WTF?
Let me get this right? So a seller can add any sum AFTER you have approved a transaction?
How is this even legal?
An apparent flaw that lets users add any amount of money onto already processed PayPal transactions is a feature, not a bug, according to the payments giant. The function was designed to allow sellers to add additional costs for services like shipping on the top of transaction totals which customers had approved through the …
My company took an issue with PayPal to the Luxembourg regulator, but all I can say is good luck with that. Even with access to French-speaking staff and a pretty formidable international legal team we kept hitting a lot of brick walls. It's very different to what you would expect from the FSA, for example. I'm sure we could have got somewhere eventually but when you rely on the PayPal monopoly you really don't want your main payments provider being out of action for 2-3 years while you drag through the courts.
Eventually what worked best was potential for bad press, they seem to be much more afraid of that than the Luxembourg regulator.
"After looking into the issue, we communicated this is not in fact a vulnerability. We work closely with our merchants who use Express Checkout to provide them the flexibility they need to complete their transactions in a timely manner so they can offer excellent payments experiences to their customers."
An excellent payment experience is when you hand over the cash for something, and then find out that it's currently on special and you're getting it at a discounted rate.
It does not mean that once you have paid for the goods, the merchant is then able to tack on extra expenses just because they can.
is the fact that the merchant has taken more money than authorised.
I see the email coming in, I ignore it because it confirms a payment I just authorised.
a) Merchants should get the shipping charges right *before* sending you to paypal
b) paypal should have a DIFFERENT and scarily worded "Merchant has claimed more money than agreed" email that gets sent out in these cases.
There is also some onus on you to check emails. If you ignore important emails like transaction confirmations then you're asking for trouble.
There are bugs in all sorts of banking and payment systems so unfortunately the consumer must take some responsibility for discovering these.
To follow up - it would be an interesting case for eBay seems to think that clicking the "buy" button is completely binding and commits you to purchase (I'm talking about a buy it now, not an auction). You are now in a situation where you are committed to buying something that the vendor could pile on some additional charges not mentioned in the price shown by the buy it now button...
Here's my experience with them:
- so many years ago, you could pay securely through PayPal:
1. buy something on eBay for a given amount
2. generate an electronic VISA/Mastercard number at your bank for *that very amount only*
3. put it on PayPal and send the money to the seller
4. Voila
I did it a lot and no matter what phishing or paypal bugs there would be, it was safe. Then, they removed (with no explanation) the ability to do step 3. You had to put your real VISA/Mastercard number, which is basically a wide open gate to your bank account. Now your bank account security is ensured by PayPal.
Now they're setting up the knobs to be attractive to dodgy selling practices, like hidden fees, surprise fees, whatever fees you weren't aware of when committing to a purchase. Then they are a lot more appealing than any VISA/Mastercard online systems. Et Voila.
Needless to say, I stopped using them when they forbade step 3. Sorted.
They basically sneakily moved from a convenience relay (that needn't be regulated) to a full payment (that must be) and no-one noticed. Time for regulators to wake up.
PayPal wasn't so bad back when eBay would let sellers request/accept money orders or checks from buyers. Back then, you could totally avoid the shitpit that was PayPal. But now they are pretty much the only method that eBay will let us occasional sellers use. And they still suck.
Putting it on your Visa/Mastercard is fine, if you're using a credit card and not debit card. If you get screwed, you dispute the charge and don't have to pay it because it is settled well before you have to make the payment. While the same is technically true for a debit card, in the US at least, the money is already out of your account until the dispute is found in your favor, which could be a real problem depending on what your balance normally is and how much money was taken.
What pisses me off is step 2 is pretty much gone in the US. You would think credit card companies would like virtual account numbers since using them fraudulently is impossible, but maybe they like fraudulent charges overall because probably a lot of people don't watch their statements closely and don't notice small fraudulent charges.
"Putting it on your Visa/Mastercard is fine, if you're using a credit card and not debit card. If you get screwed, you dispute the charge and don't have to pay it because it is settled well before you have to make the payment. "
I think the law is possibly the same here (France) but even then, setting up an open gate to my account is not OK to me. Crookery business model: you screw someone, if he complains, then things are back to balance and no impact on you, if he doesn't notice, you win. So in the long term, the crook wins. PayPal is in this business model.
"What pisses me off is step 2 is pretty much gone in the US. You would think credit card companies would like virtual account numbers since using them fraudulently is impossible, but maybe they like fraudulent charges overall because probably a lot of people don't watch their statements closely and don't notice small fraudulent charges."
No-one except you and me watches their bank statements. That's why if regulation doesn't put pressure on banks to make transactions secure, people will get screwed without knowing.
Things are getting OKish here in the land of Napoleon but probably elsewhere, people may have to pressure the local MP.
As a merchant we do use this feature from time to time to collect more funds than have been authorised at checkout, BUT only after contacting the customer first for approval and also to get that approval via email - this is just good practice we feel to prevent chargebacks.
Paypal merchants (and I don't believe this is restricted to just PayPal, but Sage, Worldpay etc are the same) are able to capture 15% more than the authorisation on Credit Card payments and 10% more on PayPal payments up to a maximum of $75 but we have never been able to go above this and we have needed to try previously - but it gets denied in which case we have to get the customer to get payment details again.
This is documented here: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/authcapture/
If the additional 200 euros in this article is true then I would say this was a bug as it's above the $75 threshold.
As I won't give my CC details to paypal, I just simply add up my purchases, and transfer to PayPal that amount. From Finnish banks, at least, I can credit PP within 1 hour - free of bank charges.
Only card I have authorised through PP is my Visa Electron card (for transferring back when I felt flushed some time ago, and stuck €50/mo. in there. I don't do that anymore).
Not a problem.
If you have an agreement with a seller to add costs for shipping or other extras then that is what they can legally add to the approved charges. It's highly unlikely any reputable seller is going to add more than what has been approved. Being able to add shipping or other charges is NOT a bug in the software as alleged, it truly is a feature. Anyone that is unscrupulous and adds more than agreed to by the buyer should be prosecuted for fraud just like if a brick and mortar operation overcharged for delivery. As usual this story is a bunch of nonsense by people trying to make a software feature into a bug when it is not. There will always be people with an ax to grind...
A couple times I bought buy it now items off Ebay that listed a range for shipping costs, and the total amount ended up being in the range so I didn't think much about it. There should be some way that Paypal can have the buyer authorize a maximum amount and no way for the merchant to go over it. If you're buying something with the understanding that price/shipping is fixed that there's no range, that's the only amount that should be authorized.
If this isn't a bug, it is really shady, but being shady is nothing new to Paypal. There's a reason why only morons would link their bank account (either directly or via their debit card) to Paypal. If you're a seller and someone disputes, they can pull money out of your account and you have no recourse. With a credit card, that's not possible. If you're a buyer only I would have guessed using a debit card is OK (but I still would never do it, credit cards are better protected by US law) but I guess this shows that is not true.