PayPal’s New Fraud Rules Are Key For PFs

PayPal announced Wednesday (May 4) a series of payments policy changes, including late-to-the-game restrictions on gift cards, a longtime favorite cyberthief tool. Given PayPal’s massive marketshare, payment facilitators need to watch closely any policy changes the no-longer-Ebay-unit makes. In short, any fraud-related changes that PayPal makes gives political cover for any PF to mimic the move.

The biggest change is that PayPal is now excluding “items equivalent to cash, including gift cards” from its PayPal Seller Protection program. It made a similar change to its Purchase Protection program by “clarifying the exclusion for items equivalent to cash to now include stored value items such as gift cards and pre-paid cards.”

A few other items that will no longer be supported by purchase protection—at least as of June 25, when the new rules are scheduled to kick in—are payments on crowdfunding platforms, “gambling, gaming and/or any other activity with an entry fee and a prize” and “anything purchased from or an amount paid to a government agency.”

Given the way the changes were phrased, it appears that PayPal has intended to exclude gift cards, but less-than-explicit-and-specific phrasing created a loophole for users to argue that gift cards were covered. The problem is that a $100 gift card can be sold but before the new owner has the chance to use the card, a thief could have drained some or all of its value. As a practical matter, there is little that PayPal can do prevent that. Hence, it’s an expensive and risky purchase to protect.

Protecting such a purchase forces distinctions that are problematic. For example, exactly when was the value drained? Was it drained five seconds before the purchase was completed—suggesting a seller liability—or five seconds after the sale was completed, which would be akin to an item being lost/stolen on the way home from the store, which is a classic card brand payment protection scenario.

What if a thief is in cohoots with the seller? For that matter, what if the thief is the seller? The thief could wait to drain the funds until an instant after the sale was made. All in all, it seems a wise exclusion for PayPal—and PFs everywhere—to use.

PayPal also made a couple of less significant changes. It deleted a rather strange requirement that users have to pay for “the full amount of the item with one payment.”

It also said, rather vaguely, that users “must respond to PayPal’s request for documentation and other information in a timely manner.” As opposed to what? Had they set a number of days to define “timely,” that would have made more sense. Timely in who’s opinion? The way it’s phrased, it appears to be at the sole discretion of PayPal. Good for PayPal. Less good for anyone else. Oh well. Judges need something to interpret.

A change to purchase protection gave that kind of specificity. PayPal is “now requiring all buyers to wait at least 7 days to escalate a dispute to a claim regardless of the transaction amount.” That is an interesting move. Waiting seven days to dispute something makes sense, as it gives the other party time to deliver. But if the dispute is in process, why wait seven days to escalate?