I'm trying to integrate with Braintree using the javascript SDK and the dropin plugin, but there is something I find hard to understand.
It seems that the user gives a free permission with his "payment_method_nonce" to charge his credit without him knowing how much he is being charged for. let me explain:
Looking at the flow overview:
1. Client request an authorization token from my server.
the server then creates a new token using his unique "Braintree SDK and credantials",
the sever send the token back to the client.
The User enters his credit card number and submits -> client sends a request to Braintree server.
Braintree server returns an "payment_method_nonce" to the client.
The Client send the "payment_method_nonce" to my server.
Using the "payment_method_nonce" my server create a transaction, set a price to charge and send a request to Braintree server. The user doesn't knows how much he was charged since the request was sent from the server.
When I worked with Paypal directly (without Braintree SDK) the user was redirected to the "paypal domain" to complete the transaction.
there he was presented with all the details about the transaction, price and all, but with "Braintree" this step is missing.
what am i missing here?
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact support.
The Drop-In is a pre-made UI for accepting cards and PayPal. It should not be used as the sole part of your checkout.
You are responsible for incorporating the Drop-In UI into an existing checkout workflow within your store, which should include confirmations of meaningful transaction information such as address, amount, etc. By contrast- PayPal, who has security concerns for their account holders, includes some checkout steps to their UI as a means of providing trust and security to their customers.
Related
Currently we are using Paypal's REST API to setup a paypal payment process on our client's website.
Our webcontrol sits inside an iframe on their website and it is from this control the the paypal process is started and processed. Currently that works ok.
The issue we have is that this requires each customer of ours to have a business account (which is required any way we go so that bit is ok) but they then need to go the developer portal on their account and setup a an App ClientID and Secret (which is the bit we are hoping to do without to make it as simple as possible for our customers).
I have noticed solutions like wix.com offer paypal integration to their customers and only require the email address of their customer's paypal account and they handle the rest of the setup from there automatically.
I am just looking for some guidance on which product in Paypal's range should I be looking at to implement the same sort of solution setup for our customers?
Your observation is correct: the REST API service does not (currently) support placing API Calls for other users.
Alternatives:
Classic API: You can call the API in the name of a customer (who first needs to grant your API user access to his account) by passing the "SUBJECT=E-Mail Address" Variable. Usually used in conjunction with Express Checkout - see: https://developer.paypal.com/webapps/developer/docs/classic/express-checkout/ht_ec-singleItemPayment-curl-etc/
If you want to go this route, you may want to look into the permission service API under https://developer.paypal.com/docs/classic/products/permissions/ - it allows you to programmatically request the required permissions from a seller.
Adaptive Payments:
Often used by market places, we're dealing with 3 parties within Adaptive Payments:
a. API Caller --> The API caller placing the API calls and receiving all infos
b. The sender --> The person sending money to one or more recipients
c. The receiver(s) --> One or more receivers of the payment. As Adaptive Payments is pretty much using PayPals "Send Money" functionality, no further permissions need to be requested from the receivers.
See: https://developer.paypal.com/webapps/developer/docs/classic/adaptive-payments/integration-guide/APIntro/
Website Payments Standard: Just add a different e-mail address to the "business" variable and you're done.
See: https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/cart_upload/
Is it possible to store the clients credit card information on our secure website database and automatically pass the values to paypal to process without even having to show paypal website?
I would like to do this so client does not have to enter paypal credit card information each time for payment, if they do not want to setup a paypal account.
So basically just use the paypal system in the back-end. After the information is passed to paypal, it processes it, and redirects user to another page.
Update: Paypal Introducing Direct Payment
Can I just pass credit card information from my secure web database to direct payment system, and have it be processed without manually entering data?
It is never recommended to store credit card details in your database for a number of reasons. You really don't need to, either.
Instead, you can use PayPal's DoReferenceTransaction API.
The DoReferenceTransaction API operation processes a payment from a
buyer's account, which is identified by a previous transaction.
Basically, you just pass in the transaction ID of a previous sale or authorization transaction along with a new amount to be charged. PayPal will charge the card using the details they have saved in their system, so you don't have to worry about the hassle of protecting sensitive data like that.
I am building website which requires customer to update paypal account.
Is there anyway to check the reality of customer's account?
When my customer fill out their paypal account in my site, I want them to be directed to paypal login page to login and paypal will return the result.
