Hack 6 Create a Separate Login for Each Employee


Use PayPal's Multi-User Access feature to provide a separate login for each employee in your organization.

Even though you might trust your employees to take care of your kids for the weekend, you might have second thoughts about giving them full access to your organization's PayPal account. To that end, the Multi-User Access system enables you to add up to 200 different users to a single account, each with configurable account privileges. Each user is assigned a separate login ID and password.

1.7.1 Adding a New User

PayPal first has you establish an Administrative email address. PayPal will send all email notifications related to your account Profile to this email address. This is a security precaution so that PayPal can alert you at a different email address if someone tries to change the primary email address on your account.

PayPal steers you in this direction the first time you try to create a new user. Even before that, you should make sure you have at least two email addresses registered and confirmed in your account [Hack #8].

Once you have your two email addresses, you are ready:

  1. Log in to PayPal, and go to Profile → Multi-User Access.

  2. Select an address from the list; note that you won't be able to select your Primary address.

  3. To create your first login, click Add and type in the user's name when prompted. It's best to use the person's actual name, but you could also consider using a job function or other nickname (e.g., Customer Service 1).

  4. Choose a User ID (must be 10-16 characters).

    The length requirement and the restriction against special characters make choosing a user ID less than optimal. Further compounding the problem, these user IDs need to be unique for all of PayPal, not just for your account (e.g., customerservice and jennifersmith were taken a long time ago). A good approach is to think up a short prefix to add to the front of each user ID, perhaps something related to your business name, for example, abcJohnSmith and abcMaryJones. User IDs are not case sensitive, so you'll be able to log in with either abcJohnSmith or abcjohnsmith.

  5. Choose a password (must be eight characters or longer).

  6. Check off the boxes that correspond to the privileges you want to grant this user. A good rule of thumb is to initially grant the fewest privileges possible when setting up a new user. You can always add more privileges later. But you can't undo mishaps!

  7. Click Save when you're done.

You should now see something like Figure 1-3.

Figure 1-3. Adding new users to your account

You can add up to 200 users to your account, each with different login privileges.

1.7.2 Setting Privileges

You have a lot of flexibility in setting up different privileges for different users, as shown in Figure 1-4. To allow read-only access, leave all boxes unchecked.

Figure 1-4. Selecting any combination of privileges for each user

Obviously, the users and privileges you assign depend on how many employees you have and how you run your business. A typical medium-sized business might use the following setup:

Customer Service Rep
    Leave all boxes unchecked for read-only access.

Refund Rep
    Check the Refunds option.

Financial Reconciliation
    Turn on the View Balance and Settlement File options.

Head of Finance
    Check View Balance and Withdraw Funds.

If your employees or partners used to log in with your password, it's a good idea to change it once you get everyone set up.

1.7.3 Adding an Administrative Account

An additional benefit of Multi-User Access is that you can create a username-based login for yourself. Traditionally, a user logs into PayPal with an email address and a password. I don't know about you, but my email address is pretty lengthy, and having to type the ampersand (@) and dot (.) characters gets annoying.

Just add a new user to your account, and check all the boxes to give yourself full access.

You'll probably want to leave API Activation unchecked; that setting is needed only for using the PayPal API [Hack #88].

1.7.4 Responding if Something Goes Wrong

If you spot unexpected account activity, it's best to do some research before starting to point fingers. Review all the users and their privileges. If none appear to have the privilege to perform the activity you discovered, someone else might have used your login.
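The review described above is easier to repeat if you write down each user and the boxes checked for them. The following is an added example, not part of the original hack or any PayPal tool: the record layout, function names and sample users are constructed, and the role baselines are the ones from the typical setup in 1.7.2.

```python
# Role baselines taken from the "typical medium-sized business" setup in 1.7.2.
ROLE_BASELINE = {
    "Customer Service Rep": set(),
    "Refund Rep": {"Refunds"},
    "Financial Reconciliation": {"View Balance", "Settlement File"},
    "Head of Finance": {"View Balance", "Withdraw Funds"},
}

# Constructed records, as if transcribed by hand from the Multi-User Access page.
USERS = [
    {"user_id": "abcJohnSmith", "role": "Customer Service Rep", "privileges": set()},
    {"user_id": "abcMaryJones", "role": "Refund Rep",
     "privileges": {"Refunds", "Withdraw Funds"}},
    {"user_id": "abcReconTeam", "role": "Financial Reconciliation",
     "privileges": {"View Balance", "Settlement File"}},
    {"user_id": "abcFinanceHead", "role": "Head of Finance",
     "privileges": {"View Balance", "Withdraw Funds"}},
]

def excess_privileges(users, baseline=ROLE_BASELINE):
    """Map each user ID to the privileges it holds beyond its role's baseline.
    A role missing from the baseline has an empty baseline, so everything is flagged."""
    findings = {}
    for user in users:
        extra = user["privileges"] - baseline.get(user["role"], set())
        if extra:
            findings[user["user_id"]] = extra
    return findings

def candidates_for(users, privilege):
    """User IDs holding `privilege`, lowercased because IDs are not case sensitive."""
    return sorted(u["user_id"].lower() for u in users if privilege in u["privileges"])

def triage(users, privilege):
    """If no sub-user holds the privilege behind the unexpected activity,
    the activity points at the primary login instead."""
    holders = candidates_for(users, privilege)
    return {"suspect_primary_login": not holders, "review": holders}

if __name__ == "__main__":
    print("Beyond role baseline:", excess_privileges(USERS))
    print("Unexpected withdrawal:", triage(USERS, "Withdraw Funds"))
    print("Unexpected API use:", triage(USERS, "API Activation"))
```
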

Protect Your Account Against Phishing

Phishing, the act of sending out bogus emails and creating fake web sites to trick users into giving up their passwords, has become a major problem on the internet. Phishers have become so adept at their profession that they have even managed to secure passwords from the most savvy of web users.

Creating PayPal logins for your employees with limited privileges can minimize the consequences if one of your employees yields to a phisher. If you suspect that you or one of your employees has unknowingly given their password to a phisher, you should first attempt to change your administrative password. Then, contact PayPal Customer Service to let them know what might have happened. They usually can shut down any nefarious activity before it happens, provided that you contact them promptly.

Unfortunately, the PayPal site doesn't indicate the name of the person who performed any given activity on your account. If you really get into a bind, you can contact PayPal's Customer Service and they will be able to pull up a list of user activity. PayPal usually also has the IP address of the computer that was used, so you might be able to match it to one of your company's PCs or determine that the activity was performed from outside your company.

-- Patrick Breitenbach