PayPal Certified Developer Program - 2008 Study Guide
Contents
1. a 54 Technical DetailS a sass aa odiar ee eo EA ee pk de a Be be a S 54 Request Response Model a a a a 54 Request Format css sk e ieu dh a a we a ee 56 Response Format 57 Posting Using HTTPS aa aaa 000002 ee ee 58 Review Questions a 58 Chapter 6 Express Checkout 0 24 259 How Express Checkout Works a a 59 Express Checkout API Reference Information 00084 61 SetExpressCheckout Request 000000 eee eee 62 SetExpressCheckout Response e 65 GetExpressCheckoutDetails Request 0 e 2 o o o o 66 GetExpressCheckoutDetails Response e o 66 DoExpressCheckoutPayment Request o e 68 DoExpressCheckoutPayment Response 0 0000 eee eee 71 March 2008 PayPal Certified Developer Program Study Guide Contents ional Button and Logo Placement and Use 20 00200222 73 PayPal Button as a Checkout Choice aoao a a 74 PayPal ButtonasaPaymentMethod 000000004 74 Using PayPal Hosted Images 000 a 75 TIDS e a pe aca ae e wa Ea Swe A e A a a ar Sa a a AR ee 75 Redirecting to PayPal eos u s aa acia e o 75 Recommendation for Browser Redirection o 75 Order Review Page Setup a ee 76 Authorization amp Capture 2 2 76 Review Questions ee2. 00000 ee ee 125 Testing Express CheckQUt e 126 Testing Error Conditions 000 ee 129 APITESINO so a cos idad dd a a eh Ee 130 Testing Using AVS Codes a 134 Testing Using CVV COdes 0 138 Testing Recurring Payments e 140 Review Questions s an a a a ang a a eek Pa a ae eb 141 Appendix A Answers to Review Questions 143 Chapter To ia ahs eee oe I ee ee re A a ES AS RE 143 Chapter 2 oa eds a Yok el oa ae ee Ga eee ee Pee ee a 146 Chapter Siac mat sae a ee ea Ee ae a es RD ae ee 150 6 March 2008 PayPal Certified Developer Program Study Guide Contents Chapter 4 a s i me Bae a hie ce eae eh ee ee ee st Mee ee ee e 151 Chapter 5 ecc sir Pee eee eae AR wee a RE EPR a 151 Chapter62 o e aoi aia bk es be oe Oe ee a a oe we Le es 151 AAA 151 Chapter 9 lt a aoda a a aa a A POE A OGRE a Roe ad 152 Appendix B General Reference Information 153 ShippingAddress Parameter 00 ee ee 153 PayPal Supported Transactional Currencies o e o 154 AVS Response Codes 2 1 a a a a a 155 CVV2 Response Codes oa qa airaa d dong a daa i ay a e aa E a d a a 156 Gl ssary 5 3 a Sa dre ia AA A aa e O INdeX 2 ee ee o a A ee ba a ee ee a a 19 PayPal Certified Developer Program Study Guide March 2008 7 fon Contents 8 March 2008 PayPal Certified Developer Program Study Guide Table 1 1 Table 2 1
3. COMPLETETYPE The value Complete indicates this is the last capture to make Yes The value NotComplete indicates there will be additional captures NOTE If Complete any remaining amount of the original authorized transaction is automatically voided and all remaining open authorizations are voided Character length and limits 12 single byte alphanumeric characters INVNUM The invoice number or other identification number that is displayed to the No merchant and customer in the customer s transaction history NoTE This value in DoCaptureRequest will overwrite a value previously set on DoAuthorizationRequest NoTE The value is recorded only if the authorization being captured is an order authorization not a basic authorization Character length and limits 127 single byte alphanumeric characters NOTE An informational note about this settlement that is displayed to the No customer in email and in the customer s transactional history Character length and limits 255 single byte characters DoCapture Response A DoCapture response contains the results of a capture of authorized funds TABLE 8 2 DoCapture Response Fields Field Description AUTHORIZATIONID The authorization identification number specified in the request Character length and limits 19 single byte characters maximum TRANSACTIONID Unique transaction ID of the payment Character length and limitations 17 single byte characteris
4. DE US PTOCOUNTRYCOD US PTOCOUNTRYNAM I a I asa amp SHIPTOSTATE CA I I IPTOZIP 94666 El El amp ADDRESSID EMATL YourSandboxBuyerAccountEmail PAYERID 7AKUSARZ7SAT8 amp PAYERSTATUS verified amp amp UnitedS20States amp ADDRESSSTATUS Confirmed 6 Invoke a form on your site that calls the DoExpressCheckoutPayment API on the Sandbox lt form method post action https api 3t sandbox paypal com nvp gt lt inpu lt inpu lt inpu lt inpu lt inpu lt inpu lt inpu lt inpu lt inpu lt form gt trctareare ace a E a E E 128 type hidden type hidden name USER value API_username gt type hidden name PWD value API_password gt type hidden name SIGNATURE value API_signature gt type hidden name VERSION value 3 3 gt type hidden name PAYMENTACTION value Authorization gt type hidden name PAYERID value 7AKUSARZ7SAT8 gt type hidden name TOKEN value EC 2d1NK66318YB717835M gt name AMT value 19 95 gt type submit name METHOD value DoExpressCheckoutPayment gt March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Testing Error Conditions 7 If the operation was successful the response should include ACK set to Success as follows TIMESTAMP 2007 2d04 2d05T23 3a30 3a16Z amp CORRELATIONID 333 b808bb23 amp ACK Success amp VERS ION 3 3e300000 amp
5. True or false Initiating a reauthorization after day 4 of the authorization period extends the entire authorization period by three days from 29 days to 32 days Ina RefundTransaction request if RI PayPal Certified Developer Program Study Guide March 20 EFUNDTYP Is SSL required for encrypting IPN transmissions 08 E is Full what should AMT be set to True or false Merchants can search for transactions that involve only mass payments What is the difference between a complaint and a chargeback 103 az Transactions Review Questions 104 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing In this chapter you will learn e How to set up test users in the Sandbox e How to test various aspects of an integrated e commerce application in the Sandbox e How to migrate the application to use the live PayPal server Overview The PayPal Sandbox is a self contained environment within which you can prototype and test PayPal features and APIs without using real money or impacting your production system s PayPal accounts The PayPal Sandbox is an almost identical copy of the live PayPal website Its purpose is to give developers a shielded environment for testing and integration purposes to help avoid problems that might occur while testing PayPal integration solutions on the live site Before moving any PayPal based application into production test the application in the Sa
6. ENDDATE EMAIL RECEIPTID TRANSACTIONID Description Required Name of API call TransactionSearch Yes The earliest transaction date at which to start the search Yes No wildcards are allowed The value must be in UTC GMT format The latest transaction date to be included in the search No Search by the customer s email address No Character length and limitations 127 single byte alphanumeric characters Search by the receiver s email address If the merchant account has No only one email this is the primary email This also can be a nonprimary email Search by the PayPal Account Optional receipt ID No Search by the Transaction ID No The returned results are from the merchant s transaction records Character length and limitations 19 single byte characters maximum PayPal Certified Developer Program Study Guide March 2008 95 Transactions Transaction Searches TABLE 8 9 TransactionSearch Request Parameters Continued Parameter Description Required INVNUM Search by the invoice identification key as set for the original No transaction This field searches the records for items sold by the merchant not for items purchased No wildcards are allowed Character length and limitations 127 single byte characters maximum ACCT Search by credit card number as set for the original transaction This No field searches the records for items sold by the merchant
