>> View all legal agreements

PayPal Advanced Credit and Debit Card Agreement (previously the PayPal Website Payments Pro - Hosted Solution and Virtual Terminal Agreement)

Last Update: October 31, 2020



About this Agreement

This Advanced Credit and Debit Card Agreement (previously the PayPal Website Payments Pro – Hosted Solution / Virtual Terminal Agreement) ("Card Agreement") is a contract between you (also referred to as the “Merchant”) and PayPal Pte. Ltd. ("PayPal", "we", "us" or "our" as the context may require). You agree that any use by you of the any of the Products (as defined below) that we offer to you will constitute your acceptance of this Card Agreement and we recommend that you store or print-off a copy of this Card Agreement.

This Card Agreement applies to your use of the following products (“Products”). To proceed with obtaining one or more of the Products below, you must read, agree with and accept all of the terms and conditions contained in this Card Agreement.

The Products are:

  1. Advanced Credit and Debit Card Payments (previously known as PayPal Website Payments Pro (Hosted Solution)): functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder, integrated into the payment process of your website pursuant to clause 1 of this Card Agreement, by being hosted entirely on PayPal’s server (rather than on your website).
  2. Custom Card Fields: a suite of functionality consisting of Custom Card Fields API as standard, and Custom Card Fields Fraud Protection, as an optional additional service. We may also offer you other Advanced Credit and Debit Card Payments functionality as part of the Custom Card Fields; and
  3. Virtual Terminal: functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.

Each of the Products above includes one or more of the online card payment services APIs, being:

  1. Direct Payments API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder.
  2. Custom Card Fields API - Functionality for performing credit and debit card transactions, where the card details are entered online by the cardholder, as an alternative to the Direct Payments API.
  3. Virtual Terminal - Functionality provided by PayPal to enable you to receive a card payment by manually entering Card Data given to you by the cardholder.

We may make changes to this Card Agreement by giving notice of such change by posting a revised version of this Card Agreement on the PayPal website(s). You will be deemed to have accepted the change after you have received notice of it. We will give you 14 days’ notice of any change with the change taking effect once the 14-day notice period has passed. The 14-day notice period will not apply where a change relates to the addition of a new service, extra functionality to the existing Products, or any other change which we believe in our reasonable opinion neither reduce your rights nor increase your responsibilities. In such instances, the change will be made without notice to you and will be effective immediately at the time we post it on our website,.

If you do not agree with any changes to this Card Agreement, you may terminate this Card Agreement as set out in clause 7. If you do not object to a change by closing your PayPal account within the 14-day notice period, you will be deemed to have accepted it. While you may close your PayPal account at any time and without charge, please note that you may still be liable to us after you terminate this Card Agreement for any liabilities you may have incurred and are responsible for prior to terminating this Card Agreement and please further note our rights under the User Agreement.

Capitalised terms are defined below. Please view, download and save this Card Agreement.


Jump to section:

