General security

PayPal: Chargebacks and Dispute Resolution

Daniel Dimov
May 23, 2013 by
Daniel Dimov
  1. Introduction

PayPal Inc. is a global provider of online payment services established in 1998 in Palo Alto, California. In 2012, PayPal Inc. generated a total revenue of $5.6 billion USD. . One of its main advantages is that it allows users to automatically convert funds from one currency to another. As a result, users need not have separate accounts for each currency. At present, PayPal supports 17 currencies and can be used in over 100 countries. Every second, more than $1,000 is transferred through PayPal's financial engine.

In order to protect its customers against the risks associated with doing online business, PayPal complies with the decisions concerning chargebacks made by payment card companies. However, the buyer cannot file a chargeback directly on the PayPal website. They must file the chargeback directly to the issuer of the payment card.

A chargeback can be defined as the reversal of a prior transfer of funds from a consumer's payment instrument to a merchant. Chargebacks can be provided for technical reasons (e.g. bank processing errors, expired card authorization), clerical reasons (e.g. duplicate billing and incorrect amount billed), quality reasons (undelivered goods or services), and information security reasons (e.g. identity theft).

The present contribution describes PayPal's approach to chargebacks submitted to issuers of payment cards (Section 2) and provides suggestions as to how to avoid it (Section 3). Also, it contains overviews of PayPal's dispute resolution procedure (Section 4) and the Payment Card Industry Data Security Standard (Section 5). The implementation of the Payment Card Industry Data Security Standard may significantly decrease the number of chargebacks and disputes concerning goods or services paid online through payment cards. Finally, a conclusion is drawn (Section 6).

2. PayPal's approach to chargebacks


PayPal does not make decisions on whether or not chargebacks submitted to issuers of payment cards should be granted. PayPal simply complies with the rules imposed by payment card providers, such as American Express, Master Card, Visa, and others. Any legal entity or individual who accepts, issues, or processes payment cards is bound by those rules.

It should be noted that payment card companies typically assume that the buyer is right. The reason is that they do not want to deteriorate their business relationships with cardholders. In order to protect sellers against unjustified chargebacks, PayPal created their Seller Protection Policy (SPP). The SPP covers transactions of physical goods against claims of fake, non receipt or unauthorized payment. If the physical goods are shipped to a confirmed address within seven days of payment and the seller has electronic proof of delivery for the shipment, including signature for payments over 250 USD, PayPal will protect the sellers against unauthorized chargebacks and return the money taken as a result of such chargebacks.

3. Suggestions as to how to avoid chargebacks


The best way to manage chargebacks is by avoiding them. There are two ways to avoid chargebacks, namely, (1) taking additional security measures in relation to unusual shipping requests and (2) increasing the communication with the buyer. These two ways are explained in more detail below.

Unusual shipping requests, such as requests for shipment to strange addresses or very urgent requests, may be an indication that the buyer is paying with a stolen card. Accepting such requests may lead to chargebacks for unauthorized payments. Therefore, e-commerce companies need to thoroughly examine unusual shipping requests before accepting them.

The increased communication between the buyer and the seller may prevent unclarities concerning the transaction and, therefore, decrease the number of chargebacks against the seller. That is why it is better to provide the seller with more information than with too little information.

4. An overview of PayPal's dispute resolution procedure

If a buyer is not satisfied with a transaction paid by using PayPal, they need to inform the seller immediately through PayPal's Resolution Centre. Then, by communicating with each other, the buyer and the seller may resolve the dispute between them without the help of an intermediary.

If the buyer and the seller cannot resolve the dispute between themselves, the buyer will need to escalate the dispute to a claim. However, in order to file a claim, the buyer needs to satisfy four conditions: (1) the claim must be for physical goods that can be shipped; (2) the purchase was made with PayPal as a payment method; (3) the full price of the item was paid in one single amount via PayPal; and (4) the buyer's PayPal account must be in "good standing." The following goods/services are not covered by PayPal's dispute resolution procedure: vehicles, intangibles, licenses and access to digital content, airline flight tickets, real estate, businesses for sale, and prohibited items on the "PayPal Acceptable Use Policy" (Available on https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=ua/AcceptableUse_full).

The claim can be filed within 20 calendar days after opening the dispute. By submitting a claim, the buyer requests PayPal to make a decision on the claim in accordance with the terms of the PayPal User Agreement. The buyer and the seller can respond to PayPal's information requests and follow the progress of the claim in PayPal's Resolution Centre.

PayPal tries to resolve cases within 30 days, but complex cases may take a longer time.

Because PayPal's dispute resolution procedure provides a remedy for buyers in e-commerce disputes, it plays an important role in the field of e-commerce consumer protection. However, it should be pointed out that the scope of PayPal's dispute resolution procedure is limited. The reason is that the only possible remedy in PayPal's dispute resolution procedure is the reversal of payment.

5. The Payment Card Industry Data Security Standard


The Payment Card Industry Data Security Standard (The PCI DSS) was developed by the Payment Card Industry Council with the aim to (1) ensure the security of cardholder data and (2) facilitate the adoption of data security measures on a global level. It applies to organizations involved in payment card processing, such as acquirers, issuers, merchants, processors, issuers, and service providers. By implementing the PCI DSS, organizations may decrease the number of information security incidents and, thus, the number of chargebacks and disputes arising from such incidents.