7. Japanese Yen USD US Dollar ITEMAMT Sum of the cost of all items in this order No Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma 6 ITEMAMT is required if L_AMTn is specified SHIPPINGAMT Total shipping costs for this order No Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma If a value for SHIPPINGAMT is specified there also must be a value for ITEMAMT HANDLINGAMT Total handling costs for this order No Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma 6 If a value for HANDLINGAMT is specified there also must be a value for ITEMAMT TAXAMT Sum of the tax for all items in this order No Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma TAXAMT is required if L_TAXAMTn is specified DESC Description of items the customer is purchasing No Character length and limitations 127 single byte a
8. API Credentials on page 47 API Parameters The request body must contain the name of the API method in the METHOD parameter In addition each method has required and optional parameters METHOD methodName amp requiredAndOptionalParameters All API methods and their parameters are detailed in PayPal Name Value Pair API Developer Guide and Reference March 2008 PayPal Certified Developer Program Study Guide Name Value Pair NVP API ET Technical Details Response Format A response from the PayPal servers is a URL encoded name value pair string just like the request The general format of the response is described in Table 5 3 TABLE 5 3 General Format of a Successful Response Success response ACK Success amp TIMESTAMP date timeOfResponse amp CORRELATIONID fields debuggingTokens amp VERSION 3 3 amp BUILD buildNumber NOTE In the examples in this and other PayPal documents the successful response header fields sometimes appear like this successResponseFields API response fields amp NAME1 valuel amp NAME2 value2 Each response includes the ACK field If the ACK field s value is Success or SuccessWithWarning the application should process the API response fields In a successful response the application can ignore all fields up to and including BUTLD the important fields begin after BUILD The possible successful response fields for each method are detaile
9. Maintain an Information Security Policy 12 Maintain a policy that addresses information security The compliance level of each merchant is the responsibility of the merchant s acquiring bank a bank that provides credit card merchant accounts and is responsible for submitting credit card purchase information to the credit card associations The four merchant levels are based on annual credit card transaction volume TABLE 2 3 Merchant Levels for PCI Compliance Level Description Level 1 Any merchant regardless of acceptance channel processing over 6 million credit card transactions per year Any merchant that has suffered a hack or an attack that resulted in an account data compromise Any merchant identified by any card association as Level 1 Level 2 Any merchant processing 150 000 to 6 million e commerce transactions per year Level 3 Any merchant processing 20 000 to 150 000 e commerce transactions per year 32 March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention EN Disclosure and Compliance TABLE 2 3 Merchant Levels for PCI Compliance Level Description Level 4 Any merchant processing fewer than 20 000 e commerce transactions per year and all other merchants processing up to 6 000 000 credit card transactions per year In addition to adhering to the PCI Data Security Standard compliance validation is required for Level 1 Level 2 and Level 3 merchant
10. Take control find suspicious transactions with transaction review module resolve chargebacks using audit trails and tune filters to your business needs Unusual Order Filters X X Catch common fraud warnings like high dollar amounts high quantities and shipping billing address mismatch High Risk Payment Filters X X Catch suspicious transactions like rapid repeat buying from an internet address PayPal Certified Developer Program Study Guide March 2008 35 36 Internet Security and Fraud Prevention PayPal Fraud Protection Services TABLE 2 6 Comparison of Fraud Protection Services Basic Features Protection High Risk Address Filters X Check for suspect zip codes and freight forwarders plus IP address Automatic Rejection Lists Help protect you business from known offenders Automatic Acceptance Lists Keep good customers buying by automatically accepting their payments High Risk International Filters Identify risky international payments Additional Risk Filters Get more tools to catch warning signs like rapid card use risky banks and tighter address validations Custom Filter Wizard Customize new rules that match your specific business needs Operations Security X Identify vulnerabilities and list fixes with a security audit from Qualys Advanced Protection X X PayPal Fraud Protection Services Upgrade Options Account Monitoring The Account Monitoring service uses trained security pro
11. 6 Assign a unique ID to each person with computer Implement Strong Access Control access Measures 7 Use and regularly update antivirus software 8 Do not use vendor supplied defaults for system passwords and other security parameters 9 Track and monitor all access to network resources Maintain an Information Security and cardholder data Policy 10 Maintain a policy that addresses information security 11 Install and maintain a firewall configuration to protect data 12 Restrict access to data by business need to know Regularly Monitor and Test Networks 9 Define the following standard antifraud features included with each PayPal Payflow Gateway solution Card security code Address verification system AVS March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention Review Questions 10 Indicate if each statement is True T or False F PayPal s Basic Fraud Protection Service is the ideal solution for merchants who process low transaction volumes through a Payflow payment gateway while the Advanced Fraud Protection Service is essential for businesses processing medium to high transaction volumes Both the Basic Fraud Protection Service and the Advanced Fraud Protection Service catch common fraud warnings like high dollar amounts high quantities and shipping billing address mismatch To support automatic rejection lists and automatic a
