Open PayPal payment with a specific address unchangeable - php

I get a lot of fraudulent payments with PayPal from hacked accounts, and it ends in a chargeback and I waste a lot of money and time.
I'm imagining a system where I could ask my customers for an email address, and send them an email with a button to verify that they have access to their mailbox, and if so, allow them to place an order on my site with PayPal.
The concern is that I don't know how I can create a PayPal payment button with a predefined email address, so the client can very well validate a false email address, then pay with a hacked account.
Any ideas?

You cannot force them to log in and approve the payment with a certain PayPal account / email address. However, using a server-side integration, you can check their information before capturing the payment. Here is a skeleton demo of a server-side integration.
With that design, after the buyer approves the payment, the fetch( XHR to your server will be triggered, and normally this is when you would simply do a v2/orders capture request from your server to PayPal.
But per your question's requirement, before doing that you can first get info about the approver, and validate that their email corresponds to one you want to receive the payment from. I haven't tested this scenario specifically but my understanding is a "Show order details" call at this stage would return a "status": "APPROVED", with information about the approver in the rest of the JSON body.
If the email doesn't match one you want to receive the payment from, then you would discard the order (not do any capture), and show a message to the customer that they must buy from the email you verified earlier in your checkout flow.
As a side note, if someone has full access to a PayPal account, they can always add a new email to that account within www.paypal.com, and check out from your site using that new email they have full control over. So I'm not sure this actually helps you in terms of security, but it does give your customers (both legitimate ones and fraudsters) an extra validation hoop to jump through to complete the checkout.
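The check described in the answer above, as an added example that is not part of the original post and is not PayPal's code: it decides whether to capture or discard an approved order by comparing the payer's email with the address verified earlier. The function names and sample responses are constructed, and reading the address from `payer.email_address` at the APPROVED stage is an assumption, as the answer itself notes it was not tested.

```php
<?php
declare(strict_types=1);

function normalize_email(string $email): string
{
    return strtolower(trim($email));
}

// $order: decoded JSON of a "Show order details" response.
// $verifiedEmail: the address confirmed earlier, read from server-side state
// (session or database), never from the browser's request body.
function may_capture(array $order, string $verifiedEmail): array
{
    if (($order['status'] ?? null) !== 'APPROVED') {
        return [false, 'order is not APPROVED'];
    }
    // Assumption: the approver's address is at payer.email_address at this stage.
    $payerEmail = $order['payer']['email_address'] ?? null;
    if (!is_string($payerEmail) || $payerEmail === '') {
        return [false, 'order details carry no payer email'];
    }
    if (normalize_email($payerEmail) !== normalize_email($verifiedEmail)) {
        return [false, 'payer email differs from the verified address'];
    }
    return [true, 'ok to capture'];
}

// Constructed sample responses, not real PayPal output.
$samples = [
    '{"id":"ORDER-CONSTRUCTED-1","status":"APPROVED","payer":{"email_address":"Buyer@Example.com"}}',
    '{"id":"ORDER-CONSTRUCTED-2","status":"APPROVED","payer":{"email_address":"someone-else@example.net"}}',
    '{"id":"ORDER-CONSTRUCTED-3","status":"CREATED"}',
];
foreach ($samples as $json) {
    $order = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    [$ok, $reason] = may_capture($order, 'buyer@example.com');
    // Capture only when $ok is true; otherwise drop the order and tell the buyer why.
    printf("%s: %s (%s)\n", $order['id'], $ok ? 'capture' : 'discard', $reason);
}
```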

Related

Retrieving PayPal email address after payment?

When you are setting up a PayPal Buy Now Button, you can take customers to the URL when they finish checkout.
Is there a way to retrieve their PayPal email immediately after PayPal checkout using $_GET?
Does PayPal append some kind of ?email=email#address.com at the end of your thankyou page?
Or is there any variable I could add at the end of my thankyou page when typing a success URL inside the PayPal?
Basically I want to store their PayPal email address that they used on deposit, so that when they would cash out, the same PayPal email address will be used.
Just wanted to let you know why I'm interested in storing their real PayPal email address in the first place.
Any help from someone who has knowledge in this would be appreciated.
With a legacy HTML Buy Now button that redirects away from your page, there is never any guarantee the payer will return to your site after a successful transaction. With such an old integration, the only reliable way to get the email address of the payer and record this information in your database is to implement the old IPN service.
Instead, you should do a server-side integration of the current Standard Checkout.
Follow the Set up standard payments guide and make 2 routes on your server, one for 'Create Order' and one for 'Capture Order', documented here. Both routes should return only JSON data (no HTML or text). Inside the 2nd route, when the capture API is successful you should store its resulting payment details in your database (particularly purchase_units[0].payments.captures[0].id, which is the PayPal transaction ID -- as well as the payer object's email address, in your case) and perform any necessary business logic (such as sending confirmation emails or reserving product) immediately before forwarding your return JSON to the frontend caller.
Pair those 2 routes with the frontend approval flow: https://developer.paypal.com/demo/checkout/#/pattern/server

PayPal API Pay Email Address Directly?

One of the features on my site allows users to pay via PayPal for items from other users. I'm using the standard REST API since I had already made the code for another project a while ago, which works fine.
https://developer.paypal.com/docs/api/#create-a-payment
Currently, the page sends a 'v1/payments/payment' request which I execute to receive the money in to my PayPal account which created the access token. Is there a way I can directly get the user to pay another PayPal email address?
If not, I guess the only way is to do another request to pay the owner of the content from my PayPal once I receive the money - although it means PayPal get to charge a fee twice.
Thanks.

Payment info using paypal

I have integrated PayPal using PHP. I know there is a return URL, which means that when payment is received it will return to the URL for our website. My question is: if payment is received and, due to an internet problem, it does not return to our web page, how do I know that payment is received from a particular user?
If there is a network issue and PayPal cannot issue the IPN message, then according to their documentation, they will retry 15 times up to 4 days.
The IPN message service does not assume that your listener will receive all IPN messages. Because the Internet is not 100% reliable, IPNs can get lost or be delayed. To address these issues, the IPN message service includes a retry mechanism that re-sends a message at various intervals until your listener acknowledges receipt. An IPN message may be present up to four days after the original was sent. The maximum number of retries is 15.
https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNIntro/
This item below might help. Instant Payment Notification should work, but in the case of a network failure, if the payment reached PayPal but the purchaser did not get back to your site to complete a purchase, then you should still receive an email from PayPal telling you that you have received a payment.
using paypal button - can my webpage tell if paypal transaction was successful or not?
You get a confirmation email with their name and email address - be aware that occasionally this may not be the user's current, most active email address. You can also log in to your PayPal dashboard to see all details as well, of course.
You can look up your payment details from the email and compare them to your own user records in your database. If the email they use for PayPal is not the same as the one they registered on your site with, you can still look up their name from the email - in practice it seems to happen extremely rarely that payments have such a problem in my personal experience.
I set up a script which emails my users with a passcode to get to the online product they bought which is emailed to them so they can submit that later along with their email address. This is the first thing that happens on return to my script so at least if the site fails to respond properly they can get to what they bought later.
The script uses PHPMailer and cc's me with their passcode so I have it available to re-send to them if they write with a complaint. It doesn't help if the PayPal return for Instant Payment Notification fails completely but the other answers cover that very fully and detail the PayPal repeat attempt process well.
Instant Payment Notification scripts can be downloaded from PayPal for modification by yourself as per the article linked to above.
To be perfectly honest, this is one of PayPal Standard's largest holes. IPN is a POST callback (as is PDT) and they check to make sure they get a 200 response or else they retry (and you can use the IPN history in your PayPal account to resend missing IPNs). But this method still relies on you getting the callback in a timely manner and it's not foolproof. Worse, you need to verify the IPN call and that introduces yet another point of failure in calling PayPal to make sure they did indeed send you the IPN you got.
There's a couple of ways to deal with this:
Audit your account regularly. This is a good idea in general, but for a small website this shouldn't be terribly hard. Match your invoices up to your PayPal payments. Obviously this doesn't scale well so...
Switch to Payments Pro. There's more hurdles to this (like more PCI compliance, SSL certificate, etc) but the major advantage is that the API is far less susceptible to the whims of the Internet and only involves one call for credit cards (you can ignore the IPN because the API tells you everything you need to know). The worst that can happen is you send a payment API call and fail to get a response. This is exceptionally rare as PayPal makes sure their API is 99.9% reliable (IPN relies on your server being reliable). Speaking from experience, Payments Pro has far fewer issues than IPN does.
In your application, you should have a status field for orders. If you haven't received the ipn, you wouldn't change the status to Paid.
After that, if you receive an email from Paypal that someone has paid, check the order number, and change the status manually.
how do I know that payment is received from a particular user?
PayPal will send an email to both the user and you.
PayPal offers 2 solutions for your problem.
PayPal IPN - it notifies the server with a POST request to a specific URL when a transaction has been successful, declined, aborted by the user and so on. PayPal provides an IPN Simulator (the worst simulator ever) in order to test its functionality. You may give it a try at: https://developer.paypal.com/developer/ipnSimulator/
PayPal WebHooks - The webhooks are the "New Kid in the Block"; they are basically "user-defined HTTP callbacks that receive events for the subscribed event types. Webhooks are asynchronous, the order is not guaranteed, and idempotency may lead to the same event being sent more than once." as stated in the PayPal documentation.
You can read more about it at: https://developer.paypal.com/docs/integration/direct/rest-webhooks-overview/
For any further help, comment below and I shall try to help.
Cheers,
You have to use notify_url for this purpose:
<input type="hidden" name="notify_url" value="https://domain-name.com/ipn.php">

How to verify IPN is pointing to my server from a Paypal User?

I'm currently developing an application which has to be able to process PayPal payments from multiple e-mails and then has to be redirected to my IPN class located on my server.
All the users of my application, have the possibility to set-up their own PayPal e-mail address into my system, and then the customers will pay directly to his PayPal Account (that means no intermediates).
But there's a problem, I must ensure that my sellers are actually connected to my IPN. Why? Because if they are not, when a customer makes a payment, the transaction will be actually completed, but they won't be able to download their purchased item, because my application could not receive the params.
So, the question is: how can I ensure this:
1. User has a valid PayPal account (based on e-mail)
2. How do I know (and verify it each time) that this e-mail will send params directly to my server's IPN? (So important)
3. How do I verify each time that some customer makes a purchase?
Thank you so much guys!
1. I would integrate Express Checkout and have them authorize you $1 (or whatever your minimum for currency is). This way you are guaranteed that the customer has a PayPal account with some balance. You can void the transaction via API and they get their money back.
2. There's no way to guarantee they send you IPN for their payments. The best bet would be to have them authorize you to run third party calls on their behalf and take the money for them via your system.
3. See #2

Paypal IPN, But From Who (if the registration and paypal mail different)

I am having trouble with PayPal IPN about one thing.
As I understood, PayPal redirects the user to a page of ours after the successful order, then calls our IPN page after the transaction, with POST variables including the result.
PayPal sends the mail of the order owner in the POST variables, but what if the mail on the site and the PayPal one are different?
If PayPal is calling the IPN page, sessions won't work. If I don't check the mail, I won't be able to catch simultaneous IPN orders (I think).
I saw something about txn_id and receipt_id, but if I'm not sending the variables, how can they help me to catch the user?
I am a bit mixed up.
Thanks for any reply.
Regards.
There is a custom parameter; it can be used to send additional parameters.
You link the IPN request and the transaction by the txn_id (transaction_id). This is an id you generate, the only requirement is that it's unique.
So:
User starts a payment transaction on your site. You generate a transaction_id which is linked to the user with address info and some 'shopping cart', price info, items etc. This is all the info you need, to know who ordered what and where to send it - all identified by the transaction_id
You pass your merchant info and transaction_id on to PayPal.
User completes payment.
IPN calls your server with user info, payment status and a transaction_id. The email address you get from PayPal may be a different email address than you have registered for the user; maybe the user has a separate email for PayPal? It doesn't matter. Use the email address the user gave you, not the one you got from PayPal. And don't use the email address for identification; use the transaction id, it's the only value you can rely on.
I'm not sure about the receipt_id. If you want to email a receipt, mail it after you've got a successful payment from IPN. You should have all the info to generate the receipt.
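An added example (not code from any of the posts above or from PayPal) of an IPN listener's decision logic: verify the message, match it to your own order through the `custom` parameter rather than the payer's email, tolerate PayPal's retries, and only then set the order's status field to Paid. The order store, the `$verify` callable and the sample message are constructed for illustration, and the verification postback to PayPal is stubbed so the block runs offline.

```php
<?php
declare(strict_types=1);

// $verify stands in for the postback to PayPal (the raw body re-sent with
// cmd=_notify-validate); it must return true only when PayPal answers VERIFIED.
function handle_ipn(array $ipn, array &$orders, array &$seenTxn, callable $verify, string $merchantEmail): string
{
    if (!$verify($ipn)) {
        return 'rejected: not verified';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'ignored: payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        return 'rejected: paid to a different account';
    }
    $orderId = $ipn['custom'] ?? '';   // our own id, sent to PayPal at checkout
    if (!is_string($orderId) || !isset($orders[$orderId])) {
        return 'rejected: unknown order';
    }
    $paidCents = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100);
    if (($ipn['mc_currency'] ?? '') !== $orders[$orderId]['currency']
        || $paidCents !== $orders[$orderId]['amount_cents']) {
        return 'rejected: amount or currency mismatch';
    }
    $txn = (string) ($ipn['txn_id'] ?? '');
    if ($txn === '' || isset($seenTxn[$txn])) {
        return 'ignored: duplicate or missing txn_id';   // PayPal retries IPNs
    }
    $seenTxn[$txn] = $orderId;
    $orders[$orderId]['status'] = 'Paid';   // identified by order id, not by payer_email
    return 'paid: ' . $orderId;
}

// Constructed sample data, not real PayPal traffic.
$orders = ['ord-1001' => ['user_id' => 42, 'currency' => 'USD', 'amount_cents' => 1999, 'status' => 'Pending']];
$seenTxn = [];
$ipn = [
    'payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
    'payer_email' => 'other-address@example.net', 'custom' => 'ord-1001',
    'mc_gross' => '19.99', 'mc_currency' => 'USD', 'txn_id' => 'TXN-CONSTRUCTED-1',
];
$stubVerify = fn(array $message): bool => true;   // replace with the real postback

echo handle_ipn($ipn, $orders, $seenTxn, $stubVerify, 'shop@example.com'), "\n";
echo handle_ipn($ipn, $orders, $seenTxn, $stubVerify, 'shop@example.com'), "\n";   // retry of the same message
echo handle_ipn(['custom' => 'ord-1001', 'mc_gross' => '0.01'] + $ipn, $orders, $seenTxn, $stubVerify, 'shop@example.com'), "\n";
```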
