I'll shorten my question as much as possible.
I would like to know if there is a way for me to avoid to force user to enter his/her credit card number with rest of the CC informations ON MY WEBSITE...???
The PayPal API documentation that I'm currently reading:
https://developer.paypal.com/docs/classic/paypal-payments-pro/integration-guide/recurring-payments/
So basically what it says is:
Include all required credit card information in the CreateRecurringPaymentsProfile request.
And one of the parameters that I would send out from my website are:
1. Card type
2. Card number
3. Card expiration date
4. CVV2
And so on...
This is utterly unacceptable for me because my website doesn't uses the HTTPS protocol and the data traveling from my website to PayPal would be unsafe...
Is their API really this dumb that I can't do a simple recurring payment without sending all this data to them???
Are there any workaround to this ???
Related
I'm working a web application, which is MVC 5 + Angular JS hybrid. There is no authentication in the web app and an anonymous user can come and ask for price for certain services. To get the price the user needs to answer some questions spread across few pages. Here is the flow of app.
User clicks button to get price
A unique URI the request is generated and user is redirect to the questions page
User answers questions and user submits the answers. The questions are spread across multiple pages navigated through angular routing. The answers are saved back to server on page navigation.
Once, the user submits the answers, the system (server) generate the price and display it to user.
Currently, if the user has bookmarked the URI, he can come back after days and continue from where he left. I want to prevent this behaviour.
What are the different options do I have in MVC? I can think of following:
Using HttpCookie with expiration time
Save the last access time in DB and validate if the user has come within a stipulated time frame?
I would like to avoid HttpSession. I'm inclined towards using HttpCookie since it looks to be the simplest option.
If we go with HttpCookie option, are there any side effect that I need to keep in mind?
Are there any other alternative within MVC I can look for?
If You want to expire some link without storage involved and your service need to be scaled I think You just need to add expiration date in your link and sign it.
I believe you can create your URL in a way like this
Pseudocode:
var info = [Payload any info you need to store(questionnaire id or so)] + [expirationDate]
var sign = HMAC256(info + [SERVER_SECRET])
var clientLinkParameter = info + sign
var clientLink = [baseURL] + [delimiter] + Base64(clientLinkParameter)
*HMAC256 - it's just example you can create signature using any algorithm you want
Now you can just check your link for expiration by parsing serialized data in the part before delimiter. You can also check that date was not modified by checking:
HMAC256([partBeforeDelimiter] + [SERVER_SECRET]) and [partAfterDelimiter] for equality. If they match this is the link your server sent (as only your servers know what the [SERVER_SECRET] is) otherwise it was modified by the client.
Now you can store any non secret data in user link allow user to share this link and other great things that you can do with a link without worrying that someone modify our link. Client can deserialize first part as well if its widely known serialization algorithm like JSON.
I think this flow will bring better user experience in case of suddenly closed browser (that will clean cookies in your case) and also sharing link with someone (if you need)
Hope this will help.
I finally, went with session-cookie. I hashed the unique id and saved it in the cookie with salt. I feel this is a reasonable approach for following reasons:
The anonymous user session is going to be short lived. Once, he closes the browser the cookie gets removed.
If the user bookmarks the URI, I look for session-cookie in the Http Request. If the session cookie is not found, I redirect the user to the challenge page.
I have gone for MD5 algorithm for hashing. I understand it is collision prone, but is faster than SHA. Since I do not store sensitive information like password in the cookie, I guess it should be fine.
I'd rather generate a token for a unique user session and store it on the server along with CreatedDate. So URL will have a token query string parameter that will be validated against the date.
It's more secure than relying on cookies
Allows for adding analytics to your site, where you start storing q/a combinations along with generated prices for a given user session. Start collecting data early. :)
I am attempting to create a payment profiles using express checkout with an old NVP .NET (C#) API implementation. The version is 65.1.
After I perform a SetExpressCheckout, I get a successful response. The user is sent back to my test site, and I attempt to CreateRecurrentPaymentProfile. I pass in the url-decoded token, set the billing agreement description the same as the first step, and fire off the request. I always get an "The token is invalid" error. I've gone through and made sure I included all the required information from this page: https://developer.paypal.com/docs/classic/api/merchant/CreateRecurringPaymentsProfile_API_Operation_NVP/.
I also know that we are set up to allow for recurring payments because the recurring charges over direct payments currently works.
I know that everybody and their dog has had this issue when working with PayPal's NVP API at one point or another, but of the umpteen internet threads and discussions, none of them have helped. Any suggestions?
You should be using the same token returned in the response to your SetExpressCheckout. The token is good for 3 hours once it is returned so it isn't expired. Perhaps the token is corrupted somehow, with an extra character, or perhaps a character was omitted. The token should look similar to this: EC-5UG654898R029060W.
To reiterate: You get a valid token from the SetEC, you use this token in the redirect, you get this token back appended to the RETURNURL the customer returns to, and you reference this token in any subsequent GetEC and DoEC, CreateRP calls.
I am making a website where we are going to host events and would like a user "USER A" to be able to start an event - enter their paypal account info and set a price. Then other users can register for their event and pay USER A directly, with out us having to process their credit card. We would like users that do not have paypal accounts to be able to pay with a credit card.
It looks like Paypal's Adaptive Payment is the best API for us to use to accomplish this. I have it working in the sandbox environment. My problem is this - a user clicks to register for USER A's event , then they enter all their info (name, address, company, ect.) we need to keep this info in our Database so this needs to be done first. Then they will click on a button that says "Pay with Paypal". This creates a paykey and redirects the user to the Paypal login page where the user has 2 options (a. login paypal or b. enter personal info again and credit card information)
I want to know how I can accomplish having all the fields already filled out in the Paypal page , so the user does not have to enter all of their information again. They will be able to delete data in the text boxes if the billing address happens to be different. But all websites I have ever seen to not make the user enter this information twice if they are identical. Now I know this is possible because I have seen other sites do it. I have looked into SetPaymentOptions API , but it is not very clear how that works , and I need user information to be passed even if they are not known to Paypal already.
