PayPal definitely has to be PCI compliant. Anyone who wants to store credit card numbers has to be.

Section 6 of the PCI DSS deals with known vulnerabilities, I doubt they following it if that's true.

PayPal Europe is actually licensed as a Bank in Luxembourg.

Being licensed as a Bank in Luxembourg sounds a lot like getting a degree from the University of Phoenix.

It's a real bank. Luxembourg has cheap corporate tax rates, so all Paypal's Europe stuff goes through Luxembourg and thus they get cheaper taxes.

Just because it is called a bank does not mean you'd would want to rely on it. If Paypal suddenly decided to pull up it's stakes and take all it's customers money, I would not imagine that Luxembourgois banking law would help a lot of customers.

Do you have any sources confirming that the Luxembourgish banking laws would allow Paypal (and all the other countless international banks stationed there) to get away with this?

Because Phoenix is known for its important education sector just as Luxembourg is known for its important financial sector?

I am very confused by your statement.

> They could shut down tomorrow and take all the money and it would be perfectly legal.

There may be less protection than if they were banks, but it would hardly be legal. They might be able to steal the money and escape with them in a way a bank can't, but again, not legal.

Not in Australia, because they are classed as a deposit taking institution and are thus governed by APRA.