There are no rules.
Once you share an address with someone, they can send arbitrary amounts of bitcoin to that address. They can also send further transactions to that address any time in the future. There is no way to reject a transaction just because you don't like the amount or for any other reason; if the transaction spends valid coins and is properly signed, it's valid and is irreversible once confirmed.
The various schemes for requesting a payment (bitcoin: URI, QR code, BIP 70) do include a requested amount, but it is nothing more than a request. Most client software handles it by pre-filling the amount field in their "send coins" dialog, but typically the user can just change the amount if they want to. They could also just extract the address from the payment request and send whatever they want to it.
It is up to you to decide what to do if you receive a different amount than you expected. As far as the Bitcoin protocol is concerned, the money is just yours to keep or to spend as you please.
In a typical commerce platform, you would have had the user log in to make a purchase, and you would generate a unique address for them. So if the user sends a different amount than you requested, you would know to contact that user and ask them to send more money or to provide refund instructions. But that is outside the scope of Bitcoin itself.
You can try to create a new transaction that sends the coins back to the address(es) that sent them, but this has some pitfalls. In some cases the sender may not have access to that address anymore. You will also have to pay a transaction fee for this new transaction (or manually deduct it from the amount). The BIP 70 payment protocol contains a "refund address" feature that makes this a bit more reliable; but this is optional. The sender can still send coins to your address without providing a refund address, if they choose.
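Since the protocol will not enforce the requested amount, the merchant side has to compare what each per-order address actually received with what was asked for. The following is an added sketch of that reconciliation, not code from the original answer; the order IDs, the placeholder address strings and the function names `parse_bip21` and `reconcile` are assumptions made for illustration.

```python
from decimal import Decimal
from urllib.parse import urlsplit, parse_qs

SATS_PER_BTC = Decimal(100_000_000)

# Constructed sample data: placeholder strings, not real Bitcoin addresses.
SAMPLE_INVOICES = {
    "order-1": "bitcoin:ADDR_A?amount=0.0015",
    "order-2": "bitcoin:ADDR_B?amount=0.5",
    "order-3": "bitcoin:ADDR_C?amount=0.01",
    "order-4": "bitcoin:ADDR_D?amount=0.002",
}
# (address, satoshis) of confirmed outputs; ADDR_C is paid twice.
SAMPLE_PAYMENTS = [("ADDR_A", 150_000), ("ADDR_B", 20_000_000),
                   ("ADDR_C", 1_000_000), ("ADDR_C", 250_000), ("ADDR_X", 999)]

def parse_bip21(uri):
    """Return (address, requested satoshis or None) from a bitcoin: URI."""
    parts = urlsplit(uri)
    if parts.scheme != "bitcoin" or not parts.path:
        raise ValueError("not a bitcoin: URI")
    amount = parse_qs(parts.query).get("amount")
    # Decimal avoids float rounding when converting BTC to satoshis.
    sats = int(Decimal(amount[0]) * SATS_PER_BTC) if amount else None
    return parts.path, sats

def reconcile(invoices, payments):
    """Compare what each order's address received with what was requested."""
    wanted = {}
    for order, uri in invoices.items():
        addr, sats = parse_bip21(uri)
        wanted[addr] = (order, sats)
    received, unmatched = {}, []
    for addr, sats in payments:
        if addr in wanted:
            received[addr] = received.get(addr, 0) + sats  # sum repeat payments
        else:
            unmatched.append((addr, sats))  # no order is tied to this address
    report = {}
    for addr, (order, want) in wanted.items():
        got = received.get(addr, 0)
        if got == 0:
            status = "unpaid"
        elif want is None or got == want:
            status = "paid"
        else:
            status = "underpaid" if got < want else "overpaid"
        report[order] = (status, got - (want or 0))
    return report, unmatched
```

The second value in each report entry is the difference in satoshis (negative when short), which is the figure to quote when asking the customer for more money or for refund instructions.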