Random Credit card data for Paypal's Payment REST API call

Has anyone yet dabbled with Paypal's REST API call for Direct credit card payments?
This resource resides here:
https://api.sandbox.paypal.com/v1/payments/payment
The typical way to process this account is:
1. Get access token by making an API call that includes the Client_ID and Secret.
2. Using the access token, I make a call to the payment API with the necessary card specific data.
In point number 2, the line 'necessary card specific data' is important. So far, I had been testing using one of my test/sandbox business accounts. That is, the credit card data that was specifically generated for this account. However, it seems like I can manipulate the name, change the expiry date (as long as it's a valid date), the CVV2 number. As long as the credit card passes a MOD 10 check, the response object shows the payment as processed (state: approved).
My question is, is this a loophole (unlikely) or just by design that Paypal allows any random card related data to verify payments (as long as they are valid credit card numbers)?
If it is the earlier, then I wonder why Paypal wants me to create a business account and generates credit card data for me, when all I really need is the REST API client id and secret that is provided when I sign up as a developer.
Disclaimer: The documentation does not state anywhere that random card related data can be used.

Correct, this is by design. We'll accept any credit card number in the Sandbox environment as long as it adheres to MOD-10. This is done specifically to allow for easier testing in the Sandbox environment.
> If it is the earlier, then I wonder why Paypal wants me to create a business account and generates credit card data for me, when all I really need is the REST API client id and secret that is provided when I sign up as a developer.
I'm not quite sure what you mean here though?
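
The MOD-10 (Luhn) check mentioned in the question and answer above, as an added example that is not part of the original posts. It shows that the check is only a checksum over the digits, so a sandbox "approved" state says the number is well-formed, not that a real card exists. The function names are illustrative and the sample number is a widely published test value.

```javascript
'use strict';

// Sample input (constructed): a widely published test number, not a real account.
const SAMPLE_OK = '4111 1111 1111 1111';
const SAMPLE_TYPO = '4111 1111 1111 1112'; // last digit mistyped

// Strip the separators people type; reject anything else that is not a digit.
function normalizePan(input) {
  const digits = String(input).replace(/[ -]/g, '');
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn: starting from the rightmost digit, double every second digit,
// subtract 9 from any result above 9, and sum everything.
// The number passes when the sum is a multiple of 10.
function passesMod10(input) {
  const digits = normalizePan(input);
  if (digits === null) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Pre-validation a server can run before calling the payment API.
// 'checksum-ok' means "not a typo", never "authorized".
function classify(input) {
  if (normalizePan(input) === null) return 'malformed';
  return passesMod10(input) ? 'checksum-ok' : 'checksum-failed';
}

console.log(classify(SAMPLE_OK), classify(SAMPLE_TYPO), classify('4111-abcd'));
```

In production the processor, not this checksum, decides whether a payment is approved; the check only filters mistyped numbers early.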

Related

How can I obtain a token to charge authorized PayPal accounts as needed?

I have a white labeling Shopify app that bills store owners who install my app whenever orders for my vendor are created in their store. Currently I use Authorize.net as a payment processor. Store owners perform an initial setup whereby they authorize their credit card using a web form I provide. This provides me with a customer profile ID and a customer payment profile ID for the store owner, and I use these two ids to charge their credit card via Authorize.Net for each and every order that is placed through their store for when the order contains one or more of my white label products.
So essentially I have Authorize.Net tokens for each store, and I use those tokens to charge store owners' credit cards as orders come in through their store, and each order has a different charge amount (this is not a recurring payment that is of the same amount each time). Here is some sample code.
I'd like to use PayPal as a backup payment processor and reproduce this same functionality. I'm looking through PayPal's API as well as the Node SDK, and I am not sure how to accomplish the same thing with PayPal. I essentially want to obtain a token tied to the store owner's account which I can use to charge the seller for each order, and each order can have a different charge amount.
Can someone point me in the right direction?
Turns out that what I wanted seems to be Reference Transactions.
For documentation see https://developer.paypal.com/docs/classic/express-checkout/integration-guide/ECReferenceTxns/.
For an example see this project which uses the paypal-ec2 Node package.
The flow for the example project mentioned above appears to be as follows:
Create Billing Agreement with seller
Visit Express Checkout page
http://localhost:3000/checkout/callback_success is called
Receive token
Redirect to payment URL (which uses token received)
Receive token
Create a billing agreement
(no redirection or confirmation happens)
Receive and store a billing agreement token in database
You now have the ability to process payments in the future for arbitrary transaction amounts using the Billing Agreement ID

PayPal REST API Get Authorization Code returned from credit card processor

There is a code returned by the credit card processor when the transaction is approved, usually 5-6 digits. I'm trying to retrieve this code with REST API in their sandbox.
If you are using PayPal Payflow you can see this on the transaction result page when logged in to your Payflow account. This number is also on a printed receipt when you go to a store, it's a very common number to have after an approved CC payment. I have yet to accept a real payment through REST API, just working with sandbox so far. Looking at the response for the sandbox payment and the sale transaction I cannot see anything that looks like the processor authorization code.
Documentation for this authorization code is difficult to research and I don't want to lead anyone astray; I'm not looking for anything related to the auth code used for access and refresh tokens, same name but completely different.

Payflow using Hosted Pages: Is TENDER required in the secure token request?

From here in the Payflow Developer Guide:
To create a secure token, pass all parameters that you need to process the transaction except for payment details parameters such as the credit card number, expiration date, and check number. For details on transaction parameters, see Submitting Credit Card Transactions. In addition, pass the following Payflow parameters to create the secure token.
TENDER is listed as a required parameter here, in the "Submitting Credit Card Transactions" section. When using Hosted Pages, do I really need to ask the customer how they want to pay prior to passing them to Payflow? If not, could someone point me to where this is described in the documentation? I'm not seeing it anywhere.
Thanks,
Ian
TRXTYPE is the type of transaction you are doing, not what the customer is using.
Are you doing an (A)uthorization? (S)ale? (C)redit? (V)oid? etc.
With the hosted page token request, you pass over everything for the transaction except the payment method (credit card number or PayPal account).

Store credit card details in Paypal payment

I wanna store card details while using Paypal payment. Is there any way in Paypal SDKs to store details of a card?
PayPal's REST API calls this a "Vault" and allows you to save the credit card details on PayPal's server so you don't have to save it on your own server. This way you can still process saved cards without any risk of saving it on your own server.
The Classic API (which is what I still prefer) has the same thing except that it's called Reference Transactions. You can run a card verification / $0 authorization, and then in the future you make a call to DoReferenceTransaction to process any amount you need using the card details PayPal has saved on their server.
Either way it's just a matter of building the API requests per the documentation. There are SDKs available to help you with this.
Paypal does not share its users' account details, especially card details, with anyone. You have to use the unique account email address to define a user.
It is highly recommended to not save any payment information of users. Only transaction IDs, and perhaps a unique user ID or hash.

Retrieving a user's credit card details via paypal

I’m building a site to be based in Australia and I have been researching into saving credit card numbers. Currently I have not had much luck with my questions. Paypal was of little help.
The site will run on many small transactions. I plan on using the paypal gateway to handle payment both via credit card and paypal accounts.
What I would like to do is retrieve user’s credit card details so they do not need to input them each time.
How I imagine this to work is that the first time a customer will input their credit card details to make the purchase. Once this purchase has been completed the site will receive a transaction ID from paypal. I then save this ID for future reference mapped to the user's ID or email address.
So the next time the user wishes to make a purchase via their credit card I can forward this transaction ID to paypal and it can already have all the fields populated with their card details. Or display a screen with the last 4 digits or similar and ask the user if they wish to use this card again.
This is all assuming that the user does not have a paypal account.
Is this possible? Is there a better/more cost effective solution than this?
Your understanding isn't too far off. When you submit card details to PayPal (or any payment gateway) you should get back a token id. You would store that token id instead of the card details, then at any future point you wish to take payment you submit the token id (along with payment value etc.).
By only storing the token value (and not the card details) you free yourself of most of the hassle with PCI compliance. PCI does allow you to store part of the card details in plain text (at most the first six and last four digits), so you could safely store these along with your token id. That would allow you to display these details and ask 'use this card again'.
An example of this is documented at PayPal's site here:
https://developer.paypal.com/webapps/developer/docs/integration/direct/store-a-credit-card/
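
The storage pattern described in the answer above, as an added example that is not part of the original post: keep the gateway token plus at most the first six and last four digits, and check that nothing resembling a full card number reaches a database row or log line. The function names, record fields and token value are illustrative assumptions, not PayPal's API.

```javascript
'use strict';

// Build the record kept in your own database: the gateway token plus the
// truncated number (first six / last four). No full number, no CVV2.
function toStoredCard(pan, gatewayToken) {
  const digits = String(pan).replace(/[ -]/g, '');
  if (!/^\d{12,19}$/.test(digits)) throw new Error('malformed card number');
  return {
    token: gatewayToken,
    first6: digits.slice(0, 6),
    last4: digits.slice(-4),
    length: digits.length,
  };
}

// "Use this card again?" label built only from the stored fields.
function displayLabel(card) {
  return card.first6 + '*'.repeat(card.length - 10) + card.last4;
}

// Guard for anything headed to storage or logs: true if the serialized value
// still contains 12-19 digits in a row (single spaces or hyphens allowed
// between them), which may be a full card number.
function containsPossiblePan(value) {
  return /(?<!\d)(?:\d[ -]?){11,18}\d(?!\d)/.test(JSON.stringify(value));
}

// Constructed sample: a published test number and a made-up token string.
const record = toStoredCard('4111 1111 1111 1111', 'CARD-EXAMPLE-TOKEN');
console.log(displayLabel(record), containsPossiblePan(record));
```

The guard is a heuristic: a token or order id made of 12 or more consecutive digits would also trip it, so apply it to the fields you control.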