PayPal Community

Users views on this problem will be welcome.
I have been a silent and satisfied UK PayPal user for 10years until recently, when my authorization to pay £1 to an online information/help service led to an unauthorized deduction of £24. Although the monies were refunded the same day, I was uneasy that such unauthorized payment could bypass PayPal's claimed security features.
Investigated further, and discovered what I consider to be a serious flaw in PayPal's Automatic Payment system.
Many on this forum may already be aware of the contents of this post. See comments of unhappy PayPal users at:
https://www.paypal-community.com/t5/Transactions/How-to-disable-entirely-the-automatic-payment-featu...

but those who have blindly trusted PayPal's security measures need to be made aware, especially at this time of the year with increased online transactions that PAYING BY PAYPAL CAN LEAD TO SUBSEQUENT UNAUTHORISED WITHDRAWAL BY THE MERCHANT FOR ANY AMOUNT.
I use PayPal especially when paying a new merchant believing that it was safer than exposing my credit/debit card details.
This, I find is not so, because of the feature in PayPal called Automatic Payments or Recurring Payments. (The terminology is also problematic - It may be called “billing agreement”, "subscription”, “reference transaction”, “preauthorized transfer" or "preapproved payment" or "AutoPay"). For brevity, I will refer to it as AutoPay below:

Problems:
1. No input nor authorization required from the customer for a merchant to set himself up as an AutoPay recipient. Any merchant (business PayPal account holder) can set up a "subscription" link to a customer’s PayPal account after one transaction.
The terms of such subscription (i.e. amount/frequency of payment) are set by the merchant and PayPal simply trusts the merchant that those terms have been agreed with the customer, without seeking any verification from the customer. The subscription link places that merchant in the AutoPay list of the customer.
see https://superpayit.com/blog/a-comprehensive-guide-to-setting-up-recurring-payments-on-paypal-lny...

2. There is no notification from PayPal that a merchant has been added to the AutoPay list, in stark contrast to multiple emails that PayPal send out for every other change made to an account. This is perhaps the most serious breach of security and begs the question as to why such an important change to the account is not notified in the first place.

3 Once included in the AutoPay list, the merchant can set his own settings to withdraw money. There is no apparent control by PayPal as to how the merchant operates the AutoPay system. The merchant is entirely free to change the terms of the recurring payment, both frequency and amount. Although deduction by direct debit of monies not agreed is illegal, PayPal act as a payment medium only and do not appear to police such changes, choosing instead, to trust the merchant that the changes have been agreed between the merchant and customer outside PayPal’s knowledge and trusting that the merchant has complied with the Direct Debit Regulations.

Although this may appear to be a fraudster’s charter, it is no different to a direct debit on a bank where, for example, utility companies withdraw increased amounts without customer involvement. This is why there has to be security checks before any merchant should have access to PayPal’s AutoPay.

4. Confusion and lax attitude towards the problem.
PayPal's Moderators appear to be confused as to how a merchant can be added to the AutoPay list and prefer to believe that the merchant has been authorized by the customer either by click on a tick box or even by the terms in the small print on the merchant’s website to set himself up as an recurring payment recipient.
This is not the case. Merchants registered for subscriptions get automatically added to the Automatic Payments list even if a one  time subscription was purchased. When renewals time comes up, they can automatically deduct whatever increased amount they like, despite the fact that no follow up subscription was intended nor agreed.
If the merchant abuses the AutoPay system and draws out an non-agreed amount, the Moderators seem to think that the issue can be simply resolved by contacting the Resolution Centre. They appear to forget that primary prevention of fraud is more important than a retrospective cure.
Moreover, PayPal are no better than the banks if a merchant abuses the AutoPay/Variable Direct Debit and take more than has been agreed. In the first instance, both PayPal and banks treat such excessive deduction as a dispute rather than fraud and will not easily reimburse. The customer will be advised to contact the merchant to resolve the matter directly, failing which, some evidence that the deduction was in breach of an agreement will be required. This is often difficult in today's online "click to agree" world where the buyer has no hard copy. This again, highlights the need to screen who can be added to AutoPay in the first place.