12. Character length for Visa MasterCard and Discover Three digits Character length for American Express Four digits IMPORTANT To comply with credit card processing regulations once a transaction has been completed the application must not store the value of CVV2 Email address of payer No Character length and limit 127 single byte characters Second street address No Character length and limit 127 single byte characters Phone number No Character length and limit 20 single byte characters An optional shipping address as described in ShippingAddress No Parameter on page 153 ShippingAddress is optional but if it is included certain fields are required DoDirectPayment Response A DoDirectPayment response comes from the PayPal server after a request to charge a credit card or authorize a credit card for later capture TABLE 7 2 DoDirectPayment Response Fields Field AVSCODE CVV2MATCH TRANSACTIONID Description The amount of the payment as specified in the DoDirectPayment request Address Verification System response code Character limit One single byte alphanumeric character Result of the CVV2 check by PayPal Unique transaction ID of the payment NOTE If the PAYMENTACTION of the request was Authorization the value of TRANSACTIONID is the AuthorizationID for use with the Authorization amp Capture APIs Character length and limitation 19 single byte chara
13. B bank account adding 115 for Canadian test accounts 116 PayPal Certified Developer Program Study Guide for German test accounts 116 for UK test accounts 116 Bank Account Number 116 Basic Fraud Protection Service 34 billing a customer 124 BSB Number 116 Business account 114 business description 30 Buy Now 118 Buyer Authentication 34 C Canadian bank account info 116 card security code 34 cases 103 cash theft 25 chargebacks 26 103 chargebacks reduction 29 consumer identity theft 25 contact information 31 credit card associations 12 credit card validation testing 138 customer 12 customer issuing bank 12 D Direct Marketing Association DMA 33 Direct Payment 79 and Authorization amp Capture 76 85 DoDirectPayment API request 80 response 84 workflow 79 disclosure and compliance resources 33 disclosure policy 30 disputes 103 DoCapture request 88 response 89 March 2008 159 DoDirectPayment request 80 response 84 DoExpressCheckoutPayment request 68 response 71 DoReauthorization request 92 response 92 DoVoid request 91 response 92 E eCheck 123 email live payment notification 99 email in Sandbox 111 Email Payments 17 errors testing 129 Express Checkout 44 59 and Authorization amp Capture 76 85 87 button placement 73 DoExpressCheckoutPayment API request 68 response 71 GetExpressCheckoutDetails API request 66 response 66 SetExpressCheckout API and updating shipping ad
14. PAGESTYLE Sets the Custom Payment Page Style for payment pages associated with No this button link This value corresponds to the HTML variable page style for customizing payment pages The value is the same as the Page Style Name chosen when adding or editing the page style from the Profile subtab of the My Account tab of the PayPal account Character length and limitations 30 single byte alphabetic characters HDRIMG A URL for the image to appear at the top left of the payment page The No image has a maximum size of 750 pixels wide by 90 pixels high PayPal recommends that the image be stored on a secure HTTPS server Character length and limit 127 single byte alphanumeric characters 64 March 2008 PayPal Certified Developer Program Study Guide Express Checkout 6e Express Checkout API Reference Information TABLE 6 2 SetExpressCheckout Request Parameters Continued Parameter Description Required HDRBORDERCOLOR Sets the border color around the header of the payment page The border No is a 2 pixel perimeter around the header space which is 750 pixels wide by 90 pixels high Character length and limitations 6 character HTML hexadecimal color code in ASCII HDRBACKCOLOR Sets the background color for the header of the payment page No Character length and limitations 6 character HTML hexadecimal color code in ASCII PAYFLOWCOLOR Sets the background color for the payment page No Character length and limitatio
15. PayPal Certified Developer Program Study Guide March 2008 19 foe Online Payment Processing Review Questions 6 Match each PayPal solution to the service it offers Response PayPal Product Service Description Website Payments Pro 1 Lets you send customers email invoices that they can pay on PayPal This simple solution does not require you to have a shopping cart or an internet merchant account Website Payments Standard 2 A gateway that provides a secure connection between your online store and your internet merchant account Scalable and fully customizable this solution is recommended for merchants who require peak site performance and direct control over payment functionality on their site Merchants using this service can enhance the customer experience by allowing shoppers to complete the checkout process without ever leaving your site Payflow Pro 3 Allows merchants to put the PayPal logo on their own website to accept PayPal as an alternative payment source in addition to credit cards such as MasterCard or Visa Payflow Link 4 Anall in one payment solution that allows customers to shop and pay on your site You can accept credit cards directly on your site and get the features of a merchant account and gateway through a single provider at a lower cost PayPal Email Payments A gateway that provides a secure connection between your online store and your internet merchant account This service is designed for m
16. decimal separator must be a period and the optional thousands separator must be a comma Total handling costs for this order NOTE Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma Required No PayPal Certified Developer Program Study Guide March 2008 69 70 Express Checkout Express Checkout API Reference Information TABLE 6 6 DoExpressCheckoutPayment Request Parameters Continued Parameter Description Required TAXAMT Sum of tax for all items in this order No NOTE Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma NOTE TAXAMT is required if a value is specified for L_TAXAMTn CURRENCYCODE A three character currency code for one of the PayPal No supported transactional currencies Default value USD L NAMEN Item name No These parameters should be ordered sequentially beginning with 0 for example L_NAMEO L_NAME1 and so forth Character length and limitations 127 single byte characters L_NUMBERN Ttem number No These parameters should be ordered sequentially beginning with 0 for example L NUMBERO L_NUMBER1 and so forth Character length and li
17. merchants reject an estimated 5 of all transactions out of suspicion of fraud while only 2 of transactions are actually fraudulent The result is a significant amount of lost sales up to 3 of sales volume in an attempt to reduce fraud risk March 2008 PayPal Certified Developer Program Study Guide Response 7 PayPal Certified Developer Program Study Guide Consumer identity theft Merchant identify theft Accessing payment networks Chargebacks Risk Category Merchants with vulnerable security defenses High visibility merchants High ticket goods that are easily resold Goods that can be downloaded from the internet International customer base Heavy proportion of fourth quarter sales Special promotions Answers to Review Questions Chapter 2 List the four most common fraud related risks facing online merchants Match each participant in the payment processing network to the role they perform Potential Risk Description 1 Fraud attempts are higher for merchants who advertise heavily or are in the news because criminals know that merchants who experience high transaction volumes have less time to defend against fraud It is difficult to validate the address or identity of foreign buyers and it is more difficult to investigate and prosecute fraudulent activity from an overseas source These items including luxury goods computers and other electronic equipment are most attractiv