1. Setting up and activating your Product

2. Fees

3. Information Security; Data Protection; Data Portability

4. User Agreement and how our legal documents apply

5. Software licence

6. Banking terms for Card Transactions

7. Termination and suspension

8. Fraud Protection

9. Miscellaneous

10. Definitions

11. Schedule 1 – Data Security Requirements

12. Schedule 2 – Card Agreement

13. Schedule 3 – Fraud Protection Terms


1. Setting up and activating your Product

  1. Getting started. To obtain and use the relevant Product, you must carry out the following:
    1. complete the online application process for the relevant Product, open a PayPal business account (if you do not already have one), and follow our instructions set out in PayPal's online process to access and use your Product.
    2. integrate the relevant Product into the payment process of your website, if your Product is Advanced Credit and Debit Card Payments or Custom Card Fields. You are not required to integrate your Product into the payment process of your website if you only access and use Virtual Terminal. PayPal is not responsible for any problems that could occur by integrating your Product into your 'live' website. You are solely responsible for choosing, setting, integrating and customising your Product and ensuring that it suits your needs.
    3. activate your Product by using it in a ‘live’ payment transaction for the first time.
  2. Parity among payment methods. In displaying payment options on your website, you must display the logos of PayPal and the Card Associations with size and prominence equal among themselves and among those of other payment methods. You must not display a preference for one payment method over another. In using PayPal’s logo and buttons, you also agree to comply with the logo usage standards located at: https://www.paypal.com/sg/cgi-bin/webscr?cmd=xpt/Marketing/general/OnlineLogoCenter-outside or as updated from time to time.
  3. Credit report authorisation. You agree to allow PayPal to obtain from a third party your credit history and financial information about your ability to perform your obligations under this Card Agreement in the manner set out in the PayPal Privacy Statement. PayPal will review your credit and other risk factors of your PayPal account (including but not limited to, reversals and chargebacks, customer complaints, claims) on an ongoing basis. PayPal will store, use and disclose the information obtained in conformity with PayPal’s Privacy Statement.
  4. Cancellation. PayPal may terminate your access and/or use of any Product and/or terminate this Card Agreement at any time before the Activation Date by notifying you.


2. Fees

In consideration of PayPal providing the Products to you, you agree to pay the fees in the amount and manner as agreed upon with PayPal during the application process.


3. Information Security; Data Protection; Data Portability

  1. Compliance with Data Security Schedule. You agree to comply with Schedule 1 below, which forms part of this Card Agreement.
  2. Price and currency. You may not submit payment transactions in which the amount is the result of dynamic currency conversion. This means that you may not list an item in one currency and then accept payment in a different currency. If you are accepting payments in more than one currency, you must separately list the price for each currency.
  3. Compliance with Data Protection Addendum. You (as the Merchant) and we agree to comply with the data protection addendum found here, which forms part of this Card Agreement. The terms of the Data Protection Schedule prevail over any conflicting terms in this Card Agreement relating to data protection and privacy.
  4. Data Portability. Upon any termination or expiry of this Card Agreement, PayPal agrees, upon written request from the Merchant, to provide the Merchant’s new acquiring bank or payment service provider (“Data Recipient”) with any available credit card information including personal data relating to the Merchant’s Customers (“Card Information”). In order to do so, the Merchant must provide PayPal with all requested information including proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements and is level 1 PCI compliant. PayPal agrees to transfer the Card Information to the Data Recipient so long as the following applies: (a) the Merchant provides PayPal with proof that the Data Recipient is in compliance with the Association PCI-DSS Requirements (Level 1 PCI compliant) by providing PayPal a certificate or report on compliance with the Association PCI-DSS Requirements from a qualified provider and any other information reasonably requested by PayPal; (b) the transfer of such Card Information is compliant with the latest version of the Association PCI-DSS Requirements; and (c) the transfer of such Card Information is allowed under the applicable Association Rules, and any applicable laws, rules or regulations (including data protection laws).


4. User Agreement and how our legal documents apply

  1. User Agreement applies. The terms of the User Agreement apply to you and are incorporated by reference into this Card Agreement. The term PayPal services in the User Agreement will include the applicable Products. In case of any inconsistency between this Card Agreement and the User Agreement, this Card Agreement supersedes the User Agreement, but only to the extent of that inconsistency and in relation to the relevant Product. The User Agreement can be found via a link in the footer of nearly every PayPal web page. The User Agreement includes important provisions which:
    1. permit PayPal to take a reserve to secure your obligation to pay chargebacks, reversals and fees;
    2. obligate you to follow PayPal’s Acceptable Use Policy in your use of PayPal;
    3. give legal effect to PayPal’s Privacy Statement, which governs our use and disclosure of your information and that of Shared Customers; and
    4. permit PayPal to restrict a payment or your PayPal account in circumstances listed in the User Agreement.
  2. Failed payments and Product tools. You are responsible for chargebacks, reversals and other invalidated payments as provided in the User Agreement, regardless of how you use and configure your Product, including its fraud filtering technology and similar preventive tools (if any) or your use of the Fraud Protection product. Those tools can be useful in detecting fraud and avoiding payment failures, but they do not affect your responsibility and liability pursuant to the User Agreement for chargebacks, reversals and payments which are otherwise invalidated.


