Using the PayPal REST API, have the credit card form configured and processing correctly. Noticed that in sandbox mode the card validation is very loose, you can pretty much enter whatever you want for the payer details, as long as the card number is essentially valid.
I assume that once I change to live mode, using live credentials, the validation will be more strict.
I run a test, using a valid card number, but intentionally use a bogus name, address, expiration date, and cvv (the cvv I provide is only 3 digits, it should be 4 for AMEX).
The payment is processed successfully!
I scratch my head and make sure the site is really using the live credentials. It is. I check with my non sandbox PayPal account, it has actually received the payment.
What gives?
The amount was for $1. My assumption is that PayPal passed all the details along to AMEX (in this case) and AMEX saw that it was only $1, and didn't verify any other details? Fine, but wow, to me that's crazy! Talk about fraud waiting to happen.
Any insight would be appreciated.
Depending on how your account is vetted when you first open it up, PayPal may or not may give you full access to fraud filters. It sounds like you do have full access, which means it's going to accept payments even if AVS or CVV2 responses come back as a failure.
If you want to stop this, login to your PayPal account and go into your profile. Look for Fraud Management Filters, Risk Controls, or something along those lines. It's different depending on what version of PayPal account you have.
Once you're in those settings you should see lots of options for security filters you can set including AVS and CVV2 (card code).
Now, that would apply for the name, address, and cvv2, but it shouldn't apply for the expiration date. Are you sure the test you ran included an invalid expiration date? My guess is the card number and expiration were good, but you just used a bogus address and card code..??
Related
I'm using Paypal Pro API to process my purchase. It works well with card number, expire date and security code but I need to validate the address and the owner name of the card as well.
Is there any parameters or functions in the API to do this? I didn't found anything in the docs. Or maybe it is an additional option in the Paypal developer control panel?
Assuming that we're talking about the Payflow Gateway API (for PayPal Payments Pro and other things), it appears you can do address verification--see the section entitled Using Address Verification Service. Notice the note there that says it doesn't check street names, in case that's a deal-breaker for you.
As for name validation, I can't find anything about that other than that it's typically passed in the sale transaction itself (section: Typical Sale Transaction Parameter String). Whether it's then validated by the banks as part of their end of the transaction, I couldn't say.
Hope that gets you a bit further. I haven't worked with any of this stuff myself.
I want to verify that whether user has entered valid Paypal id or not. If not than user can't do registration. I've also visited this [1]: How can I verify a PayPal ID? question but it doesn't help me :(
You can't find a direct answer because "valid PayPal ID" doesn't have a single fixed meaning. You will need to be more specific as to what you are trying to discover. Then there may or may not be a way to accomplish what you want, since PayPal protects some aspects of their customers' account and identity information for their protection (and for business reasons).
A bit of background that may help you clarify your question, if not necessarily answer it:
Any email (or phone number) can be configured to receive PayPal payments, in many cases even if the email was not attached to a PayPal account at the time the payment was sent. However, not all PayPal products can function in this way (e.g. you cannot make API calls as an account that has not been set up and has not generated API credentials). Are you asking about receiving money, and if so with which product(s)?
Most people can pay through PayPal if sent to a PayPal page, whether they are accountholders or not (depending upon the PayPal product being used). In addition to guest payments and/or direct credit card payments through PayPal, people can set up PayPal accounts when they arrive and immediately pay with them. So collecting email first and refusing to go forward if there is no PayPal account attached to that email would loose you potential customers. It would also "let through" many customers who could not pay, such as people who know an email address but don't own the attached PayPal account. PayPal also intentionally declines to easily answer questions about whether an email has an associated PayPal account in order to make it harder for bad actors to accumulate lists of PayPal accounts (often with associated personal information) for spear phishing campaigns. There are some APIs that allow you to get limited information about a PayPal account but there are limits associated with these APIs; see e.g. GetVerifiedStatus documentation at:
https://developer.paypal.com/docs/classic/api/adaptive-accounts/GetVerifiedStatus_API_Operation/
Note also that Verified has a particular technical meaning in PayPal, and is NOT AT ALL THE SAME as "able to pay you."
If you want to know if someone can log into their PayPal account, and then use that PayPal account to get information about the user (as well as potentially pay you), that's easy: use Login with PayPal. That's what it's for. Naturally this requires the user to login and assent to your use of their information.
If you want to know if someone can take a particular action (e.g. make a payment), at this moment, the only way to be certain is to actionally request that action. You have options short of actually requesting money; if you want to ensure the user has funds and reserve them for you to collect shortly you can request an authorization rather than a sale. If you want to make sure the user can log in, has payment mechanisms and generally looks ready to pay you (but WITHOUT reserving and guaranteeing funds) you can request an Order.
Hopefully one of these things is what you are asking for?
If you have a PayPal AccountID (a PayPal-generated ID rather than an externally-generated identifier like email or phone number) you can pass it to certain APIs (such as the GetVerifiedStatus), so many of the same options above apply.
I'm getting this intermittent message on checkout in BigCommerce.
Your financial institution has indicated that it could not successfully authenticate this transaction. To protect against unauthorized use, this card cannot be used to complete your purchase. You may complete the purchase by selecting another form of payment or use a different card.
My API is correct with Paypal Payments Pro, Check out works and then doesn't work. Tried a few cards, sometimes the card worked, and sometimes it didn't. Here is the error message.
Your financial institution has indicated that it could not successfully authenticate this transaction. To protect against unauthorized use, this card cannot be used to complete your purchase. You may complete the purchase by selecting another form of payment or use a different card.
