PayPal Certified Developer Program Study Guide, March 2008
Transactions: Payment Notification Integration
that will process the IPN posts, and click Save. Doing this activates IPN for all transactions.
Setting Up an IPN-Processing Program
The data sent by IPN is in the form of name-value pairs. At a minimum, a program must process these pairs; other processing may be necessary based on the merchant’s order management needs, database, and other factors outside the scope of this guide.
Code samples for several environments are available at http://www.paypal.com/ipn.
IPN Notification Validation
After the server receives an IPN, the merchant must confirm it was received. This is known as notification validation, which is a means for PayPal to help prevent spoofing or “man-in-the-middle” attacks.
A merchant can validate the notification in one of two ways:
• Send a shared secret that is known only to the merchant. PayPal recommends this method because it ensures the validity of the data and decreases network traffic to and from the merchant’s website. Shared secret validation is appropriate if:
  - The merchant is not using a shared website hosting service.
  - The merchant has enabled SSL on the web server.
  - The merchant is using PayPal Encrypted Website Payments (EWP).
  - The merchant uses the NOTIFYURL variable on each individual payment transaction.
• Send a POST back to PayPal after receiving the IPN and verifying the correctness of the data. Postback is appropriate if:
  - The merchant relies on a shared hosting service.
  - The merchant does not have SSL enabled on the web server.
Both concepts rely on a notification URL, which is the URL to which PayPal posts IPN data. The notification URL can be set either with each transaction (if the merchant wants to receive notifications for different transactions at different URLs) or globally in the Profile.
Set the notification URL on a per-transaction basis with the NOTIFYURL variable, which must be URL-encoded. If the merchant sets the notification URL in the Profile, specifying the NOTIFYURL variable overrides the value in the Profile.
NOTE: If the merchant does not use EWP or shared secret validation, he must check the price, transaction ID, PayPal receiver email address, and other data sent by IPN to ensure they are correct.
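The two validation methods above and the checks the NOTE calls for, as an added Python example that is not from the guide or from PayPal's own sample code. The secret parameter name, the merchant values and the sample IPN body are constructed assumptions; the IPN field names (txn_id, mc_gross, mc_currency, receiver_email, payment_status) and the postback convention (cmd=_notify-validate answered by VERIFIED or INVALID) come from PayPal's IPN documentation rather than from this page.

```python
import hmac
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Constructed merchant values for the example (assumptions, not from the guide).
MERCHANT_SECRET = "example-shared-secret"
RECEIVER_EMAIL = "seller@example.com"

# Constructed IPN body, shaped like what PayPal POSTs to the notification URL.
SAMPLE_IPN_BODY = (b"txn_id=EXAMPLE123&payment_status=Completed&mc_gross=19.99"
                   b"&mc_currency=USD&receiver_email=seller%40example.com&custom=order-42")


def shared_secret_ok(query_string, secret=MERCHANT_SECRET, name="secret"):
    """Shared-secret validation: the merchant appended ?secret=... to NOTIFYURL, so the
    secret arrives in the query string of the IPN request. The parameter name is an
    assumption; the comparison is constant-time."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    return hmac.compare_digest(params.get(name, "").encode(), secret.encode())


def build_postback_body(raw_body):
    """Postback validation: the received body is sent back to PayPal unchanged, with
    cmd=_notify-validate prepended; PayPal answers VERIFIED or INVALID."""
    return b"cmd=_notify-validate&" + raw_body


def postback_verified(paypal_reply):
    return paypal_reply.strip() == "VERIFIED"


def check_ipn_fields(raw_body, expected_gross, expected_currency, seen_txn_ids):
    """The guide's NOTE: verify price, transaction ID and receiver e-mail yourself.
    Also rejects a txn_id processed before (a replayed notification) and any status
    other than Completed. Returns (ok, reason)."""
    f = dict(parse_qsl(raw_body.decode(), keep_blank_values=True))
    if f.get("receiver_email", "").lower() != RECEIVER_EMAIL.lower():
        return False, "receiver_email does not match this merchant"
    if f.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    try:
        gross = Decimal(f.get("mc_gross", ""))
    except InvalidOperation:
        return False, "mc_gross missing or not a number"
    if gross != Decimal(expected_gross) or f.get("mc_currency") != expected_currency:
        return False, "amount or currency does not match the order"
    txn = f.get("txn_id", "")
    if not txn or txn in seen_txn_ids:
        return False, "txn_id missing or already processed"
    seen_txn_ids.add(txn)
    return True, "ok"
```

The expected amount and currency come from the merchant's own order record, never from the notification itself.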
Shared Secret Validation. The recommended method for notification validation is to use a shared secret on individual payment transactions. Add a shared secret variable and value to the NOTIFYURL variable to which the IPN data is posted after a payment is made. The shared secret consists of the following: