After adding stuff in shopping cart, clicking some Pay Now with PayPal button, and successful PayPal payment (PP or CC), it is logically possible that a user stays on PayPal website, if for example the Auto Return option isn't activated (or it is but it doesn't work because the user is a guest user without PP account)
The user can return to the site by clicking a link, but doesn't have to. My question is: if he doesn't, how will the site owner be aware that the user paid so that he can now send the items by post? That the site owner gets informed of being paid seems elemental to me, so I find incomprehensible that such elemental thing be left to some obscure Auto-Return option.
Please can somebody explain this to me?
This is a common challenge with any redirected payment gateway, and it's the reason most (if not all) of them implement some sort of asynchronous notification that a payment has been completed. In PayPal, this is the Instant Payment Notification (IPN). You must setup on your site either a generic IPN listener that you link to from your PayPal account profile settings or you can create a more targeted IPN listener specifically for your transactions and use the NOTIFYURL (or related) parameter in the form or API request you use to redirect to PayPal to send IPNs to that listener.
In my integrations, I never perform any order update or transaction logging when the customer returns from the site, preferring instead to wait for the IPN that I can validate and ensure came from PayPal as opposed to a spoofed return from someone trying to hack my checkout process.
For more information, see the IPN documentation: https://www.x.com/developers/paypal/documentation-tools/ipn/integration-guide/IPNIntro
Paypal provide IPN for this purpose through which we paypal send request asynchronous to your site and you can perform whichever action you want
I think the point may have been missed here. Or a problem does exist. If the purchaser uses CC, even if you have IPN set up and it works, but if the purchaser uses CC and does not click a button on the last page, which is not presented when using PP account, it is possible for the funds to go through, but no IPN, and so your website is unaware of the purchase. This last page, is an extra page that CC user gets after the page with the Pay button on it.
In this state, you can even go into IPN history, and the IPN is there, says it is sent, but it hasn't been. It does not get sent until after the purchaser clicks the button on the extra page and then they are taken to the auto return page.
Related
I maintain a PayPal integration which uses PayPal HTML Buttons and confirms payment using IPNs. This system has been in production for more than 5 years.
The system sets the cancel_return variable to a unique URL for each order. If this URL gets hit (i.e. if the customer cancels at paypal and gets sent to this URL), it first checks the session, to ensure the user hitting the URL is the same one who initiated the order, then cancels the order.
I noticed that several recent transactions have been cancelled even though the transactions at PayPal were successful.
The logs showed that customers are hitting the cancel_return URL - in some cases just after the IPN has been received, and in one case just before the IPN was received.
I found at least one way to reproduce this behaviour:
initiate the order on my site
complete the payment at paypal
return to merchant
use the back button to return to paypal
I then get a message that says "Your payment was completed. To continue shopping, please return to the merchant." One button is provided: "Return to merchant name".
Clicking this button takes the user to the cancel_return URL!!
PayPal's documentation for cancel_return says
A URL to which PayPal redirects the buyers' browsers if they cancel checkout before completing their payments. For example, specify a URL on your website that displays a "Payment Canceled" page.
Default — PayPal redirects the browser to a PayPal webpage.
My question is whether this is an intentional change by PayPal -- if so I expect it will break many sites -- or if this is a bug. I couldn't find a bug report at PayPal.
Yes, they changed the meaning of cancel_url, though they are not acknowledging this as a bug or an intentional change. This is definitely a bug in my opinion (as documented in the question above).
In addition to the steps above (reproducing using the back button), I found a customer click-trail in my server logs where the customer was sent to the cancel_url, without using the back button, soon after PayPal sent the IPN confirming their successful payment. I confirmed that the customer did not want to cancel and did nothing to intentionally cancel their order. Unfortunately I could not find a way to reproduce.
I registered at www.paypal-techsupport.com and submitted a ticket about this issue. After several exchanges, the end result I got was:
This is the information that I received from our engineer.
Its an expected behavior when the customer click on the back button, it will bring back to the cancel_url.
We would suggest you to do some modification so that the order is not being cancel when the customer go to the cancel_url.
With poor customer support like this, I will not be recommending PayPal to any of my clients in the future.
You can post it here and the PayPal folks can pick it up.....
https://www.paypal-community.com/t5/Merchant-Technical-Support/ct-p/mts
I have a question about Paypal IPN, I was wondering when does the IPN activate and send it's message to my website.
I currently have my website that has a buy button. When the client buy the service, he is directed to paypal. Once he pay the service, nothing happen. In order for me to receive the IPN notification, the user has to click "Return to merchant website" or whatever the link is, then I receive the IPN notification.
Is it normal, does it work like that for everyone?
Cause right now, most people when they are done with the payment, just close the website and I don't receive any notification.
Thanks for any help !
Your question leaves a lot of missing information so I will go through each option for you:
Read here about how to setup a sandbox account if you don't already have one: https://developer.paypal.com/docs/classic/lifecycle/sb_create-accounts/
Bare in mind that your sandbox account is entirely separate in every way from your live paypal account. All settings will need to be checked and customised as needed.
