2004
Instant Payment Notification Manual
Copyright 2004 PayPal, Inc. All rights reserved
Step 3: At the time the payment is made, PayPal will post a notification to your server
at the URL you specified. All of your customer’s payment information and a piece of
encrypted code will be included in this notification.
Step 4: On receiving the notification, your server will send the information, including
the encrypted code, back to a secure PayPal URL. PayPal will authenticate the
transaction by checking the encrypted string. This post-back of the IPN data to PayPal
prevents “spoofing,” so you can be sure the IPN came from PayPal. Upon verification,
PayPal will send your server a “VERIFIED” or “INVALID” response.
Step 5: When you receive a VERIFIED response, you need to perform several checks
before fulfilling the order.
Note: An INVALID response should be treated as suspicious, and should be
investigated.
• Confirm that the payment status is Completed, since IPNs are also sent for
status types such as Pending or Failed.
• Check that the transaction ID is not a duplicate — this prevents a fraudster
from using an old, completed transaction.
• Validate that the receiver_email is truly your account — this prevents the
payment from being sent to a fraudster’s account.
• Check other transaction details, such as item number and price, to confirm that
the price hasn’t been changed.