Study Guide
Table Of Contents
- PayPal Certified Developer Program Study Guide
- Contents
- List of Tables
- Online Payment Processing
- Internet Security and Fraud Prevention
- Why Every Business Should Be Concerned About Internet Fraud
- Liability for Internet Fraud
- Internet Fraud: What It Is and How It Happens
- Who Is at Risk for Online Fraud
- Reducing Exposure to Fraud
- What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud
- What PayPal Is Doing to Protect Your Business Against Fraud
- Disclosure and Compliance
- PayPal Fraud Protection Services
- Review Questions
- Getting Started With Account Setup
- API Credentials
- Name-Value Pair (NVP) API
- Express Checkout
- Direct Payment API
- Transactions
- Sandbox Testing
- Answers to Review Questions
- General Reference Information
- Glossary
- Index
Transactions
Payment Notification Integration
8
102 March 2008 PayPal Certified Developer Program Study Guide
NOTIFYURL=IPNnotificationURL?shared_secret_variable_name=shared_secret_value
where:
z IPNnotificationURL is the notification URL.
z shared_secret_variable_name is any variable name.
z shared_secret_value is the shared secret itself.
The merchant can also specify a shared secret in his Profile, which is used for all transactions.
Specifying a shared secret in the NOTIFYURL variable explicitly overrides the value in the
Profile.
N OTE: The value of the shared secret is not encrypted; it is in clear text for easier processing;
therefore, the shared secret value is recorded in the merchant’s web server’s access
logs. Always practice proper security for server access logs.
HTTPS Postback to PayPal. The second method for validating receipt of an IPN is to post
the exact variables and values received in the IPN back to PayPal.
The guidelines for constructing the IPN HTTPS POST to PayPal for notification validation are
as follows:
1. The POST must be sent to https://www.paypal.com/cgi-bin/webscr
.
2. Include the variable
cmd with the value validate.
3. Post all the form variables exactly as they were received.
PayPal responds to the postback with a single word in the body of the response: VERIFIED or
INVALID.
After receiving a VERIFIED response, perform the following checks before updating a
database. Move on to the next check in the sequence only if the previous one passes.
1. Check that payment_status is COMPLETED.
2. Check txn_id against the previous PayPal transaction, to ensure it is not a duplicate.
3. Make sure receiver_email is an email address registered in the merchant’s PayPal
account.
4. Check that the price (mc_gross) and currency (mc_currency) are correct for the item,
item_name, or item_number.
5. Check that the shared secret is correct.
In the case of an INVALID response, further investigation is necessary; in some cases, the
response is caused by an IPN error, possibly from a change in the IPN format. To determine if
it is an IPN error, first examine the IPN code. For further assistance, go to
http://www.paypal.com/wf
, click Seller Tools, and click Instant Payment Notification.