It appears that a fraud vector is introduced when users link their PayPal accounts to Google Pay. This TechRadar article ties the potential hack to an unproven theory that Google Pay exposes the PayPal virtual card at the POS, and that criminals have found a way to intercept that card data and reuse it.
If this is the case, Google Pay would be sending static card data over NFC without the per-transaction EMV cryptogram that keeps captured data from being replayed; that would be bad. An article in GizChina indicates that, as a result of the fraud, Google is now preventing PayPal accounts from being provisioned in Google Pay:
“Some time ago, PayPal had a security breach in its system and it did not deal with it in time. Now, this breach was exploited via Google Pay. Google probably doesn’t like it at all and has now removed PayPal from its own payment service. As of now, we do not know if the removal is temporary or permanent.
In any case, the first users report that they can no longer set up PayPal with Google Pay. This implies that some users can no longer make payments in shops using a virtual credit card. According to users, PayPal seems to be usable for the Google Play Store, but only via the traditional way.”
The story is a tad murky, but it suggests that layering different payment systems on top of each other can expose unexpected vulnerabilities.
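To make the distinction drawn above concrete, here is a toy model of the difference between a wallet that emits the same card data on every tap and an EMV contactless card that binds each tap to a transaction counter and the terminal's nonce. This is an added illustration, not code from Google, PayPal, or either article: the PAN, expiry, and master key are constructed test values, and the cryptogram is an HMAC-SHA256 stand-in for EMV's ARQC (real cards use a 3DES/AES MAC under a session key derived from the ATC). Note that in real EMV contactless the PAN or token itself travels in the clear; what stops a skimmed tap from being reused is the dynamic cryptogram and the issuer's counter check, which is what the model shows.

```python
"""Why static NFC card data is replayable and an EMV-style cryptogram is not.

Added toy model (not code from Google Pay, PayPal or the articles). The
cryptogram is an HMAC-SHA256 stand-in for the EMV ARQC; keys and PAN below
are constructed test values.
"""
import hashlib
import hmac
import os

# Constructed sample data, not real credentials.
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_PAN = "4111111111111111"  # standard test PAN
SAMPLE_EXPIRY = "12/27"


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key derived from the issuer master key (real issuers do this in an HSM)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def cryptogram(card_key: bytes, amount: int, unpredictable_number: str, atc: int) -> str:
    """ARQC stand-in: a MAC over amount, terminal nonce and the card's transaction counter."""
    data = f"{amount}|{unpredictable_number}|{atc}".encode()
    return hmac.new(card_key, data, hashlib.sha256).hexdigest()[:16]


class StaticCard:
    """A wallet that sends the same PAN/expiry on every tap, nothing transaction-specific."""
    def __init__(self, pan, expiry):
        self.pan, self.expiry = pan, expiry

    def tap(self, amount, unpredictable_number):
        return {"pan": self.pan, "expiry": self.expiry}


class EmvCard:
    """EMV contactless model: every tap bumps the ATC and MACs the transaction fields."""
    def __init__(self, pan, card_key):
        self.pan, self.card_key, self.atc = pan, card_key, 0

    def tap(self, amount, unpredictable_number):
        self.atc += 1
        arqc = cryptogram(self.card_key, amount, unpredictable_number, self.atc)
        return {"pan": self.pan, "atc": self.atc, "arqc": arqc}


class Issuer:
    def __init__(self, master_key, known_cards):
        self.master_key = master_key
        self.known_cards = known_cards  # pan -> expiry
        self.last_atc = {}              # pan -> highest ATC accepted so far

    def authorize(self, msg, amount, unpredictable_number):
        pan = msg.get("pan")
        if pan not in self.known_cards:
            return False
        if "arqc" not in msg:
            # Static data: nothing ties this message to one tap, so a copy looks identical.
            return msg.get("expiry") == self.known_cards[pan]
        key = derive_card_key(self.master_key, pan)
        expected = cryptogram(key, amount, unpredictable_number, msg["atc"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False  # different amount or terminal nonce than the card signed, or forged
        if msg["atc"] <= self.last_atc.get(pan, 0):
            return False  # counter already consumed: a replayed tap
        self.last_atc[pan] = msg["atc"]
        return True


class Terminal:
    def __init__(self, issuer):
        self.issuer = issuer

    def purchase(self, card, amount, unpredictable_number=None):
        un = unpredictable_number or os.urandom(4).hex()  # terminal-chosen nonce
        msg = card.tap(amount, un)
        return self.issuer.authorize(msg, amount, un), msg, un


class Replayer:
    """Attacker device that answers every tap with data skimmed from a victim's tap."""
    def __init__(self, captured):
        self.captured = captured

    def tap(self, amount, unpredictable_number):
        return self.captured


def static_replay_authorized() -> bool:
    issuer = Issuer(ISSUER_MASTER_KEY, {SAMPLE_PAN: SAMPLE_EXPIRY})
    ok, skimmed, _ = Terminal(issuer).purchase(StaticCard(SAMPLE_PAN, SAMPLE_EXPIRY), 1999)
    assert ok
    fraud_ok, _, _ = Terminal(issuer).purchase(Replayer(skimmed), 49999)  # another shop, later
    return fraud_ok  # True: the issuer cannot tell the copy from the original


def emv_replay_authorized() -> bool:
    issuer = Issuer(ISSUER_MASTER_KEY, {SAMPLE_PAN: SAMPLE_EXPIRY})
    card = EmvCard(SAMPLE_PAN, derive_card_key(ISSUER_MASTER_KEY, SAMPLE_PAN))
    ok, skimmed, un = Terminal(issuer).purchase(card, 1999, unpredictable_number="a1b2c3d4")
    assert ok
    # Honest terminal picks its own nonce: the skimmed MAC does not verify.
    other, _, _ = Terminal(issuer).purchase(Replayer(skimmed), 1999, unpredictable_number="e5f60718")
    # Attacker-run terminal reuses the same amount and nonce: the ATC has already been spent.
    same, _, _ = Terminal(issuer).purchase(Replayer(skimmed), 1999, unpredictable_number=un)
    return other or same  # False on both paths


if __name__ == "__main__":
    print("static data replay authorized:", static_replay_authorized())
    print("EMV cryptogram replay authorized:", emv_replay_authorized())
```

The two failure paths in `emv_replay_authorized` are the checks a practitioner would want an issuer host to enforce: verify the cryptogram against the terminal's own unpredictable number, and reject any ATC at or below the last one accepted for that PAN. Either check alone is weaker; a replay at an attacker-controlled terminal can reuse the original nonce, and a forged counter without a valid MAC proves nothing.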
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group