5. Despite its dangers, PayPal do not offer the option to switch off AutoPay entirely as a feature. Nor can an AutoPay merchant be deleted immediately, only deactivated. Only after a concerning delay will the merchant be deleted. Unfortunately, there appears to be no way to automatically block a deleted merchant from being added at the next transaction. (Although one user has reported that he managed to block AutoPay by contacting Customer Support)

6. Multiple terminology (see above) used by PayPal obfuscates searches and makes navigating through PayPal’s Account website difficult.
The AutoPay merchants are not visible on the Accounts Home page requiring several clicks to get to Automatic Payments, despite the fact that this can be a major drain on the account. As consequence, many users are unaware of the number of merchants who have been included in AutoPay.

7. No corrective action so far by PayPal.
The problem with AutoPay has been highlighted to PayPal for at least 4 years. Reports of fraudulent deduction through AutoPay appear since 2020. It is also a global problem. I have come across posts from Netherlands, Egypt and the US regarding problems with AutoPay.
see US article dated posted October 2023, https://clark.com/personal-finance-credit/paypal-recurring-charges-setting/

Whilst AutoPay system is no doubt a boon for merchants and a convenience to many users, it is system open to abuse by unscrupulous merchants allowing them to deduct monies from an account without the account holders knowledge or authorization.
The only mitigating factor is that PayPal will send a notification of such payment without authorization taken by an AutoPay merchant.
Nonetheless, the ease with which a merchant can be added to the AutoPay list and subsequently withdraw any amount without authorization by the account holder makes PayPal far less secure than paying by bank credit/debit card.

What PayPal need to do:
1. As a matter of urgency, PayPal must notify account holders of addition of a new merchant to the Automatic Payments list.
Such notification must highlight the fact that the merchant can then deduct monies from the account without future authorisation for payment.
Explanation of how to deactivate should also be included in the notification. This should not be difficult for PayPal to set up.

2. Also urgently required is a system to ensure that no merchant added to Automatic Payment can withdraw any funds for at least 30days without going through standard payment authorization procedures. 

3. Add an extra tick box when authorizing payment whether to allow the merchant onto Automatic Payments. There must also be explanation in clear language that it means allowing unauthorized variable direct debit withdrawals, hopefully without having to click a separate "info" window for explanation. The default should be no.

4. Add verification link to the notification in 1 requiring the account holder to confirm acceptance before allowing the merchant to be added to the Automatic Payments list.

5. Notify the account holder if a merchant changes the terms of his Automatic Payments. Add verification link to confirm acceptance by the account holder. This will make PayPal's system more secure than a direct debit with a bank. 

6. Show Automatic Payments list of merchants on the Home Page.

7. Offer the option to disallow all Automatic Payments.

8. Offer the option to block individual merchants from ever being added to Automatic Payments.

9. Standardize terminology used to refer to Automatic Payments in all PayPal help articles.

What PayPal users can do in the meantime:

1. Avoid using PayPal for any new merchants/on-line sellers that you have not transacted with before.

2. Check the list of merchants in Automatic Payments regularly.
From Accounts Home screen, click on Settings (Gear Icon), click Payments Tab, Scroll down, click "Automatic Payments"
Slide the switch next to all merchants with whom you have no obligation or desire to pay to "inactive"

3. If you have paid an unscrupulous merchant in the past and still concerned, remove all funding sources. Cards and bank accounts from your Home Page. Contact Customer Services to cancel PayPal Credit facility if you have one.  The PayPal account can be operated with a cash balance that can be topped up by transfer into your account by a friend or family member.

4. Ultimate solution of course, is to close the PayPal account.

To all PayPal users, please respond to this post with your views specifying the problems that you have experienced with Automatic Payments, especially if there were disputed deductions. I would also welcome any input from PayPal’s Moderators.
To email me just add "PP at proton.me" to my username. I'm pretty impervious having lived in a legal jungle so don't hesitate to express your views.
I wish I could help those who are out of pocket as a result of Automatic Payments but I am afraid that is not possible. My intention is to address the matter for the future.