5. Software licence

  1. Licence. PayPal hereby grants to you a non-exclusive, non-transferable, revocable, non-sublicenseable, limited license to
    1. use your Product in accordance with the documentation provided by us and as set out on the PayPal Website from time to time; and to
    2. use the documentation provided by PayPal for your Product and reproduce it for internal use only within your business. Your Product as licensed is subject to change and will evolve along with the rest of the PayPal system; see clause 9(a). You must comply with the implementation and use requirements contained in all PayPal documentation and instructions accompanying the Product issued by PayPal from time to time (including, without limitation, any implementation and use requirements we impose on you to comply with applicable laws and card scheme rules and regulations).
  2. ID codes. PayPal will provide you with certain identifying codes specific to you. The codes identify you and authenticate your messages and instructions to us, including operational instructions to PayPal software interfaces. Use of those codes may be necessary for the PayPal system to process instructions from you (or your website). You must keep the codes safe and protect them from disclosure to parties whom you have not authorised to act on your behalf in dealing with PayPal. You agree to follow reasonable safeguards advised by PayPal from time to time in order to protect the security of those identifying codes; see also Schedule 1. If you fail to protect the security of the codes as advised, you must notify PayPal as soon as possible, so that PayPal can cancel and re-issue the codes. PayPal may also cancel and re-issue the codes if it has reason to believe that their security has been compromised, and after notifying you whenever notice can reasonably be given.
  3. No warranty. Your Product and all accompanying documentation are provided to you on an “as is” basis. To the extent permitted by law, PayPal does not give or offer any warranty, express or implied, by operation of law or otherwise, in relation to your Product, the licensed software or user documentation provided. Nothing provided by PayPal under this Card Agreement or otherwise for your Product has PayPal’s authorisation to include a warranty, and no obligation or liability will arise or grow out of PayPal’s rendering of technical, programming or other advice or service in connection with any Product, licensed software and user document provided (including, without limitation, services that may assist you with the customisation of your Product). PayPal recommends that you test the implementation of the applicable Products thoroughly as PayPal is not responsible for any loss caused by the implementation of the Products.
  4. Ownership of Advanced Credit and Debit Card Payments and Custom Card Fields information and materials. As part of the Merchant’s access to, and use of Advanced Credit and Debit Card Payments and/or Custom Card Fields, the Merchant will be provided with certain information and materials (the “Materials”) for its use with the Products. All intellectual property rights associated with the Materials remain the property of PayPal or the relevant Acquiring Institution (as the case may be). The Merchant agrees to not give, transfer, assign, novate, sell, resell (either partly or in whole) the Materials to any person.
  5. PayPal Hosted Integrations and your intellectual property. You hereby grant to PayPal a royalty-free, worldwide non-exclusive licence to use your or any of your affiliates’ names, images, logos, trademarks, service marks, and/or trade names as you may provide to PayPal when using the Products (“Your Marks”) for the sole purpose of enabling your use of the Products (including, without limitation, the customisation of your hosted Product). Title to and ownership of Your Marks and all goodwill arising from any use hereunder will remain with you. You represent and warrant that you have the authority to grant PayPal the right to use Your Marks and you shall indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any claims or losses suffered by it arising from the use of Your Marks in connection with the Products.


6. Banking terms for Card Transactions

PayPal utilises services from banking partners in processing Card Transactions, including both direct payments to you from a card as well as Card Transactions that fund a PayPal payment to you. Schedule 2 below applies in relation to those services. In accepting this Card Agreement, you also accept the terms for Card Transactions in Schedule 2, the terms of which form part of this Card Agreement.


7. Termination and suspension

  1. By you. You may terminate this Card Agreement at will by doing either of the following:
    1. Giving 30 days’ notice to PayPal Customer Service of your intent to terminate this Card Agreement. PayPal Customer Service will confirm termination via email. This option lets you stop using your Product and paying for it, but your PayPal account remains open and its User Agreement remains in effect; or
    2. Closing the PayPal account that you use with your Product (see the User Agreement for more information).
  2. By PayPal. PayPal may terminate this Card Agreement at will by doing any of the following:
    1. Giving you 30 days’ notice by email to your registered email address associated with your PayPal account of PayPal’s intent to terminate this Card Agreement. Unless otherwise notified, this option does not affect your User Agreement and your PayPal account remains open.
    2. Terminating the User Agreement that applies to the PayPal account used with your Product.
  3. By events. PayPal may terminate this Card Agreement immediately without notice if you:
    1. Breach this Card Agreement or the User Agreement;
    2. Become unable to pay or perform your obligations as they fall due;
    3. Become unable to pay your debts, admit your inability to pay your debts or otherwise become insolvent;
    4. Have any execution, attachment or similar action taken, levied or enforced against you or your assets, or if any garnishee order is issued or served on you;
    5. Become the subject of any petition presented, order made or resolution passed for the liquidation, administration, bankruptcy or dissolution of all or a substantial part of your business, except where solvent amalgamation or reorganisation is proposed on terms previously approved by PayPal;
    6. Lose full and unrestricted control over all or part of its assets because of the appointment of a receiver, manager, trustee, liquidator or similar officer;
    7. Enter into or proposes any composition or arrangement concerning your debts with your creditors (or any class of its creditors);
    8. A material adverse change occurs in your business, operations, or financial condition; or
    9. You provide inaccurate information in applying for your Product or in your dealings with us.
  4. Effect of termination. When this Card Agreement terminates, you must immediately stop using the terminated Product, and PayPal may prevent or hinder you from using it after termination. If you nevertheless use a Product after termination of this Card Agreement, then this Card Agreement will continue to apply to your use of that Product until you give effect to the termination by stopping your use of that Product. The following clauses in this Card Agreement will survive termination of this Card Agreement and continue in full force and effect: Clauses 2, 5(a) and 9. Termination of this Card Agreement will not affect any rights, remedies or obligations of the parties that have accrued or become due prior to termination, and you will not be entitled to a refund of any Monthly Fee paid prior to termination.
  5. Breach and suspension. If you breach this Card Agreement, the User Agreement, or a security requirement imposed by PCI DSS, PayPal may immediately suspend your use of your Product. PayPal may require you to take specified corrective actions to cure the breach and have the suspension lifted, although nothing in this Card Agreement precludes PayPal from pursuing any other remedies it may have for breach. In addition, if PayPal reasonably suspects that you may be in breach of this Card Agreement or PCI DSS, PayPal may suspend your use of your Product pending further investigation.


8. Fraud Protection

If you are offered and choose to use the Fraud Protection product, the terms in Schedule 3 below will apply to your use of that functionality.


9. Miscellaneous

  1. Future of the Products. PayPal retains sole and absolute discretion in determining
    1. the future course and development of the Products,
    2. which improvements to make in them and when, and
    3. whether and when defects are to be corrected and new features introduced.
    4. PayPal welcomes feedback from users in planning the future of the Products but is not required to act in accordance with any feedback received. In giving us feedback, you agree to claim no intellectual property interest in your feedback.
  2. Indemnity. You agree to indemnify PayPal and keep PayPal fully indemnified on a continuing basis from any direct loss, damage and liability, and from any claim, demand or cost (including reasonable lawyers’ fees) incurred in relation to any third party (including a Shared Customer) and arising out of your breach of this Card Agreement, the User Agreement and the documents incorporated in it by reference (including the Acceptable Use Policy), or the violation of any law.
  3. Assignment, amendment and waiver. You may not assign this Card Agreement without first obtaining PayPal’s written consent. PayPal may assign, novate or otherwise transfer this Card Agreement without your consent by notifying you. Neither party may amend this Card Agreement or waive any rights under it except in a written document signed by both parties.
  4. Governing law and jurisdiction. This Card Agreement is governed by the laws of Singapore. The parties submit to the non-exclusive jurisdiction of the courts of Singapore.


