’s Security Codes to the Merchant’s employees, agents or contractors as may be reasonably necessary to allow Merchant to use any applicable Service and to ensure that such persons comply with the provisions set out in this Schedule or the other security advice provided to the Merchant by PayPal or the Acquiring Institution (as the case may be).
- Merchant’s obligations to comply with Data Security requirements
- The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control.
- The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website:
- comply with all applicable laws and regulations;
- comply with the Association Rules;
- comply with the Payment Card Industry Data Security Standards (PCI DSS), the Payment Application Data Security Standards (PA DSS), and any Card Association data security requirements, as applicable, including without limitation:
- install and maintain a firewall configuration to protect data;
- not use vendor supplied defaults for system passwords and other security parameters;
- protect stored data;
- encrypt transmission of cardholder data and sensitive information across public networks;
- use and regularly update anti-virus software;
- develop and maintain secure systems and applications
- restrict access to data by business need-to-know;
- assign a unique ID to each person with computer access;
- restrict physical access to cardholder data;
- track and monitor all access to network resources and cardholder data;
- regularly test security systems and procedures; and
- maintain a policy that addresses information security.
At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the Services will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement. The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts.
- undertake non penetrative scans (either quarterly or annually depending on the volume of the Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to the Merchant) of the Merchant’s web accessible ports and an on site audit if the Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor.
For details of Visa and MasterCard Qualified Security Assessors log onto: http://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html or https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
- notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. The Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph;
- provide PayPal with all information or access to records as needed by PayPal to ensure the Merchant’s compliance with this paragraph 3; and
- notify PayPal immediately of any security breach to the Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of the Services.
- The Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association Rule or guidance.
- The Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, the Merchant will allow a third party forensic auditor certified by the Card Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Card Associations. If the Merchant fails to initiate such a process after PayPal’s requesting it to do so, the Merchant authorises PayPal to take such action at the Merchant’s expense.
- PayPal may immediately suspend the Merchant’s access to or use of any of the Services or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 3.
- If PayPal suspends your access to or use of any Service, PayPal will set out in a notice to the Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of the Merchant’s access or use of any Services will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).
- PayPal's obligations to keep data secure
When processing the personal data of cardholders whose transaction data the Merchant submits to PayPal, PayPal will, at all times, ensure that the security measures employed in respect of the storage, transmission or any other processing of such personal data:
- comply with all applicable laws and regulations; and
- employ industry standard or better encryption and security methods as being appropriate for use by financial institutions.
- Merchant's use of cardholder information
- The Merchant agrees to only use, disclose or process, any cardholder information obtained in connection with a Card Transaction (including the names, addresses and card account numbers of cardholders) including for the purposes of authorising, completing and settling Card Transactions and resolving any chargeback or reversal disputes, retrieval requests or similar issues involving Card Transactions. The Merchant will only be able to process cardholder information differently than set out in this paragraph if the Merchant obtains the prior written consent from PayPal and each applicable Card Association, card issuing bank and cardholder or as otherwise pursuant to a court order or otherwise required by law.
- The Merchant agrees to:
- establish and maintain sufficient controls for, limit access to and render unreadable prior to discarding, all records containing cardholder account numbers and card imprints;
- not sell or disseminate any cardholder information obtained in connection with a Card Transaction held in a database or otherwise (including the names, addresses and card account numbers of cardholders);
- not retain or store magnetic stripe data or hardcopies containing cardholder data (including faxes) after a transaction has been authorised; and
- not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request (upon such a request the Merchant agrees to comply).
- The Merchant acknowledges that Association Rules prohibit the sale or disclosure of databases containing Cardholder account numbers, personal information or other Card Association transaction information to third parties as an asset of a failed business. In such cases, the Merchant agrees that transaction information is to be returned to the Acquiring Institution or acceptable proof of destruction of this data is provided.
- The Merchant agrees that it is responsible and liable for compliance with this paragraph by any third-party processor, hosting service or other agent of the Merchant engaged in the processing or storage of cardholder data. The Merchant agrees to notify PayPal in writing of any third party engaged by any third party processor, hosting service or other agent prior to the Merchant engaging them and further immediately notify PayPal in writing of any access to transaction data by any unauthorised person.
- Unless the Merchant receives and records the express consent of the cardholder:
- the Merchant may not retain, track, monitor or store any Card Data, or use Card Data beyond the scope of the specific transaction for which Card Data was given, and
- the Merchant must completely remove all Card Data from its systems, and any other place where it stores Card Data, within 24 hours after it receives an authorisation decision relevant to that Card Data.
- If, with the cardholder’s consent, the Merchant retains Card Data, it may do so only to the extent that the Card Data are necessary for processing payment transactions. The Merchant must never give or disclose the retained Card Data to anyone, not even as part of the sale of its business. Moreover, and regardless of anything to the contrary, the Merchant must never retain or disclose the CVV2 Data, not even with the cardholder’s consent.