Set up your IPN URL on your sandbox account Here: https://www.sandbox.paypal.com/uk/cgi-bin/webscr?cmd=_profile-ipn-notify
Once set up, you then need to download and set your code (PHP or something else) to the listener (referenced in the above sandbox profile link). You can find IPN code examples here: https://github.com/paypal/ipn-code-samples
When that's all set you need to set your listener to using the sandbox mode and then log in to your live account and then run the IPN simulator from here: https://developer.paypal.com/developer/ipnSimulator/
Paypal will send messages to your IPN listener and you need to do something with the messages, typically output them into some sort of log file. Any issues, you can read Paypals feedback and IPN data/delivery information here https://www.sandbox.paypal.com/uk/cgi-bin/webscr?cmd=_display-ipns-history&nav=0.3.4 [Found from History->ipnHistory on the Paypal menu] and it should list them out. You can resend any failed or queued or undelivered messages.
Paypal is a terribly documented and terribly structured system for coding with. I hate it. Use Stripe.
I love bullet points.
Paypal claims they will try and resend failed/queued IPNs 16 times over 5 days. I have yet to see this, you need to resend them manually (at least, sandbox ones)
Please remember all the settings and changes you have made to your Sandbox account will need to be also made to your live account before you make your payment system live!
Solution
My return_URL is the location of my IPN.php file which take care of the data sent and received. My problem is that the IPN is only firing when I click the "Return to merchant website" and not when the payment is actually completed
What you have done, from reading your comments, is set your IPN page to being your return from paypal page, this is NOT the way IPN is supposed to work, the IPN page should never be visited by the customer, only ever by Paypal.
Read through my anwser (points 2,3,4) and set up your IPN web link as I have described above, your return_url value should be a basic page to say to the customer "transaction complete". The IPN page is defined on your paypal accounts (sandbox and live) as I stated above.
This will fix your problem.
I hope to integrate Paypal using "Add payment buttons to your website" https://developer.paypal.com/webapps/developer/docs/integration/web/ since my site only needs one time purchase so this solution is perfect.
But it requires an IPN implemented as an async solution at the merchant side to receive the transaction result. While the button redirects user to paypal.com to finish the payment process. But after that is done. User is not automatically redirected back to merchant site.
I found on the forum that I can add an "data-return" attribute in the script element so when user is done paying there is an additional link that points to the merchant site. Now since IPN is asynchronous, once user views the "data-return" page, IPN may not have been called yet. My questions are:
1. So what's the suggested solution of synchronizing between return page and IPN?
2. When testing, I found a lot of query strings are appended to the "data-return" URL, looks related to transaction result. Can I use them to replace IPN so I have a SYNCHRONOUS way of verifying the transaction result?
Thanks!
Use Payment Data Transfer (PDT, for short). https://developer.paypal.com/webapps/developer/docs/classic/paypal-payments-standard/integration-guide/paymentdatatransfer/
I would like to check if a paypal user who tries to buy something from my site has a verified account before he makes purchase.
Once the user isn't verified, any payment he/she makes would fail. Funds will be returned back to user automatically.
Is there any code I can add or edit to make this work due to fraud issues.
Well I found this
https://www.paypal.com/us/verified/pal=emailhere
where if i replace emailhere with any email i get verified or unverified.
I would like to add this to the code.
Thanks
If you're not already, I would recommend using the Express Checkout API. This will allow you to check the payer status prior to finalizing the payment.
The SetExpressCheckout API would generate your token that you use to redirect the user to PayPal with. They would then sign in, review the order, and click continue which would send them back to your site.
At that point, you can call GetExpressCheckoutDetails to obtain all the buyer details including their verified status.
To finalize the whole thing you would call DoExpressCheckoutPayment. In cases where the payer is not verified, though, you could simply stop the flow and leave this call out. No payment will have taken place so no refund would be necessary. You can simply display a message that they need to verify their account prior to making purchases from you.
If you happen to be working with PHP I would recommend taking a look at my class library for PayPal. It makes all of this very simple for you.
I'm implementing a simple Buy Now button and I'm using IPN (not PDT) to verify the transaction.
A thing that bugs me is that I don't understand how come only after I set the notify_url field to the button I also get the transaction variables to the success URL, as GET params. It would seem normal to be the other way around.
Since the user could or could not choose to "return to the merchant's website" there's not way I should rely on that data. It does however seem to be identical to the one sent to the notify URL.
Some clarification would help. Thanks!
I know what you mean, after the user has finished paying and chooses to return to the sellers website (button in paypal page) they are redirected to your thankyou page.
I don't think it used to do this back in 2009 but now paypal will issue the redirect with all sorts of parameters in the url query string.
I'm just ignoring this information and relying on the backend IPN post which is verifiable by paypal
In my previous experience with IPN, I defined the location of the notify URL in the control panel. Once the payment is processed, PayPal sends a POST notification to this URL independent of any user behavior.
In any case, even if you define the notify_url parameter in the button, I believe PayPal will still send the payment notification seperate from the user behavior - they spawn a new process to send the data. As to why they are using a GET rather than a POST, that is odd behavior. However, in your IPN script you should still have logic that verifies the call with PayPal before you continue processing.