Stewart of Freedom Mobiles has had some problems with PayPal hacked accounts and the problems they present over the last few months, which he wants to share with the wider community. Dealing in consumer electronics they’re wise to pretty much everything going on and Stewart explained to me that this not not intended to be a rant against PayPal, just a word from the wise!
Using PayPal for your webstore has very different rules than on eBay. Here’s what you need to know from a seller who has seen it all. There are two reasons your direct PayPal payments differ from eBay.
1) That layer of protection a buyer ID offers
You can see the feedback history and know that the potentially fraudulent buyer has jumped through that extra hoop.
2) That mercurial payment status “partially eligible”
Its essentially a shout out to those sellers who tire of PayPal security measures and therefore allows the payment through but does NOT insure it. In reality you should expect about 20% such payments, higher for high value item, versus eBay which is always insured.
The Problem
The problem is that there is no information regarding the credit card used, or crucially whether the billing address matches the delivery address. To our cost, we have learned that “partially eligible” can translate to “junk payment.” A full investigation into a particularly nasty fraudulent transaction reveals that a hacked PayPal account can have its delivery address changed, previous buying location and volumes radically changed, and used to successfully purchase high value items on a PayPal shopping cart. Industry leading fraud protection you say? For higher value items this means you really need to refund the transaction where it is not covered, and this means about 1 in 4 purchases (some days as many as half your orders).
There ARE criminal gangs out there, particularly in the London area who have banks of hacked PayPal accounts primed for use. After all they only need a password rather than full credit card info and 3D secure password. And these gangs know too well that PayPal shopping carts are a vulnerable part of your business. Sometimes the fraudulent payments are actually processed as “fully eligible” which means you will inadvertently donate PayPal money to these criminal gangs by accepting the payment. Also a bad idea.
PayPal, just like eBay, needs to be part of your business. But if you have high value items, you also need a credit card processing account so you have full access to the details of the payment. We recently sold a £3k top end camera via PayPal which was only partially eligible. This kind of payment can easily sink a company if it reverses, yet PayPal say its “ready for dispatch.” So a refund is the only sensible course of action. I’m sure we’ll be defending out refund rate next month to PayPal but its the rock or the hard place.
Why allow a payment through, take the full processing fee and then dodge the insurance on it? That seems a little cheeky to me.
How do you protect PayPal payments on your webstore?
So what advice do you have for other sellers when offering PayPal on your webstore? What additional checks do you do when trading “off eBay” compared to “on eBay”? Were you aware that whilst seller protection (so long as you ship tracked) is actually pretty good on eBay but no where nearly as comprehensive as soon as you’re accepting payments on your own website?
4 Responses
It worries me deeply that PayPal only requires an email address and a simple password for access – I hope they also have some sort of cookie enabled too, but I’m not sure they do.
I never keep any substantial amounts in the account in case it gets hacked… would really like more secure access please.
never mind that paypal have a serious flaw, If a someone uses a credit card through your website,paypal only give you a delivery address which is not the address where the card is registered.So yes you guessed it every crook who found out about this have been stealing millions through this flaw, paypal have thousands of charge backs weekly.
Paypal do offer a security key system for extra security in the same way that online banks do. You simply have to sign up for it and obtain a security key card at a cost of £20 or register your mobile phone and use that as a security key card for free.
Now signed-up for the 6 digit security code via the mobile, feel a bit more relaxed about the security – can’t understand why PayPal doesn’t make this obilgatory, would save a lot of fraud.