I tried adding values as suggested in Paypal tutorials like this
<INPUT TYPE="hidden" NAME="first_name" VALUE="John">
<INPUT TYPE="hidden" NAME="last_name" VALUE="Doe">
<INPUT TYPE="hidden" NAME="address1" VALUE="9 Elm Street">
but that didn't work, Here is the raw data from Fiddler from the request :
POST https://svcs.sandbox.paypal.com/AdaptivePayments/Pay HTTP/1.1
Content-Type: text/xml;charset=utf-8
X-PAYPAL-SECURITY-USERID: scotts_XXXXXXXXX_biz_api1.live.com
X-PAYPAL-SECURITY-PASSWORD: 1344XXXXX
X-PAYPAL-SECURITY-SIGNATURE: AOLbPDojAEUdeQJ3wXagJXkxYeJDARg4IXXXXXXXXXXXXXXXXXXX
X-PAYPAL-SERVICE-VERSION: 1.1.0
X-PAYPAL-APPLICATION-ID: APP-80W2844XXXXXXXXX
X-PAYPAL-REQUEST-DATA-FORMAT: XML
X-PAYPAL-RESPONSE-DATA-FORMAT: XML
Host: svcs.sandbox.paypal.com
Content-Length: 810
Expect: 100-continue
Connection: Keep-Alive
I think for you the problem is not really the login to paypal in a popup, but the paypal registration process to be able to pay with the credit card. There is an api call in the adaptive payment api that allow you to process a registration on the behalf of a user.
You can directly prefil paypal informations on a page using your own design. On submit you create a paypal account using adaptive payment api, and the last step of this process will need you to open a paypal popup which will ask the user to complete his registration by adding a password and credit card information.
After this point you will find back the same payment behavior you have using the simple paypal login.
Please note to even more integrate all your website through paypal you can add preapproval, then the user will only see the paypal website once: when he will accept the preapproval (two steps in a light paypal popup: login > accept).
When the user checkout the first time:
Select between Create an account (using the way I explained above) or Pay with paypal
Create a preapproval key (see the doc on the api, you don't need to know the user paypal login), as returnUrl, specify a url with the local user_id
Open a paypal popup client side using the url returned by the previous step. The user will need to login with his paypal account and then accept the characteristics of your preapproval (limit in time, limit in money)
Paypal will redirect to the returnUrl of step2, it can be a page when you just say "This window will close automaticaly" with a js to close the page
You can now use the preapproval key to make payments on the behalf of the user
When the user checkout after the first time:
Ask for a confirmation "$XX will be taken on your linked paypal
account"
Pay using the preapproval key, and it's done!
Hope it will help!
Offical Response from PayPal:
" Adaptive Payments does not have any feature in the documents which does this. I apologize for the inconvenience this might cause."
I will leave this question open though in case someone has a better route for me to go to accomplish what I have explained in the question.
EDIT:
Incase someone else comes across this , it is offically 100% not possible - I ended up using Express Payment API , using this it is very easy to pass user parameters.
Dont use Adaptive Payment API
Adaptive payments was discontinued as of 01/12/2017 and PayPal Marketplace is the equivalent to adaptive payments.
You can learn more about the Marketplaces product on the PayPal Developer Portal: https://developer.paypal.com/docs/marketplaces/pp4mp/?mark=marketplaces
hello I think following link will help to you
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_APIntro
I am trying to integrate paypal gateway in my aspx page having shopping cart. I succeed to commit transaction using express checkout method generated by paypal integration wizard but what I am being unable to do is sending product quantity and details to paypal page.
And how can I redirect to my own review page where shipping and billing address is present after log in into the paypal?
how can i redirect to my own review page where shipping and billing address
First you need to send a unique number id for the order that is connected to your database with the information that you like to show after the purchase.
Then you send the "return" parametre with the full url with the unique id of your order that your customer will return and you need to show the final informations.
eg:
<input type="hidden" name="return" value="https://www.urls.con/orderinfos.aspx?TID=112999182">
of cource for better protection is good to encode some how your order id. All of that exist on the paypal sdk manual.
Also return url are the "notify_url" to be notify even if the user not return, and "cancel_return" in case of cancel the payment
You can also search for PDT for the return, and IPN for the notify for more advanced information.
My team working in a shopping cart project
We have integrated First data payment Gateway
Now we want to verify the master card and visa
I need to authenticate the master card SecureCode based on the link given below
http://www.mastercard.com/us/personal/en/cardholderservices/securecode/how_it_works.html
Please provide any api or necessary information for doing the same
To validate a credit card is legitimate:
Verify it against the Luhn Algorithm. (Will only validate the card number is in a valid format)
Verify the card number against known Issuer Identification Numbers
Perform an Authorization Only (aka AUTH ONLY) for $0.00 (or $0.01 if your processor does not support zero auths). This is the only guaranteed way to verify a credit card exists.
Hum, imho you need a payment provider to use credit card payment anyway - they'll give you a kind of api to check the data against.
To at least validate the code is valid you can give this a try:
http://www.notesbit.com/index.php/web-mysql/web-scripts/luhn-algorithm-in-c/
http://www.mobilefish.com/services/credit_card_number_generator/credit_card_number_generator.php
Check previous link it contains good description for luhn alog and have credit card generator