I have a number of clients with old Classic ASP based systems who pass customers through to Paypal to make payment.
Paypal sends an IPN to the site, and the site then makes the necessary response to Paypal to confirm receipt.
My clients have received messages from Paypal recently saying that Paypal is requiring users to use SSL this year.
In our case, that's fine, we've been using SSL all along.
However, Paypal also say that in 2017 they will impose a:
"TLS 1.2 HTTP/1.1 requirement"
I'm not entirely clear, but it looks like this covers the IPN responses my clients' sites make to Paypal. If so, we have a problem.
I can use either the built in MSXML or WinHTTP objects on the Windows server to POST responses to Paypal. However, it looks like only Windows Server 2012 and later will allow posts from these objects using TLS1.2.
All my clients are hosted on Windows Server 2008-r2 shared hosting.
So before I have to start persuading the web hosts to upgrade or search for new hosts, can anyone confirm that the IPNs are definitely covered by this requirement and will have to be posted using TLS1.2?
And if that is the case, does anyone have a solution which can be implemented on 2008-r2?
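The IPN confirmation described in the question, as an added example that is not part of the original post: the listener posts the received message back with `cmd=_notify-validate` over a connection that refuses anything below TLS 1.2, and reports which version was negotiated. It is written in Python rather than Classic ASP; the host `ipnpb.paypal.com`, the function names and the sample body are assumptions of this example.

```python
import http.client
import ssl

# Assumption: PayPal's live IPN postback host and path; use the sandbox host when testing.
IPN_HOST = "ipnpb.paypal.com"
IPN_PATH = "/cgi-bin/webscr"

# Constructed sample IPN body (not a real transaction), kept as raw bytes.
SAMPLE_IPN = b"mc_gross=19.95&payment_status=Completed&txn_id=CONSTRUCTED0001"


def tls12_context():
    """Client context that verifies the certificate and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_postback(raw_body):
    """Prefix the validate command to the IPN exactly as received.

    Do not parse and re-encode the body: changed field order or encoding
    makes the verification fail.
    """
    return b"cmd=_notify-validate&" + raw_body


def is_verified(reply):
    """Only the literal body VERIFIED counts; INVALID, empty or error pages do not."""
    return reply.strip() == b"VERIFIED"


def verify_ipn(raw_body, timeout=30.0):
    """POST the IPN back; return (verified, tls_version), tls_version None on handshake failure."""
    conn = http.client.HTTPSConnection(IPN_HOST, context=tls12_context(), timeout=timeout)
    try:
        conn.connect()  # raises ssl.SSLError if TLS 1.2+ cannot be negotiated
        negotiated = conn.sock.version()  # e.g. "TLSv1.2"
        conn.request("POST", IPN_PATH, body=build_postback(raw_body), headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "ipn-listener-example",
        })
        return is_verified(conn.getresponse().read()), negotiated
    except ssl.SSLError:
        return False, None
    finally:
        conn.close()
```

A `None` version from `verify_ipn` means the handshake itself failed, which separates a TLS problem on the hosting side from an `INVALID` reply.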
Related
I'm trying to integrate with Braintree using the javascript SDK and the dropin plugin, but there is something I find hard to understand.
It seems that the user gives a free permission with his "payment_method_nonce" to charge his credit without him knowing how much he is being charged for. Let me explain:
Looking at the flow overview:
1. Client requests an authorization token from my server.
   The server then creates a new token using his unique "Braintree SDK and credentials",
   the server sends the token back to the client.
2. The User enters his credit card number and submits -> client sends a request to Braintree server.
3. Braintree server returns a "payment_method_nonce" to the client.
4. The Client sends the "payment_method_nonce" to my server.
5. Using the "payment_method_nonce" my server creates a transaction, sets a price to charge and sends a request to Braintree server. The user doesn't know how much he was charged since the request was sent from the server.
When I worked with Paypal directly (without Braintree SDK) the user was redirected to the "paypal domain" to complete the transaction.
There he was presented with all the details about the transaction, price and all, but with "Braintree" this step is missing.
What am I missing here?
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact support.
The Drop-In is a pre-made UI for accepting cards and PayPal. It should not be used as the sole part of your checkout.
You are responsible for incorporating the Drop-In UI into an existing checkout workflow within your store, which should include confirmations of meaningful transaction information such as address, amount, etc. By contrast, PayPal, who has security concerns for their account holders, includes some checkout steps to their UI as a means of providing trust and security to their customers.
Since this week the forwarding to our site after payment does not work anymore in production mode, while it still works within the sandbox.
Actually we use PDT for the direct forwarding and IPN as backup. For some reason the payment is not finished fully. There seems no PDT or IPN connection to be established from PayPal since beginning of this week.
A payment from March 9th was successful, but all payments since March 11th are marked as successful on the PayPal page, but our site "does not know it", so customers don't get their accounts updated.
When trying to track the bug, I switched to the sandbox, but everything works fine there.
Has PayPal changed something recently? (The design during payment process is new, but I don't know since when...)
Thanks!
The biggest downfall with PDT is the message is only sent once, whereas IPN is repeatedly sent until the server responds with the correct message. You can run both, but from my experience it is very uncommon (and I build eCommerce systems for a living). Recently a lot of my company's clients who run PayPal as their payment method have come to us with a similar problem (even more so with RBS WorldPay). And the solution has been to try the following:
1. Confirm that the IPN listener URL is still working and pointing to the right site (some people try to use one PayPal account for multiple sites, and change it to the 2nd site not thinking it will stop IPN for the 1st site).
2. Make sure the latest version of the PayPal gateway is installed (if on OpenCart / WooCommerce / Magento / etc...). The latest version requires SHA-256.
3. Ensure the server has SHA-256 enabled, as above PayPal is now asking users to make sure they have it for the hashing to work.
4. Ensure that an SSL certificate is installed. It is not yet a certain requirement, but in this day and age if you don't have one, you are not likely to get many orders. Also for some strange reason it has fixed IPN for some clients.
Hope this helps!
One of my customers had a website hosted on FusionHQ with subscription profiles through PayPal. When migrating the payments, I guessed I could just change the IPN and would get the new messages. But it seems that Fusion has manually set notify_url parameters for their subscription profiles and there seems to be no way to change the notify_url.
Though slightly annoying, I guessed I could still use the classic payments API to get information and do something stupid like checking the subscribers' status on the assumed expiration date. But, it turned out that PayPal doesn't allow it because of the specific API FusionHQ has used, with the following error message:
Subscription Profiles not supported by Recurring Payment APIs.
The thing is that there is no way I can get access to the old IPN server since it is on FusionHQ's domain. After searching through StackOverflow, I've really lost all hope of doing this in a decent way, and I'm about to redirect my customer's PayPal emails to some SMTP bot to parse them and give me the transactions update. But this is obviously a very crappy and unreliable way. So, does anyone have any idea of what to do?
Am shared hosted on Godaddy and have SSL installed and configured.
My cart is OSCommerce 2.3.4.
I have enabled Paypal Express checkout and CCavenue payment gateways.
The problem is: after adding products to the cart and checking out, am able to seamlessly go to the payment gateway provider website for making the payment.
After making payment and coming back to merchant website, am getting a new session ID compared to the old one. Obviously, the txn is incomplete. The same thing happens when canceling without making a payment and coming back to the merchant site.
The above problem persists for both the payment gateways.
I tried many tips and tricks suggested by folks on this website and others and nothing seems to work.
Needs assistance pls.
I'm using NopCommerce 3.0 system with PayPal Express plugin (http://noppaypalexpress.codeplex.com/). It used to work without HTTPS, but now it doesn't. I know that in Magento there is an option called "Transfer Shipping Options", after disabling it PayPal doesn't require SSL. Can anyone explain to me what this option actually does? What does it set in the PayPal API? I could not find anything in the PayPal documentation or in the plugin source code. Unfortunately installing SSL certificate is not an option.
Transfer shipping options uses a CALLBACKURL, which must be HTTPS. I don't have specific knowledge of NopCommerce, but most likely they haven't even implemented this functionality.
Express Checkout w/o a CALLBACK should work fine from an HTTP site, with a RETURNURL/CANCELURL that also happens to be HTTP. It is up to the cart module to pass the correct URL to PayPal so the buyer may return to the site and complete the checkout.