I have the same account setup on another BigCommerce site and never had a problem.
If you have another BigCommerce site and are using the PayPal account, make sure that your starting invoice numbers are far enough apart, otherwise you will be sending duplicate invoice numbers to PayPal and end they'll return an error. I was getting the same error, and I just set had to set one of my store's starting invoice number (under store settings/misc) to a really high number. This fixed the problem. Thanks BigCommerce tech support guy!
(You should be able to see what error you are getting by going through your store logs)
Problem: I've implemented "partial authorizations" (pg 72) but whenever I try to run a transaction that could use it, the result is a decline.
Setup: I'm handling transactions with the API with PayPal Payment Pro Payflow Edition (aka, PayFlow Pro Gateway & PayPal Merchant Account).
Cards use in Transaction: Visa Gift Card & American Express Gift Card. This feature was made for gift cards and other prepaid products. Gift Cards are specifically cited in PayPal's documentation example.
Transaction Logs:
Here is the log for a declined partial authorization. The original amount requested is $25.00, even though this visa gift card only had $2.00 on it. I should have received a response with an approved amount for $2.00. Instead I got a decline.
-> PARTIALAUTH:Y TENDER:C ACCT:**** VERBOSITY:HIGH TRXTYPE:A EXPDATE:0618 AMT:25.00
<- RESULT:12 CARDTYPE:0 PROCAVS:G IAVS:N PROCCVV2:I EXPDATE:0618 RESPMSG:Declined: 15005-This transaction cannot be processed. LASTNAME:NotProvided ACCT:**** AMT:25.00 PNREF:************ AVSZIP:X AVSADDR:X HOSTCODE:15005 TRANSTIME:2012-12-14 12:43:04 CVV2MATCH:X
For comparison, when I run the same card for an amount that is less than what's on the card, it goes through no problem:
-> TENDER:C VERBOSITY:HIGH ACCT:**** AMT:.11 TRXTYPE:A EXPDATE:0618 PARTIALAUTH:Y
<- AMT:0.11 AVSZIP:X PPREF:***************** ACCT:**** AUTHCODE:111111 TRANSTIME:2012-12-14 12:41:46 LASTNAME:NotProvided IAVS:N PROCAVS:G RESPMSG:Approved PNREF:************ RESULT:0 EXPDATE:0618 PROCCVV2:I CARDTYPE:0 AVSADDR:X CVV2MATCH:X CORRELATIONID:*************
-> TENDER:C ORIGID:************ TRXTYPE:D
<- RESULT:0 PENDINGREASON:completed PNREF:************ FEEAMT:0.11 PAYMENTTYPE:instant RESPMSG:Approved PPREF:************ CORRELATIONID:*************
I believe the API calls should be and in fact are the same in both cases. The point of Partial Authorizations is that you don't know when you need it, so if you want it, it should be enabled for all transactions -- meaning you always append the two extra parameters of VERBOSITY=HIGH and and PARTIALAUTH=Y.
Any ideas why this isn't working. The feature is very important to my application and is one of the main reasons I'm using PayPal.
I hope I'm missing something simple, like a setting in manager.paypal.com.
From what I can see you're doing everything correctly. When something like this happens the only thing you can do is contact PayPal directly.
You can do so via www.paypal.com/mts or if you login to your PayPal account and go into the contact by phone section you should see a separate phone number for tech support directly.
I would recommend submitting a ticket to MTS and then also calling, but when you call, refer them to your ticket. They're going to want you to post one anyway, but if that's all you do it probably won't get answered for awhile, unfortunately. I've had good luck catching them on the phone, though, and can get things done much more quickly that way.
The only thing I can think of that might be an issue here is that you're using the PayFlow gateway with PayPal as your merchant. While the PayFlow gateway supports this, PayPal may not. It may only work if you're using a 3rd party merchant account on the PayFlow gateway.
That's something they will need to confirm or deny as I haven't specifically tested this myself, but again, I don't see that you're doing anything incorrectly.
I'm using paypal website standard and passing my order id that is generated on my site via item_number field. I was wondering, how does paypal know that the content in the form has not been altered by user? For example, someone could just change the amount of $10 to $5 and paypal would not not have any way of knowing. I've doe this before with other payment processor, and they make me send them md5 hash of amount and some other data + secret key, but I am not sure if paypal has this?
Based on this article, I believe it depends on whether or not you are using "Payment Data Transfer". If you're just using a button, then you'll need to manually verify the payment amount before shipping. If you're using PDT, you should be able to verify the payment_gross amount sent back in the response from PayPal.
Your right -- in general you can't keep someone from altering your data. If you must use PayPal (yeah, I know, no monthly fee) so far as I know you have three options:
Let PayPal host your button data. But this gives you little control over the process.
Manually verify each transaction, checking price etc before shipping item.
Using their API to receive completed transaction to automatically check data.
Another thing to watch out for is calculation of sales tax. PayPal's approach was too simplistic for our needs, which forced me to take control of the checkout process.
See this link.
you should try to implement it using ipn, pdt is prone to not passing the variables from paypal to your website if the user does not press the "go to store" button. as what others had answered hosting your button would make it secure at the cost of flexibility. Here is a link on the variables that could be altered on hosted buttons https://www.x.com/people/PP_MTS_Haack/blog/2009/11/11/override-variables-for-hosted-and-encrypted-buttons , as you would look into the variables, you cant really change the important ones.