Blog | Paypal tightens its security
11th November 2014
Paypal customers will today have received an update to their Terms & Conditions, and given that most won’t have the time to read them we thought we would summarise. The full update can be found on Paypal’s site.
Using your identity to improve security
Users of Paypal POS and mobile (and potentially other services) can now be required to add an image of themselves. This picture can then be shared with anyone you are transacting with.
“…If you use certain functionalities provided by us (including, without limitation, PayPal POS functionality on your mobile app) we may ask you to upload a picture of you in order to provide these specific services. Your face must be recognisable. Your image is solely your responsibility.
If you are using your mobile app, we may share your picture that you have stored with your mobile app with other PayPal users so that they can identify you. You license us to use your image for the above purposes on a non-exclusive, worldwide, royalty-free, transferable and sub-licensable basis.
We may also share with other users the fact that you are within local reach as a customer….”
PCI-DSS Compliance is also your responsibility
The majority of businesses use a third-party merchant gateway to take payments and, in so doing, defer their PCI DSS compliance responsibilities to it. As card data entered on your website is never seen by you – only by the likes of Paypal – you do not need to worry about the extensive legalities (and costs) surrounding storing and managing card data.
Paypal is now making you more responsible. Recognising that there are still instances where multi-channel companies may take cardholder data (over the phone, following returns, etc.) – particularly when using its Virtual Terminal – it is asking you to be stringent too.
“…Your PCI DSS compliance. You also agree to comply with the PCI Data Security Standard (PCI DSS). You must protect all Card Data that comes within your control according to PCI DSS, and you must design, maintain and operate your website and other systems in conformity with PCI DSS. You must ensure that your staff are and remain sufficiently trained so that they are aware of PCI DSS and can carry out its requirements. PayPal is not responsible for any costs that you incur in complying with PCI DSS.
“PayPal’s PCI DSS compliance. PayPal warrants that PayPal and your Product comply and will comply with PCI DSS. However, PayPal’s compliance, and your Product’s, are not sufficient to achieve compliance with PCI DSS by you and your systems and processes…”
Also worth mentioning
Paypal has also outlined the exact names of the third-party companies it may pass your data to as part of its operations, including Duedil, DemandGen (email marketing) and StrikeAd (retargeting advertising).
There is also clarity over what transactions it will process – if you don’t have the funds then it won’t send money to another user.
It also outlines its Principles of Data Security, including reserving the right to visit and audit your premises to check on your cardholder data security.
It’s certainly worth taking a look at these terms and conditions revisions which can be found here.