10. Definitions

Capitalised terms not listed in this clause are defined in the User Agreement or above in this Card Agreement.

a. Acquiring Institution: means a financial institution or bank that provides services to you to enable you to (a) accept payment by cardholders using cards; and (b) receive value in respect of Card Transactions.

b. Activation Date: The date on which you complete all of the steps for “Getting started” as listed in clause 1(a) above.

c. AVS: Information returned by the “Address Verification System” operated by or on behalf of Card Associations, which compares address data provided by an apparent cardholder with address data on file for the card at the card issuer.

d. Card Association: A company or consortium of financial institutions which promulgates rules to govern Card Transactions that involve the card that carries the company’s or the consortium’s brand. Examples include (where applicable) Visa USA, Visa Europe, and the other Visa regions; MasterCard International Incorporated; American Express Company and similar organisations.

e. Card Data: All personal or financial information relevant to a Card Transaction, including information recorded on the card itself (whether in human-readable form or digitally), together with the cardholder’s name and address and any other information necessary for processing a Card Transaction.

f. Card Transaction: A payment made using a credit or debit card, an American Express card, or any other payment method using a physical data-carrying item intended to be held in the payor’s possession. The Products support only certain types of Card Transactions; see the PayPal Website for more information.

g. CVV2 Data: The three-digit number printed to the right of the card number in the signature panel area on the back of the card. (For American Express cards, the code is a four-digit unembossed number printed above the card number on the front of the American Express card.) The CVV2 Data are uniquely associated with each individual plastic card and ties the card account number to the plastic.

h. Fraud Protection: Technology provided by PayPal to enable you to check a card payment against criteria such as the cardholder’s billing address (Address Verification Service or AVS), the card’s CVV2 Data, and databases of suspicious addresses, identifiers, and patterns, offered together with the applicable Product.

i. Monthly Fee: A fee payable on a monthly basis as required in clause 2 above.

j. PayPal Website: means www.paypal.com/sg.

k. PCI DSS: Payment Card Industry Data Security Standard, i.e. specifications prescribed by Card Associations to ensure the data security of Card Transactions. A copy of PCI DSS is available online from https://www.pcisecuritystandards.org.

l. Shared Customer: A person who both has a PayPal account and is also your customer.

m. User Agreement: The contract entered into online as part of the online registration process required to open a PayPal account. The current User Agreement is to be found via a link from the footer of nearly every page on the PayPal Website. It includes certain policies, notably the Acceptable Use Policy and Privacy Policy, which are also listed on the PayPal Website.


Schedule 1 – Data Security Requirements

Data Security Requirements


  1. Merchant's Security Codes obligations
    1. The Merchant acknowledges and agrees that it is solely responsible for maintaining adequate security and control of any and all IDs, passwords or other security codes (collectively, the “Security Codes”) that are issued to the Merchant by PayPal or the Acquiring Institution.
    2. The Merchant agrees to restrict use of, and access to, the Merchant’s Security Codes to the Merchant’s employees, agents or contractors as may be reasonably necessary to allow Merchant to use any applicable Product and to ensure that such persons comply with the provisions set out in this Schedule or the other security advice provided to the Merchant by PayPal or the Acquiring Institution (as the case may be).


  1. Merchant’s obligations to comply with Data Security requirements
    1. The Merchant acknowledges and agrees that it is fully responsible for the security of data on its website or otherwise within its possession or control.
    2. The Merchant agrees to do the following with respect to its processing of its customers’ personal identifiable information and the collection, security and dissemination of data on the Merchant’s website:
      1. comply with all applicable laws and regulations;
      2. comply with the applicable obligations, rules and guidelines issued by Visa USA, Europe, Asia Pacific, Canada and other Visa regions, MasterCard International Incorporated, American Express Company or other applicable Card Associations and the “Association Rules”, including, without limitation, the Visa Cardholder Information Security Program (CISP), Visa Account Information Security Program (AISP), the MasterCard Site Data Protection Program and PCI DSS. Further information can be found by visiting the following URLs: www.visaeurope.com, www.visaeurope.com/en/businesses__retailers/payment_security/overview.aspx and https://www.mastercard.com/sdp.
      3. PCI/DSS include the requirements that the Merchant must, without limitation:
        1. install and maintain a firewall configuration to protect data;
        2. not use vendor supplied defaults for system passwords and other security parameters;
        3. protect stored data;
        4. encrypt transmission of cardholder data and sensitive information across public networks;
        5. use and regularly update anti-virus software;
        6. develop and maintain secure systems and applications
        7. restrict access to data by business need-to-know;
        8. assign a unique ID to each person with computer access;
        9. restrict physical access to cardholder data;
        10. track and monitor all access to network resources and cardholder data;
        11. regularly test security systems and procedures; and
        12. maintain a policy that addresses information security.

