My question is very simple and no related to any kind of troubleshooting its just to get the information about the IPN
Lets say:
I have a system Paypal integrated activated IPN and working fine
someone tried to Price Jack a product and changed the price from 200$ to 2$
My IPN detected that and informed me about that issue (through mail as i set in my IPN).
My question is will paypal still process that payment and accept that 2$ and redirect user to my success page? or it will stop the processing the payment?
Ofcourse I have the proper handling of that and will not update the database
but question is will those 2 dollar will get processed in my paypal?
if yes is there any way to stop paypal from processing?
Note that there're multiple ways to protect your payment button code (price and other details) and also a very rare chance that an HTTPS payment request got "price-jacked" by a man-in-the-middle attack or malicious fraud activity, but still a valid question to be clarified.
In this case, the $2 will be processed just as a normal transaction to PayPal, and the asynchronous IPN will only be triggered by the event of payment completion. That's when your website backend will reconciliate and detect the "price-jack" by IPN callbacks, after the payment processing but not before.
Eventually, the transaction (of $2) that has taken place would be in sccope of fraud activity & dispute issue, and to be reported and handled by PayPal customer service
Related
My issue is that PayPal is performing security checks on their end, but marking the order as pending. This means that I am getting an OK status from the notification response on SagePay, but am unable to hold the order from being sent to the warehouse which the client has requested.
The documentation I have taken a look at is https://www.sagepay.co.uk/file/25046/download-document/SERVER_Integration_and_Protocol_Guidelines_270815.pdf and I have attempted to speak with SagePay directly.
Please, could someone let me know whether they have ever integrated the PayPal IPN with the SagePay server integration before?
Thank you
Sage Pay doesn't support Paypal IPN. Sage Pay's Payment integration is a one shot thing - once the transaction is done, it's done - it exists in either an authorised or declined state, and is immune to any further changes.
Your best bet might be to implement IPN outside of Sage Pay. You could hold all Paypal orders by default, and then wait for notifications from PayPal to indicate they are cleared to ship.
I have a SAAS web application that works through a subscription fee. If the subscription is valid everything works fine, otherwise the app goes in read-only mode until the customer renew the subscription. I've developed the payment flow with the PayPal API.
The problem is that PayPal Documentation says this:
"Although PayPal usually processes IPN messages immediately, IPN is not synchronized with actions on your website. Internet connectivity is not always 100% reliable and IPN messages can be lost or delayed. The IPN service automatically resends messages until the listener acknowledges them. The service resends messages for up to 4 days.
Because IPN is not a real-time service, your checkout flow should not wait for the IPN message before it is allowed to complete. If the checkout flow is dependent on receiving an IPN message, processing can be delayed by system load or other reasons. You should configure your checkout flow to handle a possible delay."
Unfortunately this is exactly my case: when customers renew the subscription I need to immediately activate the app so I placed all the logic right in the "notify callback" where I have to create the order, send a confirmation email, update some session variables... but I if there's a delay from PayPal IPN this is a problem!
In these days I did some test in Sandbox mode and in several cases I got an answer from IPN even 4 hours after the successful payment! This is unacceptable for my app!
Finally the question: what's the best solution for my case? It makes sense to move the application activation from "notify callback" to "success callback"? There may be problems?
Thanks
Don't use IPN for this; it's a poor fit & not designed to be inserted into synchronous user experience flows. It works fine as a way to initiate offline fulfillment, but can delay your customers if they are actively waiting for access.
You don't specify which PayPal product you are using, but each product should provide a way to immediately give you feedback that the payment has been completed. For example with Express Checkout or any API-based payment you can take action (activate/re-activate a subscription) when you receive the successful API response (the DoEC API in the case of Express Checkout).
With web-only/non-API products you can take action when the customer redirects to your return_url, using PDT to securely get information about the transaction if you need that (it can include an IPN-style key that you post back to PayPal to verify, exactly as you do with an IPN).
If you are concerned about the edge cases of someone closing their browser before it can redirect to you, or some other sort of dropped connection or programming error, you can also check & activate/fulfill upon receipt of an IPN to catch any fallout. So all customers that complete a normal payment flow are activated immediately; if they do something wonky (or your code breaks, or whatever) then the activation still happens, albeit potentially delayed by a few seconds or minutes.
I'm trying to use paypal ipn on my website. I am using sandbox to debug it...
I noticed sometimes I get values on payment_status like pending ...
My question is, do I get a response again from paypal ipn when this payment becomes complete?
Yes you do. That is the reason why you should implement logic in your code to cope for multiple messages relating to the same transaction.
From paypal site: https://cms.paypal.com/es/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_testing_SBOverview
"The PayPal Sandbox is a self-contained environment within which you can prototype and test PayPal features and APIs. The PayPal Sandbox is an almost identical copy of the live PayPal website"
Comparison table in the link above does mention some scenarios like Fraud detection are not enabled in sandbox.
Other than these, it should be safer to assume that features of live are same in sandbox ( like receiving IPN after status change from pending to complete etc).
I have downloaded sample code from paypal to allow me to use parallel payments via their sandbox accounts. When I run parallel.php, I get redirected to paypal's sandbox login page.
How am I supposed to know "server side" that the payment has been made successfully, so I can update my database records?
I believe you have to work with PayPals IPN system. This will basically send a confirmation to your server that tells you it has gone through.
https://www.paypal.com/ipn
Paypal lets you register a notification url which is part of the IPN (instant payment notification IIRC) system. So if someone pays by a delayed payment (such as a bank transfer) the transaction will update days later. You need to have an application (web page) on your server that can be called by Paypal with transaction details to update a payment.
You'll need to create an initial transaction record in your system when paypal redirects back to you so refer to their documentation for that. I'd also recommend looking at either OSCommerce or Zen cart for an idea of how they do it as they support the same kind of thing.
Can we assume that the payment is completed for a transaction when the customer is auto returned to our site?
Paypal advices us to use their IPN system for other types of payment, like an e-check, but also tells us to tell the customer something along the lines of "Thank you for your payment. Your transaction has been completed, and a receipt for your purchase has been emailed to you. You may log into your account at www.paypal.com/ca to view details of this transaction."
What are the downfalls of not using IPN, and just assuming the payment is completed when paypal auto-returns users to our site?
Thanks!
Relying solely on the return url is a pretty bad idea. It would be easy for a bad guy to skip payment and just visit your return url to complete the order.
There is a pretty comprehensive article about this here
No.
However, using the Auto Return option in your Paypal account in conjunction with Payment Data Transfer (Profile/My Selling Tools/Website preferences/Website Payment Preferences) will give you payment confirmation data in the URL you use for Auto Return, for example:
www.yourReturnURL.com?tx=9XV61416UY0043254&st=Completed&amt=9%2e00&cc=USD&cm= 9601&item_number=2
You need to verify this data (anyone could send a fake request) by sending the payment reference ("tx" parameter above) back to Paypal and waiting for a VERIFIED response.
This last step is identical as the one you take for the IPN (Instant Payment Notification) implementation.
With PDT you get the notification instantly. PDT has a a major weakness: it sends order confirmations once and only once. As a result, when PDT sends a confirmation, your site must be running; otherwise, it will never receive the message.
With IPN, in contrast, delivery of order confirmations is virtually guaranteed since IPN resends a confirmation until your site acknowledges receipt. For this reason, PayPal recommends that you implement IPN rather than PDT.
Note: If your site must be notified of payments immediately, you can implement both IPN and PDT.
More info here: https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNPDTAnAlternativetoIPN/