Hmmm... I don't know what paypal's policy is, but when normally using CC's, it is the merchant's responsibility to confirm the identity of the buyer. I.E., the bank or CC is not responsible for any fraudulent charges. However, in the case of paypal, the "merchant" (you), does not have access to the tools to confirm the buyer's identity. I have never actually received money via paypal, but I don't even imagine they will disclose what method the buyer used to pay. For all you knew, the seller pulled the money directly from a bank account. This is very bad indeed...
Hmmm... now that I think about it, I recall that there was a limit on how much you could charge to your CC via paypal (something like $150 or $250) before you did add your bank's checking account. This really seems like BS on paypal's part to me if this is still the case. There is no way the buyer could have charged $400 to his CC without also registering a checking account. What paypal does is deposit a few cents into your checking account, you call your bank (or wait for your statement), and input those amounts at paypal's website to confirm that it is really your account. Even if the CC was stolen, paypal should have been able to get it from the valid checking account.
The only explanation I can come up with is that someone stole a paypal user's username and password, in which case, it should be either the owner's or Paypal's fault, and certainly not yours. Do you mind if I ask the email address you are registered with paypal under? I would like to write them a nastygram regarding this incident - it really doesn't make me feel too safe.
Rocko