PayPal terms and conditions for online card payments
Published: December 16, 2020
These PayPal Terms and Conditions for Online Card Payments (the "Agreement") contain the terms of a contract between you (also known as the "Merchant") and PayPal (Europe) S.àr.l. et Cie, S.C.A (“PayPal” or “we”).
PayPal Europe is licensed as a credit institution in Luxembourg and is monitored by the Luxembourg supervisory authority Commission de Surveillance du Secteur Financier (CSSF). The CSSF is based in L-1150 Luxembourg.
About this agreement
This agreement applies to you if you have registered with PayPal with your place of residence in the Federal Republic of Germany.
By integrating or using products or online card payment services, you are bound by the terms of this agreement. If you are offered any of the products, online card payment services or functionalities (including technology) mentioned in this Agreement and you choose to use them, the terms in this Agreement with respect to that product, online card payment service or functionality shall apply.
- Website Payments Pro is a set of features that includes PayPal Express, the Direct Payment API, Virtual Terminal and Fraud Protection Filters as standard. Optional additional services include Fraud Protection, Advanced Fraud Protection Filters and the Subscription Payments tool;
- Advanced Credit and Debit Card Payments is a set of functions consisting of the Advanced Credit and Debit Card Payments API as standard and Fraud Protection as an optional additional service. We may also offer you the following as optional additional services:
  - all Website Payments Pro features,
  - the vaulting tool, and
  - the account updater service.
- Virtual Terminal - the virtual terminal function as an independent product.
Each of the products includes one or more online card payment services. The online card payment services are:
- Direct payment API - Functionality for carrying out credit and debit card transactions, in which the card details are entered online by the cardholder.
- Advanced Credit and Debit Card Payments API is a functionality for the execution of credit and debit card transactions, in which the card details are entered online by the cardholder, as an alternative to the direct payment API.
- Virtual Terminal - Functionality that allows you to receive card payments if you manually enter the card details submitted by the cardholder.
Please download and save this agreement.
1. Set up and activate your product
1.1. First steps:
In order to obtain and use your product, you must follow the steps below:
1.1.1. Complete the online application and approval process for your account, open a PayPal business account (if you don't already have one), and follow the instructions to access and use your product.
1.1.2. Integrate your product into your website's payment process if your product is Website Payments Pro or Advanced Credit and Debit Card Payments. You are not obliged to integrate your product into the payment process on your website if you only use Virtual Terminal. PayPal is not responsible for any complications resulting from the integration of your product on your website.
1.1.3. Activate your product by using it for payment processing for the first time.
If your product is Website Payments Pro or Advanced Credit and Debit Card Payments, we may allow you to integrate and use the Direct Payment API or the Advanced Credit and Debit Card Payments API either as a PayPal-hosted integration or as a self-hosted integration.
We may set either hosting variant as the default setting for the integration of the Direct Payment API or the Advanced Credit and Debit Card Payments API into the payment process on your website.
1.2. Mandatory use of PayPal Express
If we offer you PayPal Express as part of your product and you choose this product, you will need to implement PayPal Express as part of your website integration. By activating PayPal Express, you agree that your website:
1.2.1. Contains a PayPal Express button, either (A) before you request the shipping / billing address and other financial information from your customers, or (B) on the same page on which you request this information, if you use only one page for your checkout.
1.2.2. Offers PayPal as a payment option alongside the other payment options that you offer for PayPal Express. The PayPal logo must be displayed with the same or greater prominence than the logos for other payment options.
1.2.3. Offers your customers the option not to save their personal data, including email address, shipping or billing address and financial data, as part of the checkout.
We may terminate access to or use of Products and this Agreement at any time prior to the Activation Date by notifying you.
2.1. Method of Payment
You agree to pay the fees specified in this Agreement as they become due, without set-off or deduction. You allow us to deduct the fees directly from payments before they are credited to your PayPal account.
The fees are debited in the currency of the incoming payment.
2.2. Transaction fees for standard PayPal payments
2.3. Transaction fees for receiving card payments
2.4. Additional transaction fees
2.5. Monthly reports on transaction costs
PayPal provides monthly reports on the transaction costs incurred (including interchange fees) for card payments that are processed with the product. These reports can be downloaded from your PayPal account. Standard PayPal payments are not included in the reports.
3. Choice of the Interchange Plus and Blended Pricing fee structures
You can choose the fee structure that applies to you for receiving card payments through any online card payment service (including the Direct Payment API, the Advanced Credit and Debit Card Payments API and/or Virtual Terminal) using the methods or procedures that PayPal makes available to you for this choice. If you do not make a choice, your current fee structure will be retained.
You can only select your fee structure for future transactions, not for transactions that have already been completed. If you choose the Interchange Plus fee structure, the respective Interchange Plus fee structure applies to both our online card payment services and PayPal Here.
The interchange fee is set by Visa and MasterCard. It differs depending on the type of card (e.g. categories and brands). PayPal always charges you the interchange fee in the amount specified by Visa and MasterCard and communicated by the acquiring institution. The interchange fee may be changed from time to time. You can find more information about interchange fees on the websites of MasterCard and Visa as well as in our simplified overview.
If you have chosen the Interchange Plus fee structure, you agree that PayPal may hold funds in the reserve account of your PayPal account when PayPal receives a card payment for you, before the money is transferred to your payment account. You hereby instruct PayPal to transfer these funds to your payment account only on the working day on which PayPal receives information about the interchange fee applicable to the card payment. As long as the funds are in your reserve account, you will see the transaction as "pending". The proceeds from the card payment in your reserve account will only be available to you once PayPal has received information about the applicable interchange fee from its payment processor (this can already be the case on the working day following the day of the card payment by the cardholder).
4. Information security and data protection
4.1. Compliance with data security
You (as the “Merchant”) agree to follow the data protection schedule 1 below, which is an integral part of this agreement.
4.2. PCI DSS compliance
You also agree to adhere to the PCI Data Security Standard (PCI DSS). You are obliged to protect all card data that comes into your possession in accordance with PCI DSS and to create, maintain and operate your website and other systems in accordance with PCI DSS. You need to make sure that your employees are trained enough so that they are familiar with PCI DSS and can meet its requirements. PayPal is not responsible for any costs you incur in complying with PCI DSS. For more information on PCI DSS, visit the PCI Security Standards Council website at: https://www.pcisecuritystandards.org/pci_security/.
4.3. PCI DSS compliance by PayPal
PayPal guarantees that PayPal and your product adhere to the PCI DSS. However, compliance with the standard by PayPal and your product is not sufficient to ensure compliance with PCI DSS by you and your systems and processes.
4.4. 3D Secure
The requirements of the European Central Bank and the banking supervisory authority responsible for PayPal require the use of 3D Secure under certain circumstances. Card associations may also require 3D Secure to reduce excessive card transactions that have not been approved by the cardholder. PayPal may require you to implement 3D Secure for all or only certain card transactions. You agree to introduce 3D Secure upon request, provided that the respective card issuer supports 3D Secure for this card.
4.5. Price and currency
You are prohibited from making payment transactions if the amount is the result of dynamic currency conversion. This means that you cannot list items in one currency and then accept payment in another currency. If you accept payments in multiple currencies, you must show the price for each currency separately.
4.6. Compliance with data protection regulations
You (as the “Merchant”) agree to follow the data protection schedule 2 below, which is an integral part of this agreement. The data protection provisions take precedence over all other data protection provisions in this agreement.
5. Applicability of other legal documents
5.2.1. allow PayPal to set up a reserve to cover your payment obligations with regard to (credit card) chargebacks and fees,
5.3. Commercial Entity Agreement
By agreeing to this Agreement, you also agree to the Commercial Entity Agreements. These are direct agreements with the acquiring institutions, PayPal's banking partners, which enable you to receive card payments and card-funded PayPal payments.
5.4. Data protection
5.5. Additional conditions for accepting American Express cards
If we allow you to accept payments using American Express credit cards, this Section 5.5 applies.
5.5.1. Commercial marketing communication
5.5.2. Direct card acceptance
You accept that American Express can request you to enter into a direct contractual relationship with American Express upon reaching certain monthly and / or annual sales figures determined by American Express for the respective period. In this case, American Express sets the prices for American Express transactions. You then pay the fees for American Express transactions directly to American Express.
5.5.3. Inspection rights
American Express may audit you at any time to verify that its rules are being followed.
5.5.4. Submission and matching rights
You authorize PayPal to submit transactions to American Express, to receive reconciliations from American Express, and to share transaction and merchant data with American Express for analysis and reporting purposes and for other legitimate business purposes. This includes, among other things, commercial marketing communication and important communications about transactions and the contractual relationship. The merchant can stop accepting American Express at any time with a simple notification.
5.5.5. Third party beneficiaries
Under this agreement, American Express is the third party beneficiary for the acceptance of American Express credit cards. As such, American Express has the right to enforce the terms of this Agreement directly against you with regard to the acceptance of American Express. You accept that American Express is not liable for any contractual obligations that PayPal has towards you.
5.5.6. Card presentation, unattended terminals and payment kiosks
You may not accept American Express credit cards for payments under this Agreement if the card is (i) presented at the physical point of purchase or transaction, (ii) used unattended (e.g. at customer-activated terminals), or (iii) presented at a payment kiosk. In addition, you are prohibited from providing American Express customers who visit your physical location with computers or online interfaces through which the cardholders can access their PayPal account.
6. Intellectual Property and ID Codes
6.2. ID codes
PayPal will send you certain identification codes that are unique to you. You use these codes to identify yourself and to authenticate your messages and instructions to us as well as your settings in the PayPal software interfaces. The use of the codes is necessary so that the PayPal system can process the instructions submitted by you (or your website). It is your responsibility to protect the codes and prevent them from being disclosed to parties whom you have not authorized to deal with PayPal on your behalf. You agree to use the reasonable safeguards PayPal provides to protect the security of the authorization codes. If you fail to protect the security of the codes as required, you must notify PayPal as soon as possible so that PayPal can cancel and reissue the codes. PayPal may also cancel and reissue the codes if it has reason to believe that their security has been compromised; you will be notified, provided that such notification can reasonably be delivered.
6.3. Proprietary information and materials relating to PayPal Website Payments Pro and Advanced Credit and Debit Card Payments
As part of your access to and use of PayPal Website Payments Pro and/or Advanced Credit and Debit Card Payments, certain information and materials (the "Pro Materials") will be made available to you for use with the Products. All intellectual property rights that exist in the Pro Materials remain the sole property of PayPal or the respective acquiring institution. You undertake not to hand over, transfer, assign, sell or resell the Pro Materials, in whole or in part, to any person.
6.4. PayPal Hosted Integrations and Your Intellectual Property
You hereby grant PayPal a royalty-free, worldwide, non-exclusive license to use your names, images, logos, trademarks, service marks and/or trade names and those of your partners ("Your Brands") which you make available to PayPal when using the products, solely for the purpose of enabling you to use the products (and in particular to customize your hosted product). You retain ownership of Your Brands and all goodwill resulting from their contractual use. You affirm that you are authorized to grant PayPal the right to use Your Brands. You remain liable to PayPal for any claims and damages that PayPal incurs through the use of Your Brands in connection with the products.
7.1. Fraud Protection
The deadlines in Appendix 3 apply to the application of the fraud protection.
7.2. Vaulting tool
When using the Vaulting Tool, before collecting your customers' card details, you must do the following:
7.2.1. You inform your customers about the following:
7.2.1.1. The information collected is stored and can be accessed by you for future customer payments, including possibly payments from "absent buyers";
7.2.1.2. The customer can update the information; and
7.2.1.3. The customer can revoke their consent.
7.2.2. You obtain your customers' consent to collect and use this information on the basis of the above;
7.2.3. Make sure that when your customers give the above consent and choose to use this function, they do so through a conscious and recorded action, e.g. by clicking on an optional button or activating a checkbox that is not selected by default.
7.3. The account updater service
7.3.1. Description. Subject to the provisions in this Section 7.3, PayPal may provide you with the Account Updater Service, for which PayPal will send the relevant card data of eligible cards to one or more third-party sources and use the information available to PayPal to verify and update the relevant card data. After these verifications, your customers' applicable updated card details, if any, will be processed and stored by PayPal at your instruction and on your behalf so that you can accept subscription payments, recurring payments or other legitimate transactions in the products with the applicable updated card details. If the Account Updater Service is made available to you, PayPal will either send you an email notification that the Account Updater Service has been activated on your account(s), or PayPal will allow you to activate the Account Updater Service via the settings of your PayPal account(s). You can stop using the Account Updater Service at any time by sending PayPal written notice of your decision, or in another form as specified by PayPal.
7.3.2 Permitted use. You acknowledge and agree that the Account Updater Service is provided for the sole purpose of updating the applicable card details so that you can accept transactions in the Products. You may not use the Account Updater Service for any other purpose including, but not limited to, using any portion of the Account Updater Service data in connection with the development of any other service or product.
7.3.4 Confidentiality. You hereby agree that you will treat all information and card data provided by the account updater service, if any, as strictly confidential. You may not disclose such information or credit card information to third parties and you may only use such information or credit card information for purposes that are expressly permitted.
7.3.5. Indemnification. You indemnify PayPal from all losses resulting from a breach of your obligations under this section for the use of the Account Updater Service.
7.3.6 Accuracy of the information. You acknowledge that the Account Updater Service can only be correct to the extent that a card-issuing bank and customer participate and that many card-issuing banks and customers may not participate. You acknowledge and agree that the Account Updater Service may be based on information, card data and services provided to PayPal by third parties.
7.3.7 Termination. PayPal can terminate the account updater service at any time after a corresponding cancellation by email to you.
8. Termination and Suspension
8.1. Termination on your part
You can terminate this contract by notifying PayPal customer service 30 days in advance. You can either
If you are only using Advanced Credit and Debit Card Payments, you can, via PayPal customer service as described in Sections 8.1.1 and 8.1.2 above, request the termination of this Agreement without notice or the immediate closure of the PayPal account that you are using with Advanced Credit and Debit Card Payments.
You can withdraw your consent to card payments with American Express via the product at any time if you notify PayPal customer service in advance.
8.2. Termination by PayPal
PayPal can terminate this agreement and any product-specific parts of the agreement in the following ways:
8.3. Event-related termination
PayPal can terminate this contract without notice if:
8.3.1. You violate this agreement or the user agreement,
8.3.2. You fail to meet your obligations by the time they fall due,
8.3.3. You are unable to pay your debts (within the meaning of section 123 of the Insolvency Act 1986), become insolvent or file for bankruptcy,
8.3.4. Attachments, seizures, foreclosures or comparable measures are initiated or enforced against you or your assets or you are served with an attachment or transfer order,
8.3.5. You become the subject of a motion, order, or resolution to liquidate, administer, bankrupt or dissolve all or a substantial portion of your business, unless a solvency business combination or reorganization is proposed on terms previously approved by PayPal
8.3.6. You lose full control of all or part of your assets as a result of the appointment of an administrator, director, trustee, bankruptcy administrator or the like;
8.3.7. You enter into or propose an amicable settlement or settlement with creditors (or a specific group of creditors),
8.3.8. There is a material, adverse change in your company, your business operations or your financial situation or
8.3.9. You provide false information when applying for your product or when dealing with us.
8.4. Effectiveness of termination.
If this Agreement or any part of it is terminated, you must immediately cease using the terminated products. PayPal can prevent you from further use after cancellation. If you continue to use a product after termination, this Agreement will continue to apply to your use of that product until you permanently cease using the product. The following sections of this Agreement will remain in effect even if this Agreement is terminated: Section 2., 4.1., 8.2., 8.4. Termination of this Agreement or any part of it will not affect the parties' rights, remedies, or obligations prior to termination. You are not entitled to a refund of any monthly fee related to any period prior to termination.
8.5. Breach of Contract and Suspension
If PayPal suspends your access to or use of PayPal Website Payments Pro or Advanced Credit and Debit Card Payments, you will be notified accordingly. The reasons for the suspension will be explained to you. If necessary, you will receive specific instructions on how to end the breach of contract and the suspension of use. If PayPal suspends your access to or use of PayPal Website Payments Pro or Advanced Credit and Debit Card Payments, the suspension will only be lifted once PayPal has satisfied itself that you are no longer in breach of contract.
9.1. Future of products
PayPal reserves absolute freedom of choice with regard to (a) the future direction and development of the products, (b) product improvements and their timing and (c) the elimination of defects and the introduction of new functions. PayPal welcomes user feedback when planning its products, but is under no obligation to act accordingly. If you give us feedback, you are giving up ownership of your feedback.
9.2. Disclaimer of Warranties
Your product and all related documents are provided to you "as is".
PayPal makes no warranties, express or implied, by law or otherwise, regarding:
- your product,
- the licensed software,
- the submitted user documentation.
Services offered by PayPal under this agreement or otherwise for your product contain no guarantee on the part of PayPal.
PayPal does not incur any obligation or liability from the provision of:
- technical advice,
- programming advice,
- other advice or service
in connection with a product, licensed software or submitted user documents. This includes, among other things, services that support you in customizing your product.
PayPal recommends that you carefully review the product implementation as PayPal is not responsible for any damage caused by any defects it contains.
If PayPal hosts your product (i.e. we run the software for you as a web service), it does not guarantee permanent, uninterrupted and secure access to your hosted product.
PayPal is not responsible for any delays or failures in hosting your product.
You accept that the availability of your product may be restricted from time to time to allow repairs, maintenance and the introduction of new facilities or services.
Some countries do not allow the disclaimer of implied warranties, so the above disclaimer may not apply to you.
9.4. Assignment, modification and waiver
You can only assign this contract to third parties with PayPal's prior written consent. PayPal can assign, renew or otherwise transfer this contract to third parties without your consent by simple notification to you. Changes to the contract and the waiver of contractual rights require the written form and the consent of both parties.
9.5. English Law and Jurisdiction
This agreement is governed by the laws of England and Wales. Both parties submit to the non-exclusive jurisdiction of the courts of England and Wales.
„3D Secure“ means a security process that allows a card-issuing bank to authenticate the cardholder who has approved a card transaction at the time of payment. Depending on the card association whose logo appears on the card, 3D Secure is also marketed under other trademarks, including "Verified by Visa" and "MasterCard SecureCode".
„Account Updater Service“ means a functionality that is further defined in Section 7.3.
„Acquiring institution“ means a financial institution or bank that provides services to you and PayPal to enable you to (a) accept payments from cardholders and (b) receive credit from card transactions.
„Activation date“ is the date on which you completed all of the "First steps" listed in Section 1 above.
„Advanced Credit and Debit Card Payments“ means a product as further defined in the "About this Agreement" section.
„Advanced Credit and Debit Card Payments API“ means an online card payment service, which is further defined in the "About this Agreement" section.
„Advanced fraud protection filters“ are a technology provided by PayPal that allows you to verify card payments based on criteria such as the cardholder's billing address (address verification system or AVS), the card's CVV2 data, and databases of suspicious addresses, identifiers and patterns. For more information, see the PayPal website and product documentation. The advanced fraud protection filters provide a higher level of transaction screening: transactions can be automatically flagged, reviewed and rejected based on the individual filter configuration.
„AVS data“ is information issued by the card associations' address verification system, which compares the address data of purported cardholders with the address data that the card issuer holds for the card.
„Card association“ means a company or an association of financial institutions that establishes rules governing card transactions in which the branded card of the company or association is involved. Examples are Visa USA, Visa Europe and the other Visa regions, MasterCard International Incorporated, American Express Company and similar organizations.
„Card data“ includes all personal and financial data relevant to a card transaction, the information recorded on the card itself (in writing or digitally), the name and address of the cardholder and all other data required for processing card transactions.
„Card transactions“ means payments by credit or debit card, American Express card or any other payment source that uses a tangible data carrier in the possession of the payer. The products only support certain types of card transactions. Please visit the PayPal website for more information.
„Critical systems“ refers to the information technology (hardware and software) that you use to operate your products, to protect your products and online sales outlets from intrusion attempts and disruptions, and to store payment data and personal data, including any card data, that you hold on customers.
„CVV2 data“ refers to the three-digit number printed to the right of the card number under the signature panel on the back of the card. (On American Express cards the code has four digits, is not embossed and is found above the card number on the front of the card.) The CVV2 data is uniquely linked to a specific card.
„Data breach“ is a breach or malfunction of a computer system in which card data is stored and in which (a) all or part of the card data in the system is exposed, altered or destroyed, or (b) a qualified information security expert believes there is a significant risk that all or part of the card data in the system is exposed, altered or destroyed. Card data is exposed by unauthorized circumvention of the system's usual access controls or by disclosure of the data to unauthorized persons.
„Direct Payment API“ means an online card payment service, which is further defined in the "About this Agreement" section.
„PayPal Express“ refers to a feature that accelerates online checkout in retail stores using information provided by PayPal. For more information on PayPal Express, see the PayPal website as well as the documents that PayPal provides for PayPal Website Payments Pro and Advanced Credit and Debit Card Payments.
„Fraud Protection“ is a technology provided by PayPal that allows you to verify card payments based on criteria such as the cardholder's billing address (address verification system or AVS), the card's CVV2 data, and databases of suspicious addresses, identifiers and patterns. The technology is offered in the Advanced Credit and Debit Card Payments API as an alternative to the advanced fraud protection filters.
„General Data Protection Regulation“ refers to Regulation (EU) 2016/679 (General Data Protection Regulation) or its successor provisions as well as all other data protection laws for citizens and residents of the Member State of the European Economic Area in which you are resident or your company is based.
„Hosting option“ means (i) a PayPal-hosted integration or (ii) a self-hosted integration.
„Monthly fee“ is a monthly fee as set out in Section 2 above.
„Online card payment services“ is a function provided by PayPal online that allows merchants to receive payments directly from the payer's card (without the money being processed through the payer's PayPal account) and for which the card itself does not need to be presented on the website or at the point of sale. Online card payment services are an integral part of the products. The online card payment services are listed and defined in the "About this Agreement" section.
„PayPal-hosted integration“ means that PayPal's Direct Payment API or Advanced Credit and Debit Card Payments API, as described in Section 1, is integrated into the payment process of your website, with the functionality (including the card entry field) operated entirely on PayPal servers (and not on your website).
„PayPal website“ means the PayPal website for the country in which you are located. In the case of the UK, the PayPal website is currently available at http://www.PayPal.co.uk. You can find information on PayPal websites in other countries via a link on each PayPal website.
„PCI DSS“ is the data security standard of the payment card industry, which contains the requirements of the card associations to ensure data security for card transactions. The PCI DSS is available online at https://www.pcisecuritystandards.org/.
„Product“ or „Your product“ means the product made available to you and used by you after acceptance of this agreement. The products are listed and further defined in the "About this Agreement" section.
„Qualified Security Assessor“ has the meaning given in the PCI DSS.
„Subscription Payments“ means a technology provided by PayPal for setting up payments that recur at certain intervals with the consent of the payer. For more information, see the PayPal website and product documentation.
„Self-hosted integration“ means that the Direct Payment API or PayPal's Advanced Credit and Debit Card Payments API, as described in Section 1, is integrated into the payment process of your website, with the functionality (including the card entry field) operated at least partially on your website.
„Mutual customer“ means a person who has a PayPal account and who is also your customer.
„Standard PayPal payments“ means all payments that you receive from another PayPal account, without a PayPal account being involved, or via local payment sources.
„Vaulting tool“ refers to an API-based technology provided by PayPal that enables you to save and retrieve card data for payments from the payer that recur at certain intervals or frequencies. For more information, see the PayPal website and product documentation.
„Virtual Terminal“ is a function provided by PayPal that allows you to receive card payments by manually entering the card details submitted by the cardholder. Virtual Terminal is an online card payment service and is also a stand-alone product, which is further described in the "About this Agreement" section.
„Website Payments Pro“ means a product described in more detail in the "About this Agreement" section.
Data protection regulations
With Website Payments Pro, Advanced Credit and Debit Card Payments, and Virtual Terminal, you can accept online payments directly from debit and credit cards. These are payment instruments whose security depends on controlling the disclosure of card details: a person with sufficient card details can send or receive a card payment that is debited to the cardholder's account without the cardholder's authorization. To prevent the card data of your common customers from being misused, you must keep the card data secret at all times. The General Data Protection Regulation also stipulates that you must protect the personal data of a common customer.
PayPal strongly recommends that you seek the services of a knowledgeable information security expert who can advise and assist you in securing your website and other points of sale.
Data security principles
1. Design and development
Design and develop your critical systems and all payment-related processes so that you are protected from interference and disruption by unauthorized persons. All users of your systems have to authenticate themselves in the critical systems. In the systems, the access and other authorizations of the users must be restricted. Set up your organizational structure so that important tasks are separated from one another and control points are set up in your company. Don't put too many uncontrolled powers over your systems and operations in the hands of one person. Never give your users more than the authority over your systems and processes that is absolutely necessary for their respective role.
2. Protection against intrusion attempts
Divide your processes into two categories: (1) functions that are available to all users, including users outside your company, and (2) functions that are only available to trusted people in your company. Install a firewall to prevent untrusted users from using internal functions of your critical systems. Use mature and carefully tested technology for your web server and other externally accessible components of your critical systems and only make those functions available externally that are required for common customers and other external users. In order to protect you, free your externally accessible servers of all superfluous functions and thus reduce their vulnerability to external attacks.
3. Access controls
In your critical systems, access to card data and all other personal and relevant data must be restricted to trustworthy persons in your company. Nobody should have more extensive access to this data than is necessary for their respective area of responsibility. All accesses, uses, changes and deletions of card data and other personal and relevant data must be tracked and logged in your systems in order to ensure an audit trail for all such activities. You are also required to restrict access to your critical systems and the resources on which they depend, such as networks, firewalls and databases.
4. Data minimization
The basic rule is: only enter and save the card data and other sensitive data that you need. The safekeeping of card data and personal data entails a liability risk. You can reduce this by saving as little data as possible. When storing card details, first check the real need: PayPal is required to reimburse payments for which the payer's consent is missing. If the user approves another payment, they will usually also provide you with their current card details so that you do not have to save them for future use. Card data that is not stored with you cannot be stolen in the event of a data protection breach.
5. Changes and tests
Only change critical systems in emergencies. Always plan, test and document changes in advance, unless they are routine changes (e.g. adding a user, changing a password, updating the inventory and price adjustments). For major system changes and those that could affect the security and availability of your critical systems, the planned changes should be presented to senior managers for approval. These managers must not be the same people who planned the respective changes. Do not make planned changes to your production systems until they have been carefully tested outside of the production environment. Carry out such tests under the supervision of your risk management team or other persons in your company who are authorized to do so.
6. Examinations (audits)
You are required to review the operation and security of your critical systems at least once a year. This system check must be carried out separately from financial audits. Hire trusted, independent experts to review your critical systems. If you use your own employees as auditors, ensure their independence by protecting them from reprisals and not entrusting them with the administration, operation, modification or testing of your critical systems in parallel.
7. Outsourcing and organizational control
Ensure that all persons who have access to your critical systems or who design, develop, operate, maintain, modify, test or review your critical systems comply with this Agreement and the PCI DSS. It is your responsibility to ensure compliance even if these people are not directly employed by you.
Procedure in the event of a data breach
8. Data breaches
If there is a data breach, you agree to take the following measures:
a. Once you become aware of the data breach, take all necessary measures to stop the data breach and limit its consequences.
b. Notify PayPal as soon as possible after discovering the data breach. To do this, contact your account manager (if one has been assigned to you) or contact our customer service (whose contact details can be found under "Contact"). If (a) and notifying PayPal cannot be done at the same time, do (a) first and then notify PayPal.
c. Notify all common customers whose card details have been or could have been disclosed. In this way, customers can take measures to prevent their card data from being misused. You further undertake to provide this notification immediately upon completion of (a) and (b) and to notify PayPal immediately thereafter, providing a list of the common customers you have notified. If you do not take this step soon after the data breach, PayPal can independently inform the common customers about the data breach and identify them using your PayPal account records for card payments.
d. At PayPal's request, hire a PayPal-approved external auditor to perform security audits of your critical systems and to report on them. You agree to comply with any request by PayPal as set out in this section at your own expense. You are obliged to provide PayPal with a copy of the audit report. PayPal may pass these reports on to the financial institutions (including acquiring institutions) and card associations involved in processing card transactions for PayPal. If you do not initiate the security audit within ten working days of a request by PayPal, PayPal can carry out such an audit itself or commission it at your expense. See also "Appendix 1" on audits.
e. Work with PayPal and follow all reasonable instructions from PayPal to avoid or mitigate the consequences of the data breach, to improve your critical systems to meet the requirements of this Agreement, and to prevent future data breaches. However, PayPal will not require you to do more than this Agreement requires unless the additional measures are appropriate given the risk to common customers and online retail best practices.
f. Do not resume normal operation of your critical systems until you have verified how the data breach occurred and have taken all reasonable steps to address the vulnerabilities that enabled the data breach or could enable further data breaches.
g. Report the data breach to the relevant law enforcement authorities, participate in any investigations and cooperate if the authorities ask you to do so in order to identify and apprehend the perpetrators.
h. Refrain from using card data that has been revealed or tampered with in the course of a data breach. Nothing in this section prevents you from requesting and using the card data again from common customers who have been affected by the data breach as soon as the vulnerabilities in your critical systems according to (f) above have been resolved.
9. The data protection regulations can be found in Appendix 2.
10. Intentionally left blank.
Card data and PCI DSS
11. Storage of card data
You may not receive, trace, monitor or store card data without the express consent of the cardholder to receive and store it. You are obliged to completely and securely destroy all card data received within 24 hours of receiving an authorization decision from the issuer responsible for this card data.
If, with the consent of the cardholder, you store card data for a short period of time, you may only do so to the extent that the card data is necessary for the processing of payment transactions with the consent of the cardholder. You must never pass on or disclose the stored credit card details to third parties. This also applies in the event that your company is sold. In addition, regardless of any statements to the contrary, you may under no circumstances store or disclose the verification and identification data printed on the signature strip on the back of the card (i.e. the CVV2 data). This applies even if the cardholder has given his or her consent.
12. Card data that you are not allowed to save
You declare that, notwithstanding the immediately preceding section, you will not store any personal identification numbers (PIN), CVV2 data or AVS data taken from the magnetic stripe or other digital storage of a cardholder's card (unless this data is also embossed or printed on the front of the card). The card associations can impose fines on you if you violate this section, which reflects the rules of the card associations. In this section, "storage" means storage in digital, electronic, paper-based or other form, but not the temporary collection and holding of data during ongoing processing (and not beyond that).
13. Use of the card data by the merchant
You undertake to use and pass on card data exclusively to obtain authorization from the card issuer, to carry out and bill the card transaction for which you were provided with the card data, and to settle credit card chargebacks, booking disputes or similar problems in connection with card transactions. Under banking law, PayPal is obliged to repay payments for which the payer has not given consent. Your use of card data to carry out card transactions therefore requires the cardholder's consent in order not to result in a chargeback.
14. Safe storage and disposal of card data
You agree to:
a. put in place and maintain appropriate controls to limit access to all records containing card data,
b. not to sell or disclose bank details and information obtained in connection with card transactions to third parties,
c. not to store card data on paper or on portable digital storage devices such as USB sticks or portable hard drives,
d. not to reproduce electronically recorded signatures of cardholders unless expressly requested by PayPal, and
e. to destroy card data by destroying the respective storage medium or by making the card data completely and irreversibly illegible.
If you sell your company, you are not allowed to transfer the card data and any other information that you have about card transactions as an asset of the company in accordance with the rules of the card association. In such cases, you undertake to transmit the card data and all transaction data to PayPal upon request. If PayPal does not request this data, you must destroy it in the event of a company sale.
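Sections 12 and 14 forbid storing CVV2, PIN and magnetic-stripe data and require any retained card data to be kept illegible. The following Python is an added example, not PayPal's code, showing one way a merchant's persistence layer could enforce those rules on a payment record before it is written to storage, while producing the audit events that section 3 asks for; the field names and the constructed sample record are assumptions.

```python
"""Sanitise a card-payment record before it is persisted.

Enforces: sensitive authentication data (CVV2, PIN, track data) is never
stored; a PAN is reduced to first 6 / last 4; PANs that leak into free-text
fields (notes, logs) are masked; every action is recorded for the audit trail.
"""
import re

# Assumed field names carrying data that must never be stored after authorisation.
FORBIDDEN_FIELDS = {"cvv2", "cvv", "cvc", "pin", "pin_block", "track1", "track2"}
# Assumed field names that carry the primary account number.
PAN_FIELDS = {"pan", "card_number"}

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to avoid masking order numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_free_text(text: str) -> str:
    """Replace any Luhn-valid PAN embedded in free text with its masked form."""
    def repl(match: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


def sanitize_record(record: dict) -> tuple[dict, list[str]]:
    """Return (storable_record, audit_events).

    Forbidden fields are dropped, PAN fields are replaced by a masked copy,
    and string fields are scanned for embedded PANs.
    """
    out: dict = {}
    events: list[str] = []
    for key, value in record.items():
        k = key.lower()
        if k in FORBIDDEN_FIELDS:
            events.append(f"dropped forbidden field {key}")
            continue
        if k in PAN_FIELDS:
            out[f"{key}_masked"] = mask_pan(str(value))
            events.append(f"masked {key}")
            continue
        if isinstance(value, str):
            cleaned = redact_free_text(value)
            if cleaned != value:
                events.append(f"redacted embedded PAN in {key}")
            out[key] = cleaned
        else:
            out[key] = value
    return out, events


if __name__ == "__main__":
    # Constructed sample record using publicly known test card numbers.
    sample = {
        "pan": "4111 1111 1111 1111",
        "cvv2": "123",
        "expiry": "12/26",
        "note": "customer read 4242424242424242 over the phone",
    }
    stored, audit = sanitize_record(sample)
    print(stored)
    print(audit)
```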
15. PCI DSS audit
Upon PayPal's request, you undertake to allow a qualified security assessor to check your systems, controls and facilities and to prepare a report for PayPal and the respective card associations. You agree to participate fully in this audit and to grant the security assessor all information and access rights to your systems that the security assessor needs for the security audit. You agree to bear the reasonable cost of such audits. If you do not initiate a security audit despite a request by PayPal, PayPal can initiate it independently at the merchant's expense. Alternatively, PayPal can immediately suspend your use of your product. You will receive a copy of the audit report. PayPal must also receive such a copy and may forward it to all acquiring institutions or card associations that request the report.
1. DEFINITIONS AND INTERPRETATION
1.1. The following terms in this Appendix 2 have the respective meanings given:
"Card data" is defined in Section 2.15 of this Appendix 2.
"Customer" means a customer from the European Union who uses the services of PayPal and is considered a data subject for the purposes of Appendix 2.
"Customer data" refers to the personal data that the customer makes available to the merchant and which the merchant passes on to PayPal via the PayPal services.
"Data controller" (also "controller"), "data processor" (also "processor") and "data subject" have the meaning given to these terms in data protection laws.
"Data protection laws" means the General Data Protection Regulation (EU) 2016/679 (GDPR) as well as all associated regulations and legal instruments and other data protection laws, regulations, regulatory provisions and codes of conduct of the EU member states that apply to the provision of PayPal services by PayPal.
"Data recipient" has the meaning given in Section 2.15 of this Appendix 2.
"PayPal Group" means PayPal and all companies that PayPal or its legal successor directly or indirectly owns or controls at the relevant time.
"Personal data" has the meaning given in the data protection laws.
"Processing" has the meaning given in data protection laws; the terms "process", "processed" and "processing" are to be interpreted accordingly.
"Sub-processor" means any processor entrusted with the processing of personal data by PayPal and/or its subsidiaries.
1.2. Structure
This Appendix 2 comprises (i) Sections 1 through 2 which form the main body of Appendix 2; (ii) Appendix 1; (iii) Appendix 2 and (iv) Appendix 3 (with its appendices).
2. PROCESSING OF PERSONAL DATA IN CONNECTION WITH THE SERVICES
2.1. Merchant as data controller
With regard to customer data processed by PayPal in connection with this agreement, the merchant acts as the data controller and PayPal acts as the processor. PayPal is solely responsible for determining the purpose and manner for which the personal data is processed or is to be processed by PayPal.
2.2. Written instructions from the merchant
PayPal processes customer data exclusively on behalf of and in accordance with the merchant's written instructions. The parties agree that Appendix 2 is the merchant's sole and complete instruction to PayPal with respect to customer data. Further instructions that are given in addition to this appendix (if applicable) require a prior written agreement between PayPal and the merchant, including an agreement on additional fees that the merchant owes PayPal for the implementation of such further instructions. The merchant ensures that his instructions comply with all applicable laws, in particular data protection laws, and that the processing of customer data in accordance with the merchant's instructions does not result in PayPal violating data protection laws. The provisions of this Section 2.2 are subject to the security provisions contained in Section 2.14. The merchant hereby instructs PayPal to process customer data as follows:
a. insofar as this is reasonably necessary for the provision of PayPal services for the merchant and his customers,
b. to use this no longer identifiable personal data directly or indirectly for all purposes after the anonymization of the customer data.
2.3. Cooperation by PayPal
With regard to the customer data to be processed by PayPal in accordance with the contract, PayPal cooperates with the merchant to the extent that is reasonably necessary in order to enable the merchant to fulfill its responsibilities under data protection laws. At the request of the merchant, this includes in particular the following forms of cooperation:
a. Assisting the merchant in the preparation of data protection impact assessments to the extent required of the merchant in accordance with data protection laws;
b. Fulfillment of binding requests from the responsible data protection authorities regarding the disclosure of customer data to the extent required by law.
2.4. Scope and data of the customer data processed by PayPal
2.5. Compliance with Applicable Laws
The parties always comply with the applicable data protection laws.
2.6. Correction, blocking and deletion
If the merchant cannot correct, change, block or delete customer data when using the PayPal services as provided for under data protection laws, PayPal will comply with all economically reasonable requests of the merchant to take such actions, provided that PayPal is legally authorized to do so. As far as legally permissible, the merchant bears all costs that arise from such support on the part of PayPal.
2.7. Requests from data subjects
PayPal will immediately notify the merchant, to the extent permitted by law, of requests from customers in which they request access to, or the correction, amendment or deletion of, personal data. The merchant is responsible for answering all such requests. To the extent permitted by law, PayPal provides the merchant with economically reasonable support and cooperation in relation to such customer requests. The merchant bears the costs resulting from the cooperation on the part of PayPal.
2.8. Training
PayPal undertakes to train its employees in due course and as required on the PayPal obligations arising from Appendix 2. This is to ensure that PayPal staff are aware of their obligations and fulfill them.
2.9. Access restrictions
2.10. Sub-processors
The merchant authorizes the engagement of the members of the PayPal group as sub-processors in connection with the provision of the PayPal services. In addition, the merchant authorizes the involvement of other third parties as sub-processors in connection with the provision of the PayPal services. When a sub-processor is commissioned, PayPal concludes a contract with them that contains provisions for the protection of customer data that are at least as strict as those contained in Appendix 2. PayPal provides the merchant with an up-to-date list of sub-processors for the respective PayPal services with information about their identity.
2.11. Audits and certifications
PayPal undertakes to implement suitable technical and organizational measures as described in Appendix 1 to this Appendix 2 in order to protect customer data from unauthorized or unlawful processing and from accidental loss, destruction and damage as part of the provision of the PayPal services. Since PayPal provides its services uniformly for all merchants via a hosted, web-based application, all appropriate and currently established technical and organizational measures relate to the entire PayPal customer base that is hosted via a specific data center and subscribes to the same service. The merchant acknowledges that the technical and organizational measures are subject to the state of the art. In this context, PayPal is expressly entitled to implement suitable alternative measures, provided that the security level of the measures is maintained when providing the PayPal services.
2.13. Notification of security incidents
If PayPal becomes aware of a security incident in connection with the processing of customer data, PayPal is obliged in accordance with data protection laws: (a) to inform the merchant immediately about the security incident, (b) to immediately take suitable measures to limit damage and secure customer data, (c) to provide appropriate information about the incident and the measures taken to contain the potential risks as far as possible, and (d) to inform the merchant via the channels to be determined by PayPal, whereby notification by email is sufficient. The merchant is solely responsible for the correctness of his contact details.
After termination or expiry of the agreement, PayPal is obliged to delete all customer data that has been processed on behalf of the merchant or to send it back to the merchant. PayPal deletes the existing copies of this customer data, unless these are to be kept in order to comply with legal regulations.
2.15. Data portability
After termination or expiry of this agreement, PayPal will, upon written request from the merchant, provide the merchant's new acquiring bank or new payment service provider ("data recipient") with all available credit card information and personal data of the merchant's customers ("card data"). For this, the merchant provides PayPal with all the information requested and, in particular, with proof that the data recipient meets the association-specific PCI DSS requirements and PCI Level 1. PayPal undertakes to pass on the card data to the data recipient, provided the following conditions are met: (a) the merchant provides PayPal with proof that the data recipient meets the association-specific PCI DSS requirements and PCI Level 1, for which purpose he presents PayPal with a certificate or a report from an approved provider on compliance with the association-specific PCI DSS requirements as well as all other information reasonably requested by PayPal; (b) the transmission of the card data complies with the latest version of the association-specific PCI DSS requirements; and (c) the transmission of the card data is permitted under the applicable association rules and the applicable laws, rules and regulations (including data protection laws).
3. EU STANDARD CONTRACTUAL CLAUSES
The EU Standard Contractual Clauses are set out in Appendix 3 ("EU Standard Contractual Clauses"). The EU Standard Contractual Clauses only apply to customer data that is transferred from merchants in the European Economic Area (EEA) or Switzerland to a country outside the EEA which, according to the European Commission, does not offer sufficient protection for personal data (according to the GDPR) and in which PayPal stores and processes customer data.
This Appendix 2 and the Agreement constitute the complete and final instructions to the data importer regarding the processing of customer data. Additional and alternative instructions require a separate agreement. For the purposes of Clause 5 (a) of the EU Standard Contractual Clauses, the data exporter issues the following instructions: (a) Customer data must be processed in accordance with the agreement and (b) Customer data generated by merchants during the contract period as part of the service use must be processed. These instructions also include the duration, subject, scope and purpose of the processing.
3.3. Audits and certifications
The parties agree that the controls described in Clause 5 (f), Clause 11 and Clause 12 (2) of the EU Standard Contractual Clauses are fulfilled as follows: the provisions of Appendix 2, Section 2.11 apply to the data importer in the same way as to PayPal.
3.4. Proof of deletion
The parties agree that the certificate on the deletion of personal data described in Clause 12 (1) is only to be provided by the data importer upon request by the data exporter.
The parties agree that all liability between them under Appendix 2 and the EU Standard Contractual Clauses (which, with regard to the data importer, is aggregated with that of PayPal until the total liability limit stipulated in the agreement is reached) is subject to the terms of the agreement (including its limitation of liability), except that the liability limit does not apply to liability that arises for the data importer under the provisions of the EU Standard Contractual Clauses on the rights of third parties vis-à-vis data subjects.
3.6. Exclusion of third party rights
Subject to Section 4.6, PayPal is granted third-party rights with respect to obligations that expressly favor the data importer or PayPal in accordance with Appendix 2. The data subjects are granted third party rights in accordance with the EU standard contractual clauses. All other rights of third parties are excluded.
Signed for (insert merchant name) ……………………………………
Name of the signatory …………………………………… Position of the signatory ……………………………………
On behalf of PayPal (Europe) S.à r.l. et Cie, S.C.A.
Name of the signatory …………………………………… Position of the signatory …………………………………… Date ……………………………………
Technical and organizational measures
The following technical and organizational measures are implemented:
1. Measures to prevent unauthorized use of the facilities used for data processing,
2. Measures to prevent data carriers from being read, copied, changed or moved by unauthorized persons,
3. Measures to prevent the unauthorized entry of data into the information system and the unauthorized reading, modification and deletion of the recorded data,
4. Measures to prevent the data processing systems from being used by unauthorized persons by means of data transmission devices,
5. Measures to ensure that authorized persons using automated data processing systems can only access data in their area of responsibility,
6. Measures to ensure the verification and recording of the identity of third parties to whom the data is transmitted by means of data transmission equipment,
7. Measures to ensure that the identity of persons who have access to the information system and the data entered into the system can be subsequently checked and recorded at any time and by any authorized person,
8. Measures to prevent data from being read, copied, changed or deleted without permission, if it is passed on or data carriers are moved,
9. Measures to secure the data by making backup copies.
Processing of customer data
Categories of data subjects
"Customer data" refers to the personal data that the customer makes available to the merchant and which the merchant passes on to PayPal via the PayPal services.
Subject of the processing
The payment processing provided by PayPal enables the merchant to accept credit cards, debit cards and other payment sources from customers on websites and mobile applications.
Type and purpose of processing
PayPal processes customer data sent by the merchant to PayPal in order to verify the customer's source of payment for payments for goods or services to the merchant.
Type of personal data
Customer data: The merchant informs PayPal of the type of customer data that PayPal processes according to this agreement. Should there be any changes to the type of customer data that PayPal processes, the merchant will notify PayPal of this immediately. PayPal processes the following customer data transmitted by the merchant:
- Advanced Credit and Debit Card Payments
- Payments Pro Payflow
- Bank details and sort code
- Card or payment instrument (optional)
- Primary account number of the card (PAN)
- Expiry date of the card
- Corporate tax number
Special categories of data (if applicable)
The transmission of special categories of data is not intended.
The contract period.
EU STANDARD CONTRACTUAL CLAUSES
Transfer of personal data from the data controller to the processor (from EEA countries)
Within the meaning of Article 26 (2) of Directive 95/46/EC on the transfer of personal data to processors who are based in third countries and do not guarantee an adequate level of data protection
Company of the data exporter: ……………………………………
Tel.: ……………………………………
Fax: ……………………………………
Email: ……………………………………
Further information to identify the organization: …………………………… (data exporter)
Data importer company: PayPal, Inc.
Address: 2211 North First Street, San Jose, CA 95131
Further information to identify the organization: …………………………… (data importer)
each a "party", together the "parties",
AGREE to the following contractual provisions (the "Provisions") to ensure adequate safeguards for the protection of privacy and the fundamental rights and freedoms of natural persons in relation to the transfer of personal data by the data exporter to the data importer in accordance with Annex 1.
For the purposes of this clause, the following terms have the respective meanings given:
- (a) The terms "personal data", "special categories of data", "processing", "data controller", "processor", "data subject" and "supervisory authority" have the meaning given to them in Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- (b) "Data exporter" means the data controller who transfers the personal data.
- (c) "Data importer" means the processor who receives personal data from the data exporter, processes it on his behalf and in accordance with these provisions, and is not subject to a third-country system that guarantees adequate protection within the meaning of Article 25 (1) of Directive 95/46/EC.
- (d) "Sub-processor" means a processor who is commissioned by the data importer or by another sub-processor of the data importer and who consents to receive personal data from the data importer or another sub-processor of the data importer, such data being intended solely for processing on behalf of the data exporter in accordance with its instructions, these provisions and the respective subcontract.
- (e) "Applicable data protection law" means the legislation to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with regard to the processing of personal data, which applies to the data exporter in the member state in which the data exporter is located.
- (f) "Technical and organizational security measures" means measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Individual provisions for data transmission
Details on data transfer and in particular on the special categories of personal data can be found in Appendix 1, which forms an essential part of these provisions.
Third party beneficiaries
1. Data subjects can use this clause, clause 4 (b) through (i), clause 5 (a) to (e) and (g) to (j), clause 6 (1) and (2), clause 7, clause 8 (2) and clauses 9 to 12 as third party beneficiaries against the data exporter.
2. Data subjects can enforce this clause, clause 5 (a) to (e) and (g), clause 6, clause 7, clause 8 (2) and clauses 9 to 12 against the data importer if the data exporter has ceased to exist factually or legally, unless a legal successor has taken over all rights and obligations of the data exporter by contract or by law, in which case the data subject can enforce the specified clauses against that successor.
3. Data subjects can enforce this clause, clause 5 (a) to (e) and (g), clause 6, clause 7, clause 8 (2) and clauses 9 to 12 against the sub-processor if both the data exporter and the data importer have ceased to exist factually or legally or are insolvent, unless a legal successor has taken over all rights and obligations of the data exporter by contract or by law, in which case the data subject can enforce the specified clauses against that successor. Such liability of the sub-processor is limited to its own processing activities under the clauses.
4. The parties do not object to the data subject being represented by an association or other body, provided he or she expressly so wishes and national law permits.
Data Exporter's Obligations
The data exporter warrants and undertakes:
- (a) that the processing of personal data and their transfer is carried out in accordance with the relevant provisions of the applicable data protection law (and, if applicable, the competent data protection authorities of the member state in which the data exporter is located) and that it does not violate the legal provisions of that state,
- (b) that he has instructed the data importer to process the transferred personal data exclusively on behalf of the data exporter and in accordance with the applicable data protection law and these provisions for the entire duration of the processing of personal data,
- (c) that the data importer offers sufficient guarantees with regard to the technical and organizational security measures set out in Annex 2 of this contract,