18. server The pages on the left represent your site Legend gt Web Flow API Call O Token 1 Request a PayPal sy SetExpressCheckout 2 4 Response Token O 3 PayPal Login L HTTP Redirect gt Confirm Details 4 HTTP Redirect RetumURL Token EEE Continue 2 5 Request Token gt GetExpressCheckoutDetails Confirm Order PayPal Sandbox Pay Response Customer Details 6 Request Final Transaction Details O gt Thank DoExpressCheckoutPayment PayPal You Sandbox 7 4 Response Transaction Results _ _____ Success Failure Norte For information about Express Checkout see Express Checkout Integration Guide and PayPal NVP API Developer Guide and Reference The following steps match the circled numbers in the diagram To test Express Checkout perform the actions in each step 1 Invoke a form on your site that calls the SetExpressCheckout API on the Sandbox To invoke the API set form fields whose names match the NVP names of the fields you want to set specify their corresponding values then post the form to https api 3t sandbox paypal com nvp as shown below lt form method post action https api 3t sandbox paypal com nvp gt lt input type hidden name USER value API usemame gt lt input type hidden name PWD value API_password gt lt input type hidden name SIGNATUR
19. 19 single byte characters DoReauthorization Request Use a DoReauthorization request to request a reauthorization for a given amount of money TABLE 8 5 DoReauthorization Request Parameters Parameter Description Required METHOD Name of API DoReauthorization Yes AUTHORIZATIONID The value of a previously authorized transaction identification number Yes returned by PayPal Character length and limits 19 single byte characters maximum Amount to authorize Yes Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma CURR ENCYCODE A three character currency code for one of the PayPal supported No transactional currencies Default value USD DoReauthorization Response A DoReauthorization response contains the results of the reauthorization TABLE 8 6 DoReauthorization Response Fields Field Description AUTHORIZATIONID A new authorization identification number Character length and limits 19 single byte characters 92 March 2008 PayPal Certified Developer Program Study Guide Transactions Refunds Authorization amp Capture Best Practices The following sections describe the best practices to follow in using Authorization amp Capture to ensure the best buying experience for customers and get the most benefit from Authoriz
20. 29 30 Internet Security and Fraud Prevention Disclosure and Compliance Disclosure and Compliance Disclosure Policy Your disclosure policy tells your customers that you re honest and dependable and that you care about them and protecting their information It shows your customers that you believe in transparency and accountability It provides a framework and standards for your business policies how you deal with your customer information and how you communicate with your customers Your disclosure policy typically includes five things a business description privacy policy shipping policy return policy and contact information The more your customers know about you the more comfortable they 1l be giving you their business So be honest open direct and precise Here are more details about the five areas you should cover 1 Business description Write a clear description of what your company does including what products and services it provides Post it in a prominent place on your website often the About Us section 2 Privacy policy Your privacy policy should clearly state how you treat and protect your customers information It s essential that your policy is easy to find on your website usually linked from your homepage Typical elements of a privacy policy include What personally identifiable customer information you collect How the information is used With whom you share and do not share this info
21. Aligned vertically or horizontally with your own buttons PayPal Button as a Payment Method The following figure shows PayPal as a payment method Payment Method PayPal Save time Checkout securely Pay without sharing your financial information O ll fi Display PayPal as the default payment option selected next to the other payment options at the end of checkout When displaying PayPal with other payment options PayPal highly recommends that you use radio buttons If your website cannot accommodate radio buttons you may use horizontal fields or an entry in a drop down list March 2008 PayPal Certified Developer Program Study Guide Express Checkout CAEN Redirecting to PayPal Using PayPal Hosted Images PayPal requires that you use Express Checkout button images hosted on PayPal s secure servers rather than hosting copies of these images on your own servers Also using the buttons on the PayPal servers eliminates the need for you to maintain them yourself If the buttons are updated the new buttons appear automatically in your application Using out of date PayPal buttons could reduce customer confidence in your PayPal deployment When you get the HTML code at https www paypal com express checkout buttons it will work only with PayPal hosted buttons Tips e Create checkout pages that are uncluttered and free from visual distractions e Keep the checkout flow to as few a number of pages as possible e Be su
22. BUILD 1 2e0006 amp TOKEN EC 2d1NK66318YB717835M amp TRANSACTIONID 043144440L4877427 amp TRANSACTIONTY PE expresscheckout amp PAYMENTTYPE instant amp ORDERTIME 2007 2d04 2d05T23 3a30 3a14Z amp AMT 19 2e95 amp CURRENCY CODE USD amp TAXAMT 032e00 amp PAYMENTSTATUS Pending amp PENDINGREASON authorization amp REASONCODE None Testing Error Conditions In default operation the Sandbox mimics the live PayPal site as closely as possible which means an error can be replicated only by creating the exact conditions and sequence of events to raise an error This positive test environment is well suited for testing logic that follows the typical error free path however it can be difficult to raise error conditions and test logic to handle errors The Sandbox can be set to allow negative testing which enables you to simulate an error You can test against the following kinds of errors e Errors that result from calling a PayPal API e Address verification and credit card validation errors that occur when using Virtual Terminal or calling DoDirectPayment IMPORTANT Negative testing is available only for PayPal APIs Version 2 4 and later To raise an error condition you set a value in a field passed to an API or a value in a field submitted to Virtual Terminal The value triggers a specific error condition Negative testing is available only in the Sandbox you cannot