Does paypal api support this situation?
Pretty much any implementation of PayPal you choose would follow the flow you mentioned.
Payments Standard would allow you to create basic buttons or create an HTML form and POST directly to PayPal to process. It would send the user to PayPal for login and approval to complete the payment. The transaction details would include the payer status (verified or unverified) as well as the address status (confirmed or unconfirmed) and lots of other details about the order.
Express Checkout is basically the API version of Standard, but it's much more advanced and open to integrate in the way that works best for your site or application. In this case, some of buyer/transaction data is available during the process within your app through API requests and responses, and then you can also get to it via transaction details after the fact just like payments standard provides.
Another option would be to use Adaptive Payments, but if you're doing a general payment of any kind you probably don't need that. That's what you would use if/when you start wanting to split payments among multiple receivers within the same transaction, setup preapproval profiles, etc.
If you happen to be working with PHP my class library for PayPal will make the API calls very simple for you.
You could do what PayPal itself does when you register. Send them a few cents and have them tell you how many when they get it. The payment itself will fail if the account doesn't exist, and telling you how many cents proves that they own the account.
Is there a way to use the paypal API to send basic details of a payment without actually creating the payment itself? What I mean is, I'm working with a non profit organization that does not currently employ SSL. They want to use paypal to accept donations, but they want their own branded form on their page, they don't want to use the simple donate button. I had thought I might be able to send basic details, such as name and address along with the amount they wish to donate and a few other details using the paypal API, and then have the actual payment information processed on paypal's secure servers. All the examples I can find on how to use their API however are creating complete payments and sending them to Paypal, something I'm not able to do for obvious reasons. Short of employing SSL, something that we should probably do anyways, and capturing a complete payment, is there a way of sending just select information over the API and handling the rest on paypal's end?
If you want to control the form itself you don't have any choice but to go SSL. Any other route would require sending the user to PayPal, where you would no longer have that control.
Question:
How can I have a visitor to my site pay to a 3rd party PayPal account (one I do not have access to) and have PayPal return the visitor to my site, confirming that the payment was a success (while requiring no special setup or confidential information from the 3rd party account)?
Details:
My company provides a service to clients of other organizations, however, we collect payment directly from those organizations (and not from their clients). In our particular case, if the organization's client opts to use our service, they will pay the organization they are part of (and not us) - the entirety of their payment goes to the 3rd party organization (the value of the payment may vary, but it will always be billed as a single item). The only information we need from this transaction is: the ID of the client (a value from our database), and some type of verifiable confirmation (ideally, a dollar value paid).
The flow is as follows:
Our site
redirect to 3rd party PayPal
return to our site with confirmation
Authorize transaction and enable service
e.g. thank you page with Next button
payment needs to be authorized before going to next page
We would like to implement this in such a way that the 3rd party organization does not need to set up anything additional in their PayPal account, and does not need to share confidential information with us (ideally, they should only need to share their PayPal email address).
Currently, we are exploring using the following:
Buy Now button
Set the notify_url field on the form
Setup an IPN listener on our server that will process (and verify) the transaction
The problems are two fold:
We have been unable to confirm that this implementation would not require the 3rd party
organization to setup anything in their PayPal account (e.g. they
don't need to setup IPN, since we are using a per transaction URL
and they don't need to share their API key).
IPN is asynchronous - so we will not receive the notification as part of the transaction flow (which complicates things, but if no better option exists, we
can make it work). Is there any synchronous approach that would
notify us of a successful transaction without requiring additional
credentials (e.g. PDT requires an identity token so does not appear
to be an option for us).
If there are any better ways to approach this problem, suggestions would be appreciated.
You can use Parallel or Chained Payments to send money to multiple recipients, be able to control where the buyer is taken to after completing the payment, and you would get an API response back right away telling you if the payment completed or not. Using the Permission Services API calls you can set up your account as a third party to the receivers so they wouldn't have to make the changes themselves.
You mentioned that you're looking into using Buy Now buttons through Payments Standard. That would work for if you're looking for a quick and simple way of setting it up. Define the receiver as the business value and the money would be sent to them.
By default, IPN is set to "off" in an account which means an IPN post will still be sent out if you define it with the "notify_url" variable. You may need them to enable IPN within their account if they've previously disabled the service. If the receiver already has an IPN URL set in their account it would be overwritten by the "notify_url" value you provide.