The PCI DSS contains technical and operational requirements grouped in the following twelve categories: (1) the installation and maintenance of a firewall configuration to protect data; (2) not using vendor-supplied defaults for system passwords and other security parameters; (3) protection of stored cardholder data; (4) encryption of transmissions of cardholder data and sensitive information across public networks; (5) using and regularly updating anti-virus software; (6) developing and maintaining secure systems and applications; (7) restricting access to data by business need-to-know criteria; (8) assigning a unique ID to each person with data access in order to monitor activity; (9) restricting physical access to cardholder data; (10) tracking and monitoring all access to network resources and cardholder data; (11) regularly testing security systems and processes; and (12) maintaining a policy that addresses information security.

As can be seen from the previous paragraph, the PCI DSS mirrors security best practices. Companies willing to comply with the PCI DSS need to take the following three steps: (1) Assess, (2) Remediate, and (3) Report. These three steps are discussed in detail below.

Assess

The first step includes the vulnerability assessment of IT assets and business processes used for payment card processing. The Payment Card Industry Council provides programs for two kinds of independent experts to help with the PCI DSS assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendors (ASVs). QSA are organizations that have been qualified by the Payment Card Industry Council to assess compliance to the PCI DSS standard. ASVs are organizations providing commercial software tools and analysis services for performing external vulnerability scans for payment processing systems.

Remediate

The second step includes fixing the discovered vulnerabilities. The remediation process consists of the following five steps: (1) scanning the network with software programs analyzing infrastructure to spot known vulnerabilities; (2) reviewing and remediation of vulnerabilities found during the assessment; (3) classifying and ranking the vulnerabilities in order to facilitate the process of prioritizing the remediation measures; (4) applying changes, fixes, patches, and workarounds to unsafe processes; (5) re-scanning checks aiming to confirm that remediation was successful.

Report

The third step includes the submission of compliance reports to the acquiring bank and payment brands with which the vendor makes business. All merchants, processors, and service providers may be obliged to submit quarterly scan reports. These scan reports have to be performed by an ASV. Businesses with larger transaction volumes are obliged to have an annual on-site assessment completed by a QSA and send the findings to each acquirer. Businesses with smaller transaction volumes may be obliged to submit an annual attestation within the Self-Assessment Questionnaire (SAQ). The SAQ is a validation tool that can be used only by eligible entities. An entity qualifying to use SAQ may self-evaluate its PCI DSS compliance.

6. Conclusion


PayPal's approach to chargebacks is based on a strict compliance with the rules imposed by payment card providers. Because the success of payment card providers' business depends on the satisfaction of the cardholders, payment card providers are nearly 100% biased towards siding with buyers when it comes to requests concerning chargebacks. Consequently, the parties in the chargeback procedures offered by the payment card providers are not on an equal footing.

That is why vendors need to take measures to prevent the occurrence of events that may lead to chargebacks. This article suggested two ways to avoid chargebacks, namely, taking security measures in relation to unusual shipping request and increasing the communication with the buyer.

Apart from the chargeback procedure offered by payment card providers, a buyer who is not satisfied with a transaction paid via PayPal may commence PayPal's dispute resolution procedure. The procedure allows the buyer and the seller to resolve dispute between them with or without the help of an intermediary.

Finally, the article discussed the PCI DSS. Compliance with the PCI DSS will not only decrease the number of disputes and chargebacks in PayPal, but also show to the buyer that the information security of their payment cards is a top priority of the vendor.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

References

  1. Bird, R., Reder, M., Darrow, J., Lichtenstein, S., Aresty, J., Klosek, J.,"CyberLaw: Text and Cases", Cengage Learning, 2011.
  2. Bradley, T., "PCI Compliance: Implementing Effective PCI Data Security Standard Standards", Elsevier Science Limited, 2007.
  3. Chuvakin, A., Williams, B., "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance", Elsevier, 2010.
  4. Cortés, P., "Online Dispute Resolution for Consumers in the European Union", Taylor & Francis, 2010.
  5. Hörnle, J., "Cross-border Internet Dispute Resolution", Cambridge University Press, 2009.
  6. Kim, D., Solomon, M., "Fundamentals of Information Systems Security", Jones & Bartlett Learning, 2010.
  7. Moeller, R., "Cyber Security and Privacy Control", John Wiley & Sons, 2011.
  8. PCI Security Standards Council, "Getting Started with PCI Data Security Standard" October 2010. Available on https://www.pcisecuritystandards.org/documents/PCI%20SSC%20-%20Getting%20Started%20with%20PCI%20DSS.pdf .
  9. Roebuck, K., "PCI Data Security Standards (PCI DSS): High-impact Strategies - What You Need to Know: Definitions, Adoptions, Impact, Benefits, Maturity, Vendors", Lightning Source Incorporated, 2011.
  10. Savage, M., "The PayPal Official Insider Guide to Internet Security: Spot scams and protect your online business", Peachpit Press, 2012.
  11. Sofield, S., Nielsen, D., Burchell, D., "PayPal Hacks: 100 Industrial-Strength Tips & Tools", O'Reilly Media, 2009.
  12. Virtue, T., "Payment Card Industry Data Security Standard Handbook", John Wiley & Sons, 2008.
  13. Weinstein, S., Macewan, N., Geach, N., "Electronic and mobile commerce law", University of Hertfordshire Press, 2011.
  14. Williams, D., "Pro PayPal E-Commerce", Apress, 2007.
  15. Wright, S., "PCI DSS: A Practical Guide to Implementation", Bernan Assoc, 2009.
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.