23. PayPal Certified Developer Program Study Guide Online Payment Processing PayPal s Payment Processing Solutions your site and get the features of a merchant account and gateway through a single provider at a lower cost Website Payments Pro allows you to control your checkout from start to finish For more information on Website Payments Pro go to https www paypal com cgi bin webscr cmd wp pro overview outside Website Payments Standard Website Payments Standard lets customers shop on your website and pay on PayPal It offers a pay peruse model with no set up or monthly fees Like Website Payments Pro it includes shipping and tax calculators reporting tools to measure your business and support for international currencies For more information on Website Payments Standard go to https www paypal com cgi bin webscr cmd wp standard overview outside 2 Do you have your own internet merchant account or business bank account that allows you to process credit cards online If you do consider PayPal Payflow Gateway products A gateway provides a secure connection between your online store and your internet merchant account Payflow Pro Scalable and fully customizable the Payflow Pro solution is recommended for merchants who require peak site performance and direct control over payment functionality on their site Merchants using this service can enhance the customer experience by allowing shoppers to
24. Quickly set up filters that you can customize to fit your business needs e Online reports Easily review and then accept or reject online orders e Monitoring Standard reports let you check on filter and their effects Advanced Fraud Protection Service Advanced Fraud Protection Service is essential for businesses processing medium to high transaction volumes handling international customers or selling high risk merchandise through a Payflow payment gateway It is a flexible security solution that helps your business e Avoid losses Special tools flag unusual orders questionable addresses high risk payments and international orders e Lower costs Spend less money on fraud management by automating order reviews and tailoring the system to meet your needs Advanced Fraud Protection Service works by using e Enhanced filters Supplement the basic filters with ones specially suited for your high risk needs e Online reports Easily accept or reject online orders with the added security benefit of audit reports e Watch lists Create custom lists based on products or other criteria e Trusted transaction lists Establish lists that accept or deny transactions based on bad emails or credit cards e Full testing Test your system before going live to determine its effect on your business and customers TABLE 2 6 Comparison of Fraud Protection Services Basic Advanced Features Protection Protection PayPal Fraud Manager X X
25. Risk Description Fraud attempts are higher for merchants who advertise heavily or are in the news because criminals know that merchants who experience high transaction volumes have less time to defend against fraud It is difficult to validate the address or identity of foreign buyers and it is more difficult to investigate and prosecute fraudulent activity from an overseas source These items including luxury goods computers and other electronic equipment are most attractive to criminals Criminals know that you have limited time for fraud protection when sales volumes are high That s why internet fraud triples in the fourth quarter Criminals watch for special offers They know that you have limited time for fraud protection measures when sales volumes are high The purchase of these goods doesn t require physical address information making it easier for criminals to disguise a fraudulent transaction Criminals take advantage of sophisticated spidering techniques to identify merchants with network vulnerabilities and can then break into your network to steal account access information for hijacking or merchant takeovers 4 List two actions you can take to ensure that each transaction your website accepts and processes is valid March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention EN Review Questions 5 Fill in the blanks to c
26. Table 2 2 Table 2 3 Table 2 4 Table 2 5 Table 2 6 Table 4 1 Table 5 1 Table 5 2 Table 5 3 Table 5 4 Table 5 5 Table 6 1 Table 6 2 Table 6 3 Table 6 4 Table 6 5 Table 6 6 Table 6 7 Table 7 1 Table 7 2 Table 8 1 Table 8 2 Table 8 3 Table 8 4 Table 8 5 Table 8 6 Table 8 7 Table 8 8 Table 8 9 List of Tables PayPal Payment Processing Solutions 17 High Fraud Risk Quick Reference 26 PCI Data Security Standard 2200 4 32 Merchant Levels for PCI Compliance 32 PCI Compliance Validation Requirements 33 Fraud Protection Services Purchase Options 34 Comparison of Fraud Protection Services 0 4 35 Required Security Parameters 2 50 URL Encoding Methods 0 e o 55 General Format of a Request 2 e 2 56 General Format of a Successful Response 57 ACK Parameter Values o eo eee ee eee 57 Format of an Error Response e 57 Express Checkout Flow of Control and Integration Points 60 SetExpressCheckout Request Parameters 62 SetExpressCheckout Response Fields 65 GetExpressCheckoutDetails Request Parameters 66 GetExpressCheckoutDetails Response Fields 66 DoExpressCheckoutPayment Request Parameters 68 DoExpressC
27. can simulate the actions of a buyer by manually initiating the payment of funds You must use a Personal test account to represent the buyer To send funds from one test account to another follow these steps 1 Log in to https developer paypal com click the Test Accounts tab select a test account and click Enter Sandbox Test Site 2 Navigate to the Send Money tab 3 On the Send Money page enter the email address PayPal account name for the test account in Recipient s Email box 4 Inthe Amount box enter the amount to send to the seller s test account PayPal Certified Developer Program Study Guide March 2008 123 124 Sandbox Testing Testing PayPal Website Features 5 In the Currency drop down list select the currency for the funds Note Auction is not an option in the drop down list 6 In the Type drop down list select the reason for sending the funds 7 Enter text in the Subject box if desired This text is the subject of the email sent to the recipient about the transfer of funds 8 Enter text in the Note memo box This text appears in the body of the notification email 9 Click Continue This does not send the money a confirmation step follows 10 On the Check Payment Details page review the transaction details for correctness You can click More Funding Options to change the source of fund used for payment 11 Click Send Money This triggers the actual transfer of funds 12 Your Test Em
28. cards are active and have sufficient available credit limits e Settlements Processing authorized transactions to settle funds into a merchant s account e Payment processing service A service that connects merchants customers and banks involved in online transactions A third party such as PayPal with its secure payment gateway usually offers this service How Online Payment Processing Works Online payment processing consists of two principal steps authorization and settlement Authorization verifies that the card is active and the customer has sufficient credit to make the transaction Settlement is the process of charging the customer s card account and transferring money from the customer s account to the merchant s account Payment Processing Authorization During authorization a bank verifies that holders of a payment instrument like a credit card have sufficient credit or funds to make a purchase The payment authorization process engages multiple institutions and services to verify that sufficient credit is available to complete the transaction as follows 1 Customer decides to purchase online and inputs credit card information 12 March 2008 PayPal Certified Developer Program Study Guide Online Payment Processing What to Look for in an Online Payment Processing Solution 2 Merchant s website receives customer information and sends it to payment processing service Processing service routes information