- Merchant’s use of a Technical Service Provider
- The Merchant may utilise third parties to perform certain the Merchant obligations set out in this Schedule with our express written consent which may contain conditions as to the Merchant’s use of such a person (each such a party known as a “Technical Service Provider”). To be eligible for consent, each Technical Service Provider must (among other things) be registered with the applicable Card Association.
- If the Merchant is permitted to utilise a Technical Service Provider, the Merchant agrees and will procure that the Technical Service Provider will comply with the provisions relating to data and information security as set out in this Schedule (including, without limitation, PCI DSS requirements) as they apply to storing, processing or transmitting cardholder data to PayPal.
- Prior to, or from the appointment of a Technical Service Provider, the Merchant agrees to:
- notify PayPal in writing of the details of the Technical Service Provider that engages in, or proposes to engage in, the processing, storing or transmitting of Cardholder data on the Merchant’s behalf, regardless of the manner or duration of such activities;
- provide satisfactory evidence to PayPal that the Technical Service Provider is registered with the applicable Card Association;
- comply with any requirements of the Technical Service Provider including, without limitation, complying with any requirements relating with respect to the Technical Service Provider’s services, hardware or software and obtaining any required end user consents for transmission of data through the Technical Service Provider; and
- at PayPal’s discretion, provide PayPal with permission to register the Merchant with the relevant Technical Service Provider (as required).
- The Merchant agrees that it is solely responsible for the relationship with the Technical Service Provider and any data transmitted or made available to the Technical Service Provider. The Merchant’s failure to comply with the provisions set out in this paragraph 7, or the failure of the Technical Service Provider or gateway processor to register and/or comply with the applicable data security requirements may result in fines or penalties which the Merchant is liable for. PayPal may immediately terminate this Card Agreement upon the Merchant breaching this paragraph 7.
Schedule 2 - Bank Agreement
PayPal uses services from third parties to process card transactions. The relevant card agreements are located at https://www.paypal.com/hk/webapps/mpp/ua/ceagreement-full?locale.x=en_HK (Commercial Entity Agreement for PayPal Payment Card Funded Processing Services).
Schedule 3 – Fraud Protection Terms
- How the Fraud Protection works
- The Fraud Protection is made available to you as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you adopt in the Fraud Protection. The tool allows you to set filter rules, i.e. to instruct us about which transactions the tool shall decline on your behalf based on abstract criteria. In order to use the Fraud Protection, you must follow our instructions to actively turn on the Fraud Protection.
- We may provide tips regarding what filters and settings in the Fraud Protection to use that may be appropriate for your business. These suggestions take into account your past transaction history.
- Notwithstanding the above, if you use Fraud Protection, it is your responsibility to determine, and set the final filter rules.
- No Warranty and Limitation of Liability
- We do not represent or warrant that the Fraud Protection is error-free or that it will identify all potentially fraudulent transaction activity. This is simply a tool that would assist you with identifying potential fraudulent transactions.
- We are not liable for your losses (such as loss of profits) or damages arising from or related to your use of the Fraud Protection, to the extent that applicable law allows. The sections of the User Agreement on “Indemnification and Limitations of Liability” and “Disclaimer of Warranty & Release” apply to your use of Fraud Protection.
- Data Protection
- You may only use the Fraud Protection for the purpose of your management of fraud risk and for no other purpose.
- You may not share use of the Fraud Protection with any other person, nor may you disclose to any person the categories provided in the Fraud Protection or the results generated from your use of the Fraud Protection.
- Despite your settings on the Fraud Protection, we always retain the right to decline or suspend any transaction pursuant to the terms of the User Agreement.
- These terms supplement the User Agreement that governs your use of our services in general. The term PayPal services in the User Agreement, when read together with these terms, includes the Fraud Protection, when applicable.
- We may amend, delete or add to these terms in line with any change process set out in the Card Agreement. If you do not agree with any change, you may terminate these terms.
- You may terminate these terms under this Schedule 3 at any time by removing the Fraud Protection from your integration and following any other integration-related steps which we may make available to you. This lets you stop using the Fraud Protection, but otherwise your PayPal account remains open and the Card Agreement (and any other relevant agreements relating to the provision of Services and/or PayPal services to you) remains in effect.
- We may, at any time, for any reason and (where possible) with reasonable prior notice, terminate, cancel or suspend a Service to the extent it relates to our Fraud Protection without liability towards you.
- These terms survive any termination to the extent and for so long as we require to: (i) deal with matters arising from your use of the Fraud Protection prior to termination; and/or (ii) comply with applicable laws and regulations.