        At PayPal’s request, the Merchant must provide PayPal with evidence to PayPal’s satisfaction that it is in compliance with PCI DSS. The Merchant acknowledges and agrees that nothing in this Card Agreement nor PayPal providing the PayPal Website Payment Pro and/or Virtual Terminal Product will constitute compliance by the Merchant to the PCI DSS whether via a third party “Qualified Security Assessor” and such compliance services are not provided under the scope of this Card Agreement. The Merchant must design, maintain and operate its website and other systems in conformity with PCI DSS. PayPal is not responsible for any costs that you incur in complying with PCI DSS. The Merchant agrees to independently arrange, at its own expense, evidence from a Qualified Security Assessor or otherwise to PayPal’s satisfaction. If the Merchant does not initiate a security audit within 10 business days of PayPal’s request, PayPal may conduct or obtain such an audit at the Merchant’s expense. PayPal may advise Shared Customers, if PayPal has reason to believe that a fraud or other illegitimate activity may be occurring or may have occurred, and if PayPal reasonably believes that the fraud or other illegitimate activity may affect those Shared Customers’ PayPal accounts.

      4. undertake non penetrative scans (either quarterly or annually depending on the volume of the Merchant’s annual transactions as notified by either PayPal or the Acquiring Institution to the Merchant) of the Merchant’s web accessible ports and an on site audit if the Merchant processes six million Visa and/or MasterCard/Maestro transactions annually which must be completed by a Qualified Security Assessor.

        For details of Visa and MasterCard Qualified Security Assessors log onto: http://www.mastercard.com/us/sdp/serviceproviders/compliant_serviceprovider.html or https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf.
      5. conspicuously post a privacy policy on the Merchant’s website which complies with the laws, regulations, rules and guidelines referred to in sub-paragraphs 3(b)(i) and 3 (b)(ii) and which is consistent with good business practice;
      6. notify PayPal of any agent, including any web hosting service, gateway, shopping cart or other third party provider, that has access to cardholder data and ensure that such agent is compliant with PCI DSS and all current legal obligations associated with the collection, security and dissemination of data and the processing of personal information. The Merchant will be liable to PayPal for any and all damages, losses, costs, expenses and/or claims made to, or suffered by, PayPal as a result of a breach by such third parties obligations under this sub-paragraph;
      7. provide PayPal with all information or access to records as needed by PayPal to ensure the Merchant’s compliance with this paragraph 3; and
      8. notify PayPal immediately of any security breach to the Merchant’s records or system as it relates to the Merchant’s access to, and/or utilisation of the Products.
    3. The Merchant agrees to not store any personal identification number data, AVS (address verification service) data or card validation codes (for example, the three digit values printed in the signature panel of most cards and the four digit code printed on the front of the American Express card) of any cardholder or any other payment method information of any cardholder (whether received electronically, verbally, by fax, hardcopy or otherwise) and will be liable for any fines associated with the breach of any relevant Association Rule or guidance.
    4. The Merchant acknowledges and agrees that if PayPal receives notice of a security breach or compromise of cardholder data in connection with the Merchant, the Merchant will allow a third party forensic auditor certified by the Card Associations to conduct a security review of the Merchant’s systems, controls and facilities and to issue a report to PayPal and the Card Associations. If the Merchant fails to initiate such a process after PayPal’s requesting it to do so, the Merchant authorises PayPal to take such action at the Merchant’s expense.
    5. PayPal may immediately suspend the Merchant’s access to or use of any of the Products or terminate without notice this Card Agreement upon notice of the Merchant potentially breaching or breaching any provision set out in this paragraph 3.
    6. If PayPal suspends your access to or use of any Product, PayPal will set out in a notice to the Merchant and explain the basis of PayPal’s actions in suspending the Merchant, including measures reasonably calculated to rectify the breach. PayPal’s suspension of the Merchant’s access or use of any Products will remain in effect and until such time as PayPal is satisfied that the Merchant has remedied the applicable breach(es).
  1. PayPal's obligations to keep data secure

