Can we assume that the payment is completed for a transaction when the customer is auto returned to our site?
Paypal advices us to use their IPN system for other types of payment, like an e-check, but also tells us to tell the customer something along the lines of "Thank you for your payment. Your transaction has been completed, and a receipt for your purchase has been emailed to you. You may log into your account at www.paypal.com/ca to view details of this transaction."
What are the downfalls of not using IPN, and just assuming the payment is completed when paypal auto-returns users to our site?
Thanks!
Relying solely on the return url is a pretty bad idea. It would be easy for a bad guy to skip payment and just visit your return url to complete the order.
There is a pretty comprehensive article about this here
No.
However, using the Auto Return option in your Paypal account in conjunction with Payment Data Transfer (Profile/My Selling Tools/Website preferences/Website Payment Preferences) will give you payment confirmation data in the URL you use for Auto Return, for example:
www.yourReturnURL.com?tx=9XV61416UY0043254&st=Completed&amt=9%2e00&cc=USD&cm= 9601&item_number=2
You need to verify this data (anyone could send a fake request) by sending the payment reference ("tx" parameter above) back to Paypal and waiting for a VERIFIED response.
This last step is identical as the one you take for the IPN (Instant Payment Notification) implementation.
With PDT you get the notification instantly. PDT has a a major weakness: it sends order confirmations once and only once. As a result, when PDT sends a confirmation, your site must be running; otherwise, it will never receive the message.
With IPN, in contrast, delivery of order confirmations is virtually guaranteed since IPN resends a confirmation until your site acknowledges receipt. For this reason, PayPal recommends that you implement IPN rather than PDT.
Note: If your site must be notified of payments immediately, you can implement both IPN and PDT.
More info here: https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNPDTAnAlternativetoIPN/
Related
My question is very simple and no related to any kind of troubleshooting its just to get the information about the IPN
Lets say:
I have a system Paypal integrated activated IPN and working fine
someone tried to Price Jack a product and changed the price from 200$ to 2$
My IPN detected that and informed me about that issue (through mail as i set in my IPN).
My question is will paypal still process that payment and accept that 2$ and redirect user to my success page? or it will stop the processing the payment?
Ofcourse I have the proper handling of that and will not update the database
but question is will those 2 dollar will get processed in my paypal?
if yes is there any way to stop paypal from processing?
Note that there're multiple ways to protect your payment button code (price and other details) and also a very rare chance that an HTTPS payment request got "price-jacked" by a man-in-the-middle attack or malicious fraud activity, but still a valid question to be clarified.
In this case, the $2 will be processed just as a normal transaction to PayPal, and the asynchronous IPN will only be triggered by the event of payment completion. That's when your website backend will reconciliate and detect the "price-jack" by IPN callbacks, after the payment processing but not before.
Eventually, the transaction (of $2) that has taken place would be in sccope of fraud activity & dispute issue, and to be reported and handled by PayPal customer service
In the documentation for IPN, it says things like "Check email address to make sure that this is not a spoof". But I cannot see what to do when that is the case, and how I tell PayPal I want to reject a transaction. E.g. do I sent back a 400 instead of a 200? Or alter the POST data in some other way?
Or do I just ignore the message? (The problem with that is that PayPal will keep re-trying, which is wasted bandwidth for us, but also means it takes longer for the user to hear about the payment failure.)
Background: I realize sending it back to PayPal and getting the VERIFIED message back handles most security issues. But in my case, there is some unique ID information in the custom field. If that is missing, or does not validate against the DB, I want to reject the payment. I want my customer to see it failed, so they know to go and use a fresh form. The alternative is to accept the payment, and then have to involve a manual process trying to work out who the payment came from, and then possibly do a manual refund. (Other reasons to do this might be that the inventory has sold out in the split second between them seeing a product on the site and clicking BUY.)
The payment didn't fail. PayPal is notifying you that the payment succeeded: not asking you whether you want to accept it. You can't reject it at this stage.
Simple send back a 200 code to let Paypal know you received the IPN, otherwise Paypal will try to send the IPN response repeatedly.
IPN is Instant Payment Notification. After the payment paypal notify you the result of the payment. Check if connection VERIFIED, and next if if the payment is Completed and mark the result in the database.