29. computer with an internet connection For more information on PayPal Virtual Terminal go to https www paypal com cgi bin webscr cmd vt _hub outside PayPal Certified Developer Program Study Guide March 2008 15 Online Payment Processing PayPal s Payment Processing Solutions PayPal as an Additional Payment Option This option allows merchants to put the PayPal logo on their own website to accept PayPal as an alternative payment source in addition to credit cards such as MasterCard or Visa For more information on PayPal as an Additional Payment Option go to https www paypal com cgi bin webscr cmd _additional payment overview outside 16 March 2008 PayPal Certified Developer Program Study Guide Online Payment Processing a PayPal s Payment Processing Solutions TABLE 1 1 PayPal Payment Processing Solutions Additional payment option I have an internet merchant account I need an all in one solution I need basic payment processing Website Website Payments Payments Payflow Payflow Email Virtual Pro Standard Pro Link Payments Terminal PayPal Customer Experience Where Shop on Shop on Shop on Shop on Varies with Varies with Shop on customers merchant merchant merchant merchant merchant merchant merchant shop website website website website business business website Where Merchant Merchant PayPal Phone fax customers website or website or or mail che
30. effective way to accept repeat payments for installment plans monthly fees or subscription based services Recurring Billing Service Provides simple automated credit card fraud screening to enterprise grade perimeter security services to save you time and money while protecting your business PayPal Certified Developer Program Study Guide March 2008 45 Getting Started With Account Setup Review Question 5 What is the purpose of the PayPal Sandbox 46 March 2008 PayPal Certified Developer Program Study Guide API Credentials In this chapter you will learn e What API credentials are e How to establish API credentials e How to use API credentials What API Credentials Are Before using the PayPal API to communicate with the API server a developer must establish a set of API credentials which is data that uniquely identifies a developer to the PayPal API server The credentials are included with each API call Credentials are needed per merchant account for processing API credentials comprise the following e API username This is assigned by PayPal Although the API username is based on the email address used to set up the credentials it is not the same as the email address used to log in to the PayPal website e API password This is automatically generated and assigned by PayPal It is a randomly generated string of 16 characters e API certificate or API signature An API signature is a
31. flexible payment processing solution is critical A payment processing solution should be Secure e Backed by an established trustworthy company e Comply with the Payment Card Industry PCI Data Security Standard e Provide comprehensive and standard antifraud features e Store customer financial information with state of the art encryption e Supply password protected account management PayPal Certified Developer Program Study Guide March 2008 13 14 Online Payment Processing PayPal s Payment Processing Solutions Reliable e Provide reliable and cost effective acceptance and processing of a variety of payment types e Authorize credit cards in real time e Scale to thousands of transactions to meet peak demand e Based on a fault tolerant network of redundant servers to ensure uninterrupted operations Easy to Use e Provide easy flexible integration with merchant s website e Scale rapidly and seamlessly as transaction volume increases e Work with leading internet merchant account providers e Provide easy to use tracking and reporting system e Store transaction records securely e Process offline transactions through a virtual terminal e Provide recurring billing payment for services e Offer upgrade options to accommodate future growth PayPal s Payment Processing Solutions PayPal s payment processing solutions are designed to meet the demanding and diverse needs of a variety of online merchants By providing affor
32. not for items purchased No wildcards are allowed Character length and limitations Must be at least 11 and no more than 25 single byte numeric characters maximum Special punctuation such as dashes or spaces is ignored SALUTATION Customer s salutation No Character length and limitations 20 single byte characters FIRSTNAME Customer s first name No Character length and limitations 25 single byte characters MIDDLENAME Customer s middle name No Character length and limitations 25 single byte characters LASTNAME Customer s last name No Character length and limitations 2025 single byte characters SUFFIX Customer s suffix No Character length and limitations 12 single byte characters AUCTIONITEMNUMBER Search by auction item number of the purchased goods No 96 March 2008 PayPal Certified Developer Program Study Guide Transactions aa Transaction Searches TABLE 8 9 TransactionSearch Request Parameters Continued Parameter Description Required TRANSACTIONCLASS Search by classification of transaction No Some possible classes of transactions are not searchable with this field for example bank transfer withdrawals The following classes of transaction can be searched for e All All transaction classifications Sent Only payments sent Received Only payments received MassPay Only mass payments MoneyRequest Only money requests FundsAdded On
33. s names and and people s with the Sandbox create the details for all the postal addresses names and business roles you must fulfill postal The Sandbox simulates verification of postal addresses addresses and names Email The Sandbox has a special purpose email inbox for Real email address and inbox for each addresses your testing contained in the Sandbox itself business role and email inboxes Bank The Sandbox creates bank accounts credit card Actual verification of bank account account and credit card numbers Social Security Number for Billing Agreements PayPal transactions Fraud detection numbers and CVV2 numbers you need to develop and test all of these are fictitious and used only within the Sandbox The Sandbox simulates the verification of these numbers Transactions do not affect real accounts and money is never exchanged 111 nn nnnn The Sandbox creates all fictitious bank accounts credit card numbers and CVV2 numbers you need for development and testing The Sandbox simulates the verification of these numbers Fraud detection is not enabled for the Sandbox numbers credit card numbers and CVV2 numbers Real Social Security Numbers Live transactions cleared by live PayPal processes Full protection through PayPal s fraud detection March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Accessing the PayPal Sandbox TABLE 9 1 Differences between PayPal Sandbo
