PayPal IPN - what to do if details are wrong? - paypal

At the end of the IPN docs it says the following:
Important: After you have authenticated an IPN message (that is, received a VERIFIED response from PayPal), you must perform these important checks before you can assume that the IPN is both legitimate and has not already been processed:
1. Check that the payment_status is Completed.
2. If the payment_status is Completed, check the txn_id against the previous PayPal transaction that you processed to ensure the IPN message is not a duplicate.
3. Check that the receiver_email is an email address registered in your PayPal account.
4. Check that the price (carried in mc_gross) and the currency (carried in mc_currency) are correct for the item (carried in item_name or item_number).
What are you supposed to do if one of these checks fails? Are we supposed to call a PayPal API somehow to 'reject' the transaction?

Most shops would mark an order / transaction that fails these checks as "Possible Fraud" or something along these lines.
The order status should raise awareness with the employee working the orders - a closer look should show which check has failed and further actions can be initiated.
This may range from refunding the transactions to contacting PayPal for possible fraud attempts. In any case, the order should be checked and not just treated as any other "Completed" order.
Sample scenario:
1. You're using unencrypted Website Payments Standard, HTML Forms to receive payments.
2. A fraudulent buyer finds out and starts modifying the price of an item by editing the submitted form.
3. You receive the order as PAID and don't check the value of the order within your shop against the transaction.
4. An employee doesn't spot this and an item worth $200 is sent out for a payment of $0.01.

Related

PayPal recurring payment verification

After one has created a monthly billing agreement with a customer, how do I verify that the customer has paid (and not cancelled the agreement) at the next bill statement?
Would I use GetRecurringPaymentsProfileDetails for this information? Basically, I want to automate cancellations/etc.
In your IPN endpoint, a subscr_cancel txn_type is sent when this happens. Then you can update a record in your database to account for this.
IPN messages, when enabled, send POST requests for all kinds of actions, such as when a payment is made or a subscription is cancelled. When you receive a message you need to validate the message, determine what message it is, and then perform an action in your application.
IPN info
https://developer.paypal.com/docs/classic/products/instant-payment-notification/

How to explicitly reject an IPN request

In the documentation for IPN, it says things like "Check email address to make sure that this is not a spoof". But I cannot see what to do when that is the case, and how I tell PayPal I want to reject a transaction. E.g. do I send back a 400 instead of a 200? Or alter the POST data in some other way?
Or do I just ignore the message? (The problem with that is that PayPal will keep re-trying, which is wasted bandwidth for us, but also means it takes longer for the user to hear about the payment failure.)
Background: I realize sending it back to PayPal and getting the VERIFIED message back handles most security issues. But in my case, there is some unique ID information in the custom field. If that is missing, or does not validate against the DB, I want to reject the payment. I want my customer to see it failed, so they know to go and use a fresh form. The alternative is to accept the payment, and then have to involve a manual process trying to work out who the payment came from, and then possibly do a manual refund. (Other reasons to do this might be that the inventory has sold out in the split second between them seeing a product on the site and clicking BUY.)
The payment didn't fail. PayPal is notifying you that the payment succeeded: not asking you whether you want to accept it. You can't reject it at this stage.
Simply send back a 200 code to let PayPal know you received the IPN; otherwise PayPal will try to send the IPN response repeatedly.
IPN is Instant Payment Notification. After the payment, PayPal notifies you of the result of the payment. Check if the connection is VERIFIED, next check if the payment is Completed, and mark the result in the database.
If you give PayPal the IPN address in the cart, PayPal sends you the notification. You can't say to PayPal "yes please, send me a notification" and then, when you receive it, say "why did you send this?" If you put ipn in the cart form, you can provide an IPN URL that answers with code 200, not 404. Or remove the ipn value from the cart form.

Reject transaction after receiving IPN

Is it possible to reject / auto refund after receiving IPN message with COMPLETED status but the txn_id is duplicated or the price value is incorrect?
Or does manual investigation need to be done to refund?
If you are verifying your IPN calls with PayPal, this should (in theory) be impossible. PayPal never duplicates transaction IDs.
Is it possible to reject / auto refund after receiving IPN message with COMPLETED status but the txn_id is duplicated or the price value is incorrect?
You can't reject the transaction with IPN. You aren't in a transaction. You're getting notification that a transaction has already occurred.
You may be able to use another API to reverse the transaction, as suggested by #geewhiz.

IPN payment_status variable

I am using PayPal's IPN service to confirm payment. My listener is checking the payment_status variable hoping to find "Completed". I don't want to do anything in my database unless the payment comes back "Completed". My question is, what if it does not come back with that status? Will PayPal continue to communicate with my listener until it is complete? For example, the status could come back as "Processed", which appears to be a step before "Completed". Below is a link to a document with all of the variables:
https://www.paypalobjects.com/webstatic/en_US/developer/docs/pdf/ipnguide.pdf
On page 10:
Because IPN messages can be sent at various stages in a transaction's progress, make sure that the transaction's payment status is "completed" before enabling shipment of merchandise or allowing the download of digital media.
So yes, I think PayPal will always give you an IPN with Completed status.

Does paypal resend IPN once a payment status has been changed from pending to complete/failed?

I have done some scouring but cannot find a definitive answer for this!
I get "VERIFIED" and "Pending" so I can put my orders from "placed" to "in-progress", but I need the complete / failed so I can then transfer to "paid" and "cancelled".
Anyone have anything definitive on this, or is it a waiting game until test payments are complete (not using sandbox)?
If the payment has a “Pending” status, you receive another IPN when the payment clears, fails, or is denied.
Also, here are some good things to check once you receive payment_status=Completed:
1. Check that the "txn_id" is not a duplicate, to prevent a fraudster from reusing an old, completed transaction.
2. Validate that the "receiver_email" is an email address registered in your PayPal account, to prevent the payment from being sent to a fraudster's account.
3. Check other transaction details such as the item number and price to confirm that the price has not been changed.
You get another IPN (not a 'resend'), same txn_id, with payment_status='Completed'.
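As an added example (not code from any of the answers above), here is a listener routine that applies the post-VERIFIED checks from the first answer and also handles the Pending-then-Completed sequence the last answer describes, where the second IPN legitimately carries the same txn_id. It assumes the shop keys its orders by the IPN custom field, that the merchant's PayPal address is seller@example.com, and that the echo-back to PayPal has already returned VERIFIED; the orders and bodies are constructed.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed shop state (not PayPal data): what the shop recorded when the
# buyer clicked BUY, keyed by the value the form sent in the IPN "custom" field.
ORDERS = {
    "order-1001": {"amount": "200.00", "currency": "USD", "status": "placed"},
    "order-1002": {"amount": "200.00", "currency": "USD", "status": "placed"},
}
RECEIVER_EMAIL = "seller@example.com"  # assumed: the merchant's own PayPal address
FULFILLED_TXN = set()                  # txn_ids whose Completed IPN was already acted on


def _money(text):
    """Parse an amount field; anything unparsable compares unequal to every price."""
    try:
        return Decimal(text)
    except (InvalidOperation, TypeError):
        return None


def handle_verified_ipn(body):
    """Apply the post-VERIFIED checks to one urlencoded IPN body and return the order
    status it leads to. The HTTP reply to PayPal is 200 in every branch: no 'reject'."""
    ipn = {k: v[0] for k, v in parse_qs(body).items()}
    order = ORDERS.get(ipn.get("custom", ""))
    if order is None:
        return "unmatched"  # nothing to attach the payment to: manual investigation
    status = ipn.get("payment_status")
    if status == "Pending":
        order["status"] = "in-progress"  # another IPN, same txn_id, follows when it clears
        return order["status"]
    if status != "Completed":
        order["status"] = "cancelled"  # Failed, Denied, ...: nothing to ship
        return order["status"]
    txn_id = ipn.get("txn_id", "")
    if txn_id in FULFILLED_TXN:
        return "duplicate"  # replayed Completed IPN: already shipped once, do not ship again
    problems = []
    if ipn.get("receiver_email") != RECEIVER_EMAIL:
        problems.append("receiver_email")
    if _money(ipn.get("mc_gross")) != Decimal(order["amount"]):
        problems.append("mc_gross")
    if ipn.get("mc_currency") != order["currency"]:
        problems.append("mc_currency")
    if problems:  # the payment happened anyway: flag it for a human, not "paid"
        order["status"] = "possible fraud: " + ", ".join(problems)
        return order["status"]
    FULFILLED_TXN.add(txn_id)
    order["status"] = "paid"
    return order["status"]
```

The dedupe set only records txn_ids that reached Completed, which is what lets the Pending IPN and the later Completed IPN for the same transaction both be processed while a replayed Completed IPN is not.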