If you say to PayPal the ipn address in the cart, Paypal send you the notification. You can't say to paypal: "yes please, send me a notification" and when receive say "why you send this?" If you put ipn in cart form you can provide a ipn url with code 200, not 404. Or remove ipn value in the cart form
I cant find anny clear documentations about this.
If you use paypal express checkout, when a payment is pending what happens next?
Does paypal sends you by IPN an update if the states changes, do you have options?
Let say you do an DoExpressCheckoutPayment (with NVP)
and you get this:
&PAYMENTSTATUS=Pending
&PENDINGREASON= ECHECK //The payment is pending because it was made by an eCheck that has not yet cleared.
&REASONCODE=None
So you've made the payment and you want to wait until its cleared? What should you do next.
Update Some (external documentation) I found only sugest you could use (IPN?) to handle pending payments.
"If the Do Express Checkout Payment PENDINGREASON response is a value
other than none or completed , the payment is pending. Typically,
this means the customer has paid with aneCheck. In such a case, funds
are not guaranteed, and you should not ship or deliver items or
services until the payment has successfully completed. NOTE:
PayPal recommends that you block eChecks as a payment method if you
are unable tohandle pending state payments.To find out the status of a
pending payment, you can:
Submit an Inquiry transaction.
Check the status using PayPal Manager. See PayPal Manager online help
for details."
The paypal sandbox seems to have the option to check IPN messages for the express checkout type. The only correlation (if its ment to be used this way) between the DoExpressCheckoutPayment and the IPN seems you can use the "custom" field to keep track of a pending status. The txn_id (ipn) isn't given in DoExpressCheckoutPayment (nvp). Does any one have any experience with this?
The transaction ID is most certainly given in DoExpressCheckoutPayment, even if the PAYMENTSTATUS=Pending. A pending payment is still a transaction.
So yes, you would be notified via IPN when the transaction is completed. This typically takes a few working days.
Once it has completed, you can correlate the transaction from DoExpressCheckoutPayment to the IPN you will have received via the txn_id in the IPN.
Note: If you want to test a 'Pending' payment in the PayPal Sandbox, simply go to https://developer.paypal.com/ > Test account and click on 'Payment review' for the seller account you're testing with.
Once payment review is enabled on that seller account, any transactions it receives will be in a 'Pending' state.
Simply disable payment review to release the tranasctions afterwards.
I thought i'd add my two pence worth of thoughts to this.
I was getting a pending return status using Express Checkout via the dotNet SDK, according to the doc's and examples I should have been getting an 'approved' status.
I couldn't figure out why but it turned out to be because I was passing through a new currency, in our case 'GBP'. I had to log in as the facilitator sandbox account and decide what to do with the new currency.. convert it or setup a new balance in the currency. Once I did this, and set it as the default action, the pending return status no longer occurred.
hope that helps someone!
One thing not noted here and I haven't found anything else to confirm.. is that Paypal Express API doesn't support passing in the NOTIFYURL with the code. So you have to use the hardcoded IPN url set in your paypal account. This of course causes issues because you need a common callback file that can redirect to the individual payment options.
For example, if you are using Paypal Express AND Paypal Advanced.. Neither of those properly support a notifyurl passed in using the code. Paypal Advanced claims to, but it doesn't seem to work. So there needs to be a common IPN callback file that handles the redirection to each.
Unless someone else can confirm a working notify url for Express Checkout variable that can be passed in the code?
I have downloaded sample code from paypal to allow me to use parallel payments via their sandbox accounts. When I run parallel.php, I get redirected to paypal's sandbox login page.
How am I supposed to know "server side" that the payment has been made successfully, so I can update my database records?
I believe you have to work with PayPals IPN system. This will basically send a confirmation to your server that tells you it has gone through.
https://www.paypal.com/ipn
Paypal lets you register a notification url which is part of the IPN (instant payment notification IIRC) system. So if someone pays by a delayed payment (such as a bank transfer) the transaction will update days later. You need to have an application (web page) on your server that can be called by Paypal with transaction details to update a payment.
You'll need to create an initial transaction record in your system when paypal redirects back to you so refer to their documentation for that. I'd also recommend looking at either OSCommerce or Zen cart for an idea of how they do it as they support the same kind of thing.
I'm having some trouble choosing between PayPal's Instant Payment Notification (IPN) and Payment Data Transfer (PDT).
Basically, users buy a one-off product on my site, pay on PayPal, and return to my site. I understand how IPN works but I'm now seeing that I might be able to trigger the various actions that take place after a successful purchase more easily with PDT, as the data gets returned there and then (as opposed to needing a separate listener).