    When processing the personal data of cardholders whose transaction data the Merchant submits to PayPal, PayPal will, at all times, ensure that the security measures employed in respect of the storage, transmission or any other processing of such personal data:

    1. comply with all applicable laws and regulations; and
    2. employ industry standard or better encryption and security methods as being appropriate for use by financial institutions.


  1. Merchant's use of cardholder information
    1. The Merchant agrees to only use, disclose or process, any cardholder information obtained in connection with a Card Transaction (including the names, addresses and card account numbers of cardholders) including for the purposes of authorising, completing and settling Card Transactions and resolving any chargeback or reversal disputes, retrieval requests or similar issues involving Card Transactions. The Merchant will only be able to process cardholder information differently than set out in this paragraph if the Merchant obtains the prior written consent from PayPal and each applicable Card Association, card issuing bank and cardholder or as otherwise pursuant to a court order or otherwise required by law.
    2. The Merchant agrees to:
      1. establish and maintain sufficient controls for, limit access to and render unreadable prior to discarding, all records containing cardholder account numbers and card imprints;
      2. not sell or disseminate any cardholder information obtained in connection with a Card Transaction held in a database or otherwise (including the names, addresses and card account numbers of cardholders);
      3. not retain or store magnetic stripe data or hardcopies containing cardholder data (including faxes) after a transaction has been authorised; and
      4. not reproduce any electronically captured signature of a cardholder except on PayPal’s specific request (upon such a request the Merchant agrees to comply).
    3. The Merchant acknowledges that Association Rules prohibit the sale or disclosure of databases containing Cardholder account numbers, personal information or other Card Association transaction information to third parties as an asset of a failed business. In such cases, the Merchant agrees that transaction information is to be returned to the Acquiring Institution or acceptable proof of destruction of this data is provided.
    4. The Merchant agrees that it is responsible and liable for compliance with this paragraph by any third-party processor, hosting service or other agent of the Merchant engaged in the processing or storage of cardholder data. The Merchant agrees to notify PayPal in writing of any third party engaged by any third party processor, hosting service or other agent prior to the Merchant engaging them and further immediately notify PayPal in writing of any access to transaction data by any unauthorised person.
    5. Unless the Merchant receives and records the express consent of the cardholder:
      1. the Merchant may not retain, track, monitor or store any Card Data, or use Card Data beyond the scope of the specific transaction for which Card Data was given, and
      2. the Merchant must completely remove all Card Data from its systems, and any other place where it stores Card Data, within 24 hours after it receives an authorisation decision relevant to that Card Data.
    6. If, with the cardholder’s consent, the Merchant retains Card Data, it may do so only to the extent that the Card Data are necessary for processing payment transactions. The Merchant must never give or disclose the retained Card Data to anyone, not even as part of the sale of its business. Moreover, and regardless of anything to the contrary, the Merchant must never retain or disclose the CVV2 Data, not even with the cardholder’s consent.


