PayPal PayFlow Pro - Recurring Billing - Credit Card Verification - CVV - paypal

With regards to the PayPal PayFlow Pro service, is it possible to pass through a CVV number when creating a recurring profile?
Currently on our site we only ask for a credit card number and expiry date when creating a recurring profile however we would now like to request the CVV number to improve card holder verification and I guess ultimately reduce the likelihood of potential fraud.
According to the documentation:
https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_payflowpro_recurringbilling_guide.pdf
CVV isn't listed as a parameter for the "ADD" action as part of the recurring billing service however if you do pass it as a parameter, the response back contains information related to CVV validation as follows:
CVV2MATCH => N,
PROCCVV2 => N
What's interesting is that testing this in the PayPal Sandbox with an invalid CVV number, the response I get back is as follows:
Request:
TRXTYPE => R,
TENDER => C,
ACTION => A,
ACCT => 4111-XXXX-XXXX-1111,
CVV2 => XXX,
EXPDATE => 0518,
START => 04162014,
MAXFAILPAYMENTS => 1,
RETRYNUMDAYS => 2,
TERM => 0,
PAYPERIOD => YEAR,
AMT => 50.00,
PROFILENAME[9] => test_1234,
OPTIONALTRX => A,
COMMENT1[14] => Recurring Plan,
Response:
RESULT => 0,
RPREF => R1056C75AF08,
PROFILEID => RT0000014434,
RESPMSG => Approved,
TRXRESULT => 0,
TRXPNREF => A70A6ABE7817,
TRXRESPMSG => Verified,
AUTHCODE => 407PNI,
CVV2MATCH => N,
HOSTCODE => A,
PROCCVV2 => N,
VISACARDLEVEL => 12
As you can see although the CVV validation failed "CVV2MATCH => N" (which means there was no match), the transaction went through successfully "RESULT => 0, TRXRESULT => 0" and the recurring profile was subsequently created.
One would expect that a non-matching CVV would result in the transaction failing not succeeding.
Is there something that I've incorrectly assumed or am doing wrong? Is there a setting somewhere in PayPal Manager that needs to be enabled/disabled to deny transactions if CVV validation fails, or is this simply some bug in the PayPal Sandbox?
Any help would be much appreciated.
Regards.

Security code services are supported on the Payflow platform, though not required in all cases. You should be able to create a "Fraud Filter" within your manager account that will act on the CVV2 response as you see fit. To access these filters, log in to manager.paypal.com and click on "Service Settings." From there, click the sub-heading "Fraud Protection." Here you will be able to construct custom filters based on the results returned for each transaction.
Hope this helps!
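An application-side check that complements the fraud filter described above, as an added example that is not part of the original posts: it parses a Payflow name-value response, including the length-tag form seen in the question's request (PROFILENAME[9]), and refuses to treat RESULT=0 as success when CVV2MATCH is not Y. The function names and decision symbols are hypothetical, and it assumes the raw response body is available as a string.

```ruby
# Added example: function names and decision symbols are hypothetical.
# SAMPLE is rebuilt from the response fields shown in the question.
SAMPLE = "RESULT=0&RPREF=R1056C75AF08&PROFILEID=RT0000014434&RESPMSG=Approved" \
         "&TRXRESULT=0&TRXPNREF=A70A6ABE7817&TRXRESPMSG=Verified&AUTHCODE=407PNI" \
         "&CVV2MATCH=N&HOSTCODE=A&PROCCVV2=N&VISACARDLEVEL=12"

# Parse "NAME=value&NAME[len]=value" pairs. A length tag means the value is
# exactly `len` characters long and may itself contain '&' or '='.
def parse_payflow(body)
  fields = {}
  pos = 0
  while pos < body.length
    eq = body.index("=", pos) or raise ArgumentError, "missing '=' after offset #{pos}"
    name = body[pos...eq]
    if (m = name.match(/\A(.+)\[(\d+)\]\z/))
      name = m[1]
      len = m[2].to_i
      value = body[eq + 1, len]
      raise ArgumentError, "value too short for #{name}" if value.nil? || value.length < len
      pos = eq + 1 + len
      unless pos == body.length || body[pos] == "&"
        raise ArgumentError, "length tag mismatch for #{name}"
      end
      pos += 1
    else
      amp = body.index("&", eq + 1) || body.length
      value = body[eq + 1...amp]
      pos = amp + 1
    end
    fields[name] = value
  end
  fields
end

# RESULT/TRXRESULT of 0 only say the request was approved; the CVV outcome
# is reported separately and has to be checked explicitly.
def cvv_decision(fields)
  approved = fields["RESULT"] == "0" && fields.fetch("TRXRESULT", "0") == "0"
  return :declined unless approved

  case fields["CVV2MATCH"]
  when "Y" then :accept
  when "N" then :reject_cvv_mismatch
  else :review # any other value, or no CVV result at all
  end
end
```

With the response from the question, `cvv_decision(parse_payflow(SAMPLE))` returns `:reject_cvv_mismatch`, so the application can refuse to activate the subscription even though the gateway reported approval.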


PayPal PDT not returning Custom Message url parameter "cm" properly

I have multiple websites that use PayPal Buy Now buttons and have PDT enabled.
All of the existing customer websites are working, in that after the user makes a purchase, they are redirected back to their site by PayPal with a return URL that includes the 'cm' parameter as specified here.
I have a new client with a brand new Merchant Account who has their PDT configured correctly (I have checked it multiple times to be sure). However, upon return from PayPal payment, we are missing the 'cm' parameter that is necessary to do validation/updates on our website.
I have never seen this before where some of the variables are getting sent back, but not all as defined in the PayPal documentation above.
Here is an example of a working return URL - (some values edited for privacy purposes only)
.../paypal/pdt?redirect=https://journals.myclient.com/view/journals/cssm/4/1/article-p14.xml?PFTxId=4435&offerProvider=DEFAULT&amt=9.95&cc=USD&cm=mJ5v4sm1PUcD0E9vbii0pm6e1ql5GRs/lv+aQuNuves=%7CaccountId=XXXXX%7COffer ID=7|mc_gross=9.95&item_name=ITEM NAME Dilemma&item_number=/journals/cssm/4/1/article-p14.xml&st=Completed&tx=XXXXXXXXXXXX
Here is the example of the newly created Merchant Account where this is not working
.../paypal/pdt?redirect=https://www.nonworkingclient.org/view/journals/tpmd/s1-1/6/article-p331.xml?PFTxId=40&offerProvider=DEFAULT&PayerID=RPUJELM94HEYU&st=Completed&tx=XXXXXXXXXX&cc=USD&amt=0.01
Here you can see in the comparison, PayPal is returning the 'tx' and 'cc' variables in both examples, but 'cm' is missing from the bottom example.
Has anyone else experienced this lately?
Does anyone know of anything more than the PDT setup that needs to be checked to see why this is failing in the Merchant Account?
Thank you for any assistance.
I have an account that has been set up and working for 3+ years. PDT always returned a "cm" parameter which I pass in as "custom". In the last couple weeks it is hit or miss whether I get "cm" back (can't say exactly when it stopped working as the site has not been used since Spring 2020). About 10% of the time it works but the other 90% no "cm". The response is a bit different in the success and failure cases. Here is an example of a successful return with "cm" (the output is the GET array parameters and values)
(
[feepaid] => Y
[amt] => 75.00
[cc] => USD
[cm] => 586
[item_name] => IW***** Fee
[item_number] => g**5
[st] => Completed
[tx] => 9J5******81R
)
and an example of a failure case (no "cm")
(
[feepaid] => Y
[PayerID] => 9J*******YG
[st] => Completed
[tx] => 3D2*****2457
[cc] => USD
[amt] => 75.00
)
The failure has "PayerID" which does not appear as a valid variable in PDT or IPN spec. Success case has no PayerID but has item_name and item_number (which are fixed in the button definition on PayPal merchant account).
Same here! PayPal no longer returns the cm parameter for some users.

Guest checkout not available with Paypal Express checkout

I am trying to set up Paypal Express checkout on my website and I am having trouble getting Paypal to accept payments without the buyer creating an account. When clicking the option to pay by debit or credit card it will not submit payment unless the user creates an account.
First of all is this feature available in Japan? I have contacted technical support at Paypal but have yet to receive confirmation.
I am testing with a sandbox account, it is a business pro account, I have set the Paypal Account Optional to be On. All account verification steps have been completed APART from the identity verification (the link doesn't work for some reason). Account is set in Japan and the buyer address is Japan also.
I have tried clearing the cookies in my browser before testing and also tried on multiple browsers.
I have attached screenshots of the landing page reached and the pay by credit card page that requires account details. I have also attached the request details below as I believe my request is set up correctly.
Is there any help anyone can give me? Am I missing anything? Is there anything else I should check?
[url] => https://api-3t.sandbox.paypal.com/nvp
[SetExpressCheckout] => Array
(
[PAYMENTACTION] => Sale
[AMT] => 3413.00
[CURRENCYCODE] => JPY
[RETURNURL] => https://apivitadev-643304293.ap-northeast-1.elb.amazonaws.com/paypal/express/return/
[CANCELURL] => https://hidden/paypal/express/cancel/
[INVNUM] => 200000358
[SOLUTIONTYPE] => Sole
[GIROPAYCANCELURL] => https://hidden/paypal/express/cancel/
[GIROPAYSUCCESSURL] => https://hidden/checkout/onepage/success/
[BANKTXNPENDINGURL] => https://hidden/checkout/onepage/success/
[LOCALECODE] => en_US
[ITEMAMT] => 2660.00
[TAXAMT] => 253.00
[SHIPPINGAMT] => 500.00
[L_NUMBER0] => 10-22-00-108
[L_NAME0] => Cleansing Creamy Face & Eye Foam Cleanser
[L_QTY0] => 1
[L_AMT0] => 2800.00
[L_NUMBER1] =>
[L_NAME1] => Discount
[L_QTY1] => 1
[L_AMT1] => -140.00
[BUSINESS] =>
[NOTETEXT] =>
[FIRSTNAME] => dave
[LASTNAME] => grant
[MIDDLENAME] =>
[SALUTATION] =>
[SUFFIX] =>
[COUNTRYCODE] => JP
[STATE] => æ±äº¬éƒ½
[CITY] => 目黒区
[STREET] => 目黒
[ZIP] => 153-0063
[PHONENUM] => asSAFSAF
[SHIPTOCOUNTRYCODE] => JP
[SHIPTOSTATE] => æ±äº¬éƒ½
[SHIPTOCITY] => 目黒区
[SHIPTOSTREET] => 目黒
[SHIPTOZIP] => 153-0063
[SHIPTOPHONENUM] => asSAFSAF
[SHIPTOSTREET2] => sadSDAFS
[STREET2] => sadSDAFS
[SHIPTONAME] => dave grant
[ADDROVERRIDE] => 1
[LANDINGPAGE] => Billing
[USERSELECTEDFUNDINGSOURCE] => CreditCard
[METHOD] => SetExpressCheckout
[VERSION] => 95.0
[USER] => ****
[PWD] => ****
[SIGNATURE] => ****
[BUTTONSOURCE] => Magento_Cart_Community
)
[response] => Array
(
[TOKEN] => EC-57K60966AN691131P
[TIMESTAMP] => 2017-04-11T08:29:52Z
[CORRELATIONID] => af500bdeda4a3
[ACK] => Success
[VERSION] => 95.0
[BUILD] => 32305669
)
[__pid] => 5800
[Screenshot: User forced to create account]
[Screenshot: Landing page]
As I understand it, you have an issue with PayPal Guest Checkout. Please let me know if this is not correct.
I have checked on the issue and found that the buyer is trying to pay with a credit card. The reason the buyer receives that error is that it is a guest checkout. Guest Checkout is not 100% guaranteed to be offered with your current account. Guest Checkout allows the buyer to pay with a credit card, but it is not 100% successful, because a few factors will cause the transaction to be rejected, such as:
1. If the buyer uses a credit card that is already attached to a PayPal account.
2. If the buyer uses an email that is already attached to a PayPal account.
3. If the buyer has already made multiple attempts with the same credit card and received a decline, or incorrect information was entered. Then the credit card will be blocked or put under risk from our end.
These are the reasons for the error that your buyer is seeing. To resolve this, they would need to have/create a PayPal account or use a different credit card to make the purchase. Some other merchants might have a Pro account, which is only available for the US, Canada, New Zealand and Australia. You may refer to the link here.
https://developer.paypal.com/docs/classic/products/payflow-gateway/?mark=payflow%20country
They have to use a direct credit card integration. There is a restriction on the buyer and merchant side. For some countries, you need to create a PayPal account in order to proceed with the payment. I hope this explains the issue.
Thank you.

PayPal NVP API - BMUpdateButton

I have a hosted subscribe button with PayPal, which I want to have an unlimited number of billing cycles. This is easy enough to set up through the PayPal web interface, by setting 'After how many cycles should billing stop?' to 'Never'. However, when I then update that button through the PayPal NVP API BMUpdateButton, the number of billing cycles shows to the user as '$25.00 AUD for one month' instead of '$25.00 AUD for each month'. The button still shows 'Never' as the value in the web interface, but when it is used, the button is set to complete after 1 month.
I have tried variations of L_OPTIONnTOTALBILLINGCYCLESx API parameter, but with no success. Any help or thoughts would be appreciated. For all I know, this is a subtle bug in PayPal itself. If anyone has reason to believe that if I switch from NVP to SOAP it will work, then that would also count as a solution.
Here is a sample of the parameters that I send through. I don't get any API errors, and the button updates correctly except for the total billing cycles.
'METHOD' => BMUpdateButton
'VERSION' => 117
'USER' => ...
'PWD' => ...
'SIGNATURE' => ...
'L_OPTION0SELECT0' => First Tier
'L_OPTION0PRICE0' => 25.00
'L_OPTION0BILLINGPERIOD0' => Month
'L_OPTION0BILLINGFREQUENCY0' => 1
'L_OPTION0TOTALBILLINGCYCLES0' => 0
'L_OPTION0SELECT1' => Second Tier
'L_OPTION0PRICE1' => 30.00
'L_OPTION0BILLINGPERIOD1' => Month
'L_OPTION0BILLINGFREQUENCY1' => 1
'L_OPTION0TOTALBILLINGCYCLES1' => 0
'HOSTEDBUTTONID' => ...
'BUTTONTYPE' => SUBSCRIBE
'OPTION0NAME' => Payment Scheme
'L_BUTTONVAR0' => currency_code=AUD
'L_BUTTONVAR1' => no_shipping=1
'L_BUTTONVAR2' => cancel_return=...
'L_BUTTONVAR3' => return=...
Thanks very much for any thoughts.
The two parameters below in your API call are related to installment buttons, and if you pass them with a subscription-type button they will be ignored.
L_OPTION0BILLINGFREQUENCY0
L_OPTION0TOTALBILLINGCYCLES0
If you are looking to update the subscription billing cycles, you need to pass these two parameters:
L_BUTTONVARn="src=1"
L_BUTTONVARn="srt=12"
In the above, src=1 means the profile is set to be recurring and srt=12 will set the billing cycle to 12.
If you don't pass any of these parameters in the API call, then by default "src" will be set to "0", meaning no recurrence, which is similar to your case.

PayPal Payflow: How to verify in one request, and then authorize in another without saving CC info?

I'm building a book store and I am building the checkout using PayPal Payflow. This is the checkout flow:
Shipping info --> Billing info |verify CC using Paypal| --> Order summary --> Submit |authorize CC using Paypal|
Shipping info: fill out shipping address, nothing special here
Billing info: fill out your billing address + credit card info. Don't save the credit card info since it's against standards, instead just send the CC number, expiration date, and CVV directly to PayPal to verify. PayPal approves.
Order summary: The order sees the summary of his order before he submits the order. He presses submit and another request to PayPal is sent to authorize the funds.
However, the CC info vanishes after #2, so how would I persist that data to #3 so that I can send it to PayPal again?
Can I just use the ORIGID to point to the PNREF? The documentation says I have to do a full request with the whole params list (including CC info, CVV, exp date, etc).
TRXTYPE=A&TENDER=C&PWD=x1y2z3&PARTNER=PayPal&VENDOR=SuperMerchant&USER=SuperMerchant&ACCT=5555555555554444&EXPDATE=0308&AMT=123.00&COMMENT1=Second purchase&COMMENT2=Low risk customer&INVNUM=123456789&STREET=5199 MAPLE&ZIP=94588
Or am I just misunderstanding what authorization means? Isn't authorization actually reserving funds in the user's CC? So that shouldn't be done until the user presses submit order right?
I figured it out.
The documentation here: https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/pp_payflowpro_guide.pdf
on page 40 mentions it briefly, but doesn't go into much detail about this checkout flow even though it seems pretty common.
My assumption was right, in that I could just do an address verification request first with all the CC info, and use the PNREF returned. I save the PNREF id in my session and reuse it to submit a request that looks like this:
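# Reference authorization: ORIGID points at the PNREF returned by the earlier
# verification request, so no card number, expiry date or CVV is sent again.
# make_request, PAYPAL_API and purchase are defined elsewhere in the application.
def authorize_transaction(pnref)
  make_request(authorization_data(pnref))
end

def authorization_data(pnref)
  {
    "TRXTYPE"   => "A",
    "TENDER"    => "C",
    "USER"      => PAYPAL_API["user"],
    "PWD"       => PAYPAL_API["pwd"],
    "VENDOR"    => PAYPAL_API["user"],
    "PARTNER"   => "Paypal",
    "AMT"       => purchase.total_price,
    "ORIGID"    => pnref, # PNREF saved in the session after verification
    "VERBOSITY" => "HIGH"
  }
end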
And receive the desired response:
{"RESULT"=>"0", "PNREF"=>"A10A6A9C08E1", "RESPMSG"=>"Approved", "AUTHCODE"=>"752PNI", "AVSADDR"=>"Y", "AVSZIP"=>"Y", "HOSTCODE"=>"A", "PROCAVS"=>"Y", "VISACARDLEVEL"=>"12", "TRANSTIME"=>"2014-01-31 11:53:56", "FIRSTNAME"=>"net", "LASTNAME"=>"theory", "AMT"=>"15.64", "ACCT"=>"1111", "EXPDATE"=>"0115", "CARDTYPE"=>"0", "IAVS"=>"N"}

CreateRecurringPaymentsProfile returns Success and then recurring profile gets cancelled instantly, Paypal Sandbox

I am implementing the PayPal recurring API. In sandbox mode, when I create a recurring profile using CreateRecurringPaymentsProfile, it returns success as the response.
The request and response for CreateRecurringPaymentsProfile are:
Request:
`&TOKEN=EC-6VH029039A9xxxxxx&PAYERID=&PROFILESTARTDATE=2013-08-29T18%3A44%3A52Z&DESC=Premium+Membership&BILLINGPERIOD=Month&BILLINGFREQUENCY=1&TOTALBILLINGCYCLES=xx&INITAMT=x.xx&FAILEDINITAMTACTION=CancelOnFailure&AMT=9.99&CURRENCYCODE=USD&COUNTRYCODE=US&MAXFAILEDPAYMENTS=3&AUTOBILLOUTAMT=AddToNextBilling`
Response:
`array(7) (
[PROFILEID] => (string) I%xxxxxxUMYEMFxx
[PROFILESTATUS] => (string) PendingProfile
[TIMESTAMP] => (string) 2013%2d07%2d30T18%3a45%3a16Z
[CORRELATIONID] => (string) 424d12027ab90
[ACK] => (string) Success
[VERSION] => (string) 86%2e0
[BUILD] => (string) 7084400
)`
Also it shows Pending profile on sandbox account. For some cases it activates the profile and charges the initial amount and for some cases the profile gets cancelled by itself. This happened to me before when negative testing was on, but now it happens even if negative testing is off. Again it happens in some cases not all cases.
You're using INITAMT and FAILEDINITAMTACTION=CancelOnFailure, so it sounds like you're getting exactly what should be expected.
If for some reason the initial amount cannot be charged it will immediately suspend the profile.