However, PayPal's PDT documentation contains this cryptic line: "PDT is not meant to be used with credit card or Express Checkout transactions." ... but I can't find anything further whatsoever on the topic.
Are credit cards REALLY not meant to be used with PDT? I would like more than a sentence.
Does that mean that a user must have/create a PayPal account to pay?
Does it mean that if I want to allow users to pay with their PayPal accounts AND/OR with credit cards directly, I must implement IPN?
Could anyone who's gone through this kindly shed some light?
The APIs for PDT and IPN are similar. The main difference is when you receive the notification. For that reason I would recommend implementing both.
With PDT you get the notification instantly and can do any additional processing required and show the user a confirmation page.
With IPN you are guaranteed to be notified that the payment was received even if the user's computer explodes before it can send you the PDT.
Implement both and get the best of both worlds. But if you're only doing one, IPN is the reliable one.
One catch: if you implement both then there's a chance your payments could be processed twice. Take care to ensure that doesn't happen. The application I wrote handles the PDT and IPN almost identically (the backend part is the same) and that code acquires a per-web-user lock in the database, so that if the same user tries to submit the exact same payment multiple times it can only be processed once. Once processed the result of that process is re-used for any subsequent attempts to process it.
Edit
One more thing: IPN carries more information than PDT. There are lots of different messages that you can receive from IPN, such as chargeback notification, etc, and thus you really should implement it.
PayPal's PDT system sends order confirmations to merchant sites that use PayPal Payments Standard and lets them authenticate this information. Such sites can then display this data locally in an "order confirmation" page.
When to Use PDT?
IPN provides the same capabilities described above. So, when should you choose PDT instead of IPN?
With PDT, your site is notified immediately when a customer completes payment. With IPN, however, there is a material lag between the time a customer completes payment and the time your site receives notification of this event.
So, use PDT if your site includes a feature that requires immediate payment notification.
For example, consider a digital music store. With PDT, this store can let customers download their purchases right away since PDT sends order confirmations immediately. With IPN, such immediate order fulfillment is not possible.
Advantages of IPN
PDT has a a major weakness: it sends order confirmations once and only once. As a result, when PDT sends a confirmation, your site must be running; otherwise, it will never receive the message.
With IPN, in contrast, delivery of order confirmations is virtually guaranteed since IPN resends a confirmation until your site acknowledges receipt. For this reason, PayPal recommends that you implement IPN rather than PDT.
Another advantage of IPN is that it sends many types of notifications, while PDT sends just order confirmations. So, using IPN, your site can receive, for example, chargeback notifications as well as order confirmations.
Note: If your site must be notified of payments immediately, you can implement both IPN and PDT. However, if you do, your site will receive two order confirmations for each sale. As a result, you must be careful to take action (say, ship a product) on just one copy of a given confirmation message.
Documentation Here
Re 1. PDT is meant to use with Auto Return for Website Payments feature. Auto Return redirects to PDT site after paying money to seller. Unfortunately it's not possible to use that feature along with PayPal Account Optional - used to enable Credit Card payment. Here is note from PayPal: 'If you have turned on Auto Return and have chosen to turn on PayPal Account Optional for new users, a new user will not be automatically directed back to your website, but will be given the option to return.'. User will have an option to go back to your site(PDT step) or stay on PayPal site. To sum it up when paying by Credit Card user can skip PDT step if user will not click 'return to store link'.
Re 2. It is up to you what paying options do you want to allow. If you want to allow paying without a PayPal Account you can enable Account Optional. If you want to allow only users with PayPal accounts disable that feature. There might be more options.
Re 3. In your case you need to trigger action after successful purchase. Recommended way would be to implement IPN. PDT doesn't work for all cases and doesn't guarantee message delivery. Here is link to doc covering that topic PDT vs IPN.
This is an old question, but my simple answer would be - Why not use both PDT and IPN? They will work fine for card transactions.
PDT can provide the immediate transaction status to your website, where you can quickly check the payment success or failure status and provide the user with appropriate message.
Meanwhile, you can await the full verification from IPN in the background. Once received, you can use this to further update your DB and process the order.
You can follow this step-by-step guide which I found to be very clear and helpful - and it's still valid in 2018.
https://www.codexworld.com/paypal-standard-payment-gateway-integration-php/