  1. Merchant’s use of a Technical Service Provider
    1. The Merchant may utilise third parties to perform certain the Merchant obligations set out in this Schedule with our express written consent which may contain conditions as to the Merchant’s use of such a person (each such a party known as a “Technical Service Provider”). To be eligible for consent, each Technical Service Provider must (among other things) be registered with the applicable Card Association.
    2. If the Merchant is permitted to utilise a Technical Service Provider, the Merchant agrees and will procure that the Technical Service Provider will comply with the provisions relating to data and information security as set out in this Schedule (including, without limitation, PCI DSS requirements) as they apply to storing, processing or transmitting cardholder data to PayPal.
    3. Prior to, or from the appointment of a Technical Service Provider, the Merchant agrees to:
      1. notify PayPal in writing of the details of the Technical Service Provider that engages in, or proposes to engage in, the processing, storing or transmitting of Cardholder data on the Merchant’s behalf, regardless of the manner or duration of such activities;
      2. provide satisfactory evidence to PayPal that the Technical Service Provider is registered with the applicable Card Association;
      3. comply with any requirements of the Technical Service Provider including, without limitation, complying with any requirements relating with respect to the Technical Service Provider’s services, hardware or software and obtaining any required end user consents for transmission of data through the Technical Service Provider; and
      4. at PayPal’s discretion, provide PayPal with permission to register the Merchant with the relevant Technical Service Provider (as required).
    4. The Merchant agrees that it is solely responsible for the relationship with the Technical Service Provider and any data transmitted or made available to the Technical Service Provider. The Merchant’s failure to comply with the provisions set out in this paragraph 7, or the failure of the Technical Service Provider or gateway processor to register and/or comply with the applicable data security requirements may result in fines or penalties which the Merchant is liable for. PayPal may immediately terminate this Card Agreement upon the Merchant breaching this paragraph 7.


Schedule 2 - Card Agreement

Card Agreements

PayPal uses services from third parties to process card transactions. The relevant card agreements are located at https://www.paypal.com/al/webapps/mpp/ua/ceagreement-full?locale.x=en_AL (Commercial Entity Agreement for PayPal Payment Card Funded Processing Services).


Schedule 3 – Fraud Protection Terms

Terms of use of the Fraud Protection Functionality

  1. How the Fraud Protection works
    1. The Fraud Protection is made available to you as a fraudulent transaction management tool to help you screen potentially fraudulent transactions based on the settings you adopt in the Fraud Protection. The tool allows you to set filter rules, i.e. to instruct us about which transactions the tool shall decline on your behalf based on abstract criteria. In order to use the Fraud Protection, you must follow our instructions to actively turn on the Fraud Protection.
    2. We may provide tips regarding what filters and settings in the Fraud Protection to use that may be appropriate for your business. These suggestions take into account your past transaction history.
    3. Notwithstanding the above, it is your responsibility to determine, and set the final filter rules.
  2. No Warranty and Limitation of Liability
    1. We do not represent or warrant that the Fraud Protection is error-free or that it will identify all potentially fraudulent transaction activity. This is simply a tool that would assist you with identifying potential fraudulent transactions.
    2. We are not liable for your losses (such as loss of profits) or damages arising from or related to your use of the Fraud Protection, to the extent that applicable law allows.
  3. Data Protection
    1. You may only use the Fraud Protection for the purpose of your management of fraud risk and for no other purpose.
    2. You may not share use of the Fraud Protection with any other person, nor may you disclose to any person the categories provided in the Fraud Protection or the results generated from your use of the Fraud Protection.
  4. Miscellaneous
    1. Despite your settings on the Fraud Protection, we always retain the right to decline or suspend any transaction pursuant to the terms of the User Agreement.
    2. These terms supplement the User Agreement that governs your use of our services in general. The term PayPal services in the User Agreement, when read together with these terms, includes the Fraud Protection, when applicable.
    3. We may amend, delete or add to these terms in line with any change process set out in the Card Agreement. If you do not agree with any change, you may terminate these terms.
    4. You may terminate these terms under this Schedule 3 at any time by removing the Fraud Protection from your integration and following any other integration-related steps which we may make available to you. This lets you stop using the Fraud Protection, but otherwise your PayPal account remains open and the Card Agreement (and any other relevant agreements relating to the provision of Products and/or PayPal services to you) remains in effect.
    5. We may, at any time, for any reason and (where possible) with reasonable prior notice, terminate, cancel or suspend a Product to the extent it relates to our Fraud Protection without liability towards you.
    6. These terms survive any termination to the extent and for so long as we require to: (i) deal with matters arising from your use of the Fraud Protection prior to termination; and/or (ii) comply with applicable laws and regulations.