34. such as one created using a Buy Now button or by passing parameters in the URL as in the following example https www sandbox paypal com us cgi bin webscr cmd xclick amp business seller domain com 3 On the Review Purchase Page click on the Change link under funding method 4 Select eCheck as the funding method and click Continue 5 Click Pay to create the transaction To verify the creation of the transaction see Verifying a Test Payment on page 119 Completing or Canceling a Pending Transaction 1 In the buyer s transactions log click the Details link in the Details column 2 In the Transaction Detail window shown below there are two links to simulate actual bank clearing These links appear only in the Sandbox as shown below Clear Transaction Click to complete the transaction Fail Transaction Click to cancel the transaction 120 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing ae Testing PayPal Website Features My Account Send Money Request Money Merchant Services Overview Add Funds History Profile Transaction Details Add Funds from a Bank Account ID 2T856487xXV899364R Original Transaction Date Type Status Details Amount Apr 25 2008 Payment To Gary McCue s Test Store Uncleared Details 10 00 USD Related Transaction Date Type Status Details Amount Apr 25 2008 Add Funds from a Bank Account U
35. the Windows Server 2003 Resource Kit PayPal Certified Developer Program Study Guide March 2008 49 50 API Credentials Using API Credentials To import the API certificate execute the following command at a command prompt WinHttpCertCfg i encryptedCertificateName p prvateKeyPassword c LOCAL MACHINE my a username where e encryptedCertificateName is the name of the encrypted API certificate that was generated with OpenSSL e privateKeyPassword is the private key password of the encrypted API certificate e username is the name of the user executing the application If the API certificate will be used with the PayPal Sandbox set username to Everyone Do not use users on the server is not secure For an ASP NET application this value is ASPNET Under Windows IIS 5 default configuration this value is IWAM_machineName where machineName is the appropriate computer name Under Windows IIS 6 default configuration this value is NETWORK SERVICE including the quotation marks Everyone with a live API certificate because granting private key access to all Using API Credentials Each request to the PayPal server must include a set of required security parameters shown in Table 4 1 TABLE 4 1 Required Security Parameters Parameter USER PWD VERSION SIGNATURE SUBJECT Required Optional Required Required Required Optional only if using API sign
36. the bank makes that account number visible to you for use in testing later Except for UK or German test bank accounts leave all other automatically generated information as is Make a note of the test bank account number because it will be handy to have when you do your testing Click Add Bank Account March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Setting Up Test Accounts 6 In the resulting success window click the Continue button at the bottom The My Account gt Overview page opens 7 Click the Confirm Bank Account link in the Activate Account box at the left side 8 In the Confirm Bank Account window click Submit Adding Credit Cards A credit card is a source of funds for the buyer s PayPal account thus it can be used for transactions between a buyer s test account and other test accounts A test account can have multiple credit cards Test credit card numbers cannot be used to pay for real world transactions To create additional credit card accounts for an already existing test account follow these steps 1 Select a buyer s test account and click Enter Sandbox Test Site 2 Navigate to My Account gt Profile 3 Under the Financial Information header click the Credit Cards link 4 In the Credit Cards window click the Add button 5 In the Add Credit Card window make a note of the credit card number for use in later testing Leave the automatically gen
37. the banking community but as an internet merchant you access the financial networks for each transaction made on your site As a result security at the point of sale is becoming an increasing concern for both credit card associations and the government Credit card associations for their part hold merchants liable for fraudulent transactions because the credit card isn t physically present during online purchases So merchants must take additional steps against online fraud Credit card associations can impose stiff penalties for fraud expenses on top of stolen goods and related shipping costs Moreover American Express Diners Club Discover Card JCB MasterCard International and Visa U S A have adopted the Payment Card Industry PCI Data Security Standard developed to protect account and transaction information of cardholders The PCI standard requires merchants to adhere to a set of information security requirements or risk substantial fines Security must therefore be a key concern Liability for Internet Fraud In the offline world you can take steps to safeguard your transactions by getting a signature and authorization thereby shifting the liability of the transaction to the card issuer In the online world the liability for a fraudulent transaction always rests squarely with the merchant Online transactions are considered card not present transactions and are inherently riskier The financial consequences for a merchant wh
38. with GetTransactionDetails for example bank transfer withdrawals March 2008 PayPal Certified Developer Program Study Guide Transactions a Payment Notification Integration GetTransactionDetails Request Use a Get TransactionDetails request to search for a specific transaction TABLE 8 11 GetTransactionDetails Request Parameters Parameter Description Required METHOD Name of the method Get TransactionDetails Yes TRANSACTIONID Unique identifier of a transaction Yes Character length and limitations 17 single byte alphanumeric characters GetTransactionDetails Response A GetTransactionDetails response contains all the details and information on the specified transaction The complete list of parameters returned by the GetTransactionDetails response is documented in PayPal Name Value Pair API Developer Guide and Reference Payment Notification Integration Website Payments Pro offers multiple payment notification methods including e Email e Reporting Tools e Instant Payment Notification IPN Email Merchants automatically receive an email notification in the following cases e Successful payment e Pending payment e Canceled payment To turn off payment notifications through email follow these steps 1 In the My Account tab click the Profile subtab 2 In the Account Information column click the Notifications link 3 Find the Payment Notifications heading and clear the I receive PayPal Websi
39. 156 10 March 2008 PayPal Certified Developer Program Study Guide Online Payment Processing Online payment processing simplifies the operation of an online store by providing a reliable easy secure and seamless experience for merchants and customers In this chapter you will learn e Online payment processing basics e How the payment processing network operates e How payment processing works e What to look for in an online payment processing solution e PayPal s payment processing solutions Online Selling Basics With the right payment processing services online merchants can get paid quickly and easily while protecting themselves against fraud The most critical step in establishing an online store is ensuring that you can accept customer payments for single or repeated transactions Online payment processing tools offer customers the convenience of paying by credit card PayPal or other electronic payment sources like debit cards purchase cards and eChecks Additionally successful online merchants must make sure their stores are secure Online fraud rates are climbing but smart merchants can protect themselves with security and fraud prevention systems from a company they trust According to CyberSource Corp businesses lost nearly 2 8 billion USD to online fraud in 2005 up from 2 6 billion USD in 2004 PayPal s Fraud Protection Services provide secure and reliable tools that offer peace of mind The Paym
40. 21 Online Payment Processing Review Questions 22 March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention E commerce has become an essential sales channel for businesses both domestically and internationally Unfortunately e commerce has also become an attractive revenue source for criminals who perpetrate internet fraud You need to be aware and informed so that you can take steps to protect your business Security for online payments is everyone s responsibility In this chapter you will learn about e Why every merchant should be concerned about internet fraud e Liability for internet fraud e Internet fraud What it is and how it happens e Who is at risk for online fraud e How to reduce your exposure to fraud e What banks and credit card associations are doing to prevent online credit card fraud e What PayPal is doing to protect your business against fraud e Providing disclosure to your customers and compliance with the Payment Card Industry PCI standard e PayPal Fraud Protection Services Why Every Business Should Be Concerned About Internet Fraud Every merchant is at risk for fraud When doing business online you should be particularly aware of fraud Offline merchants can see who they are doing business with look at their customers credit cards and watch them sign the receipt In the online world however customers never sign a paper receipt so authenticati
41. 55 amp FIRSTNAME Designer LASTNAME Fotos TPADDRESS 255 55 167 002 amp STREET 1234 20AVS At20Street CITY San 20Jose amp STATE CA amp COUNTRY United 20States amp ZIP 95110 amp COUNTRYCODE US amp IPTONAMF Louise 20P 20Flowerchild IPTOSTREET 1234 20ERasy s20Street amp IPTOSTREET2 Apt 2022 20bis8 HI PTOCITY NewS200rleans amp E I I T PTOSTATE LA amp PTOCOUNTRY US amp PTOZIP 70114 amp MENTACTION Authorizationg ZBIN foo amp RSION 3 38 ER usemame amp PWD passwords SIGNATURE Aq9tJJ3ndj7r32JgX gAzqooC1JJAM7erWun CUZYFDtxffpKWU4EROG DPNnNnNNNNN NN I z H lt Gl The request invokes the following response TIMESTAMP 2007 2d04 2d04T03 3a35 33al0Z amp CORRELATIONID a7cbh 2d4d83dc amp ACK Failure amp L_ERRORCODE0 10555 amp L_SHORTMESSAGEO Filter 20Decline L_LONGMESSAGE0 This 20transaction 20cannot 20be 20processed 2e amp L_SEVERITYCODEO Error amp L_ERRORCODE1 10755 amp L_SHORTMESSAGE1 Unsupported 20Currency 2e amp L_LONGMESSAGE1 This 20transaction 20cannot 20be 20processed 20due 20to 20an s20unsupported 20currency 2e amp L _SEVERITYCODE1 Error VERS ION 3 33e400000 amp BUILD 1 2e0006 PayPal Certified Developer Program Study Guide March 2008 137 ES Sandbox Testing Testing Error Conditions Testing Using CVV Codes You can simulate credit card validation by triggering a CVV e
42. 77 Chapter 7 Direct Payment API 2 2 22 24 2 ee ee 79 How Direct Payment Works aaa oaa aa e 79 Direct Payment API Reference Information 0 000022 ee ee 80 DoDirectPayment Request 2 2 e 80 DoDirectPayment Response o 84 Authorization amp Capture 2 2 85 Review Questions esa a sas dor ena dodana sirsa ea 85 Chapter 8 Transactions 2 2 26 see lt a ee eee ee 287 Authorization 8 Capture APIS 2 2 2 o 87 Authorization Process oaoa a a 87 Honor Period and Authorization Period oaoa oaoa a a a a 88 Authorization amp Capture API Reference Information 88 Authorization amp Capture Best Practices 93 For More Information a a 93 FROTUNOS aaa Era a a a a aa Re Sy Bay oe dr tia da 93 RefundTransaction Request eee 94 RefundTransaction Response a a a a a 94 Transaction Searches aa 95 TransactionSearch Request oaoa a a a 95 TransactionSearch Response a e 98 Retrieving Transaction Details oaoa a a a ee 98 GetTransactionDetails Request 2 a a a a a a 99 GetTransactionDetails Response a 99 Payment Notification Integration oaoa a a 99 Emails 2 6 3 00 a Re a r OR a a A e a ee 99 o o rea me e ee ch Ge ON ce a ee ete ee Ao ee a a ee ce 100 PayPal Certified Developer Program Study Guide M
43. AGE13 The 20partial 20refunds20amount 20must 20be 20less 20than 2 Oor 20equal 20to 20the 20remaining 20amount amp L _SEVERITYCODE13 Error VERS ION 3 33e400000 amp BUILD 1 2e0006 Testing Using AVS Codes You can simulate address verification by triggering an AVS error code when you call DoDirectPayment or use Virtual Terminal To specify a code place AVS_code in the NVP SHIPTOSTREET field or the Street1 SOAP element when you call DoDirectPayment where code is an AVS code Alternately enter AVS_code in Address Line 1 when using Virtual Terminal For example if you set 123 AVS A Street in the NVP SHIPTOSTREET field AVS code A is set T NOTE AVS_code is case sensitive all characters must be uppercase For example AVS Aisa valid trigger but avs_a is not Table 9 3 identifies valid AVS codes corresponding triggers and description of the error conditions TABLE 9 3 AVS Error Conditions and Triggers AVS Code Trigger Description of Error A AVS A The address matches but no zip code is specified This results in an error if the Partial Address Match risk control is set AVS B The international address matches but no zip code is specified This results in an error if the Partial Address Match risk control is set AVS D Exact match no error The international address and postal code match March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing
44. CY 3 SBILLINGPERIOD Day amp BILLINGFREQUENCY 1 In the Sandbox the trial billing period would take approximately three minutes and the regular billing cycle would occur approximately every minute When you are ready to go live you would change the trial billing period and the billing period to Month March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Review Questions Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 True or false Sandbox email messages use the same email system as live PayPal email messages 2 What variable does the Sandbox use to differentiate between live PayPal and Sandbox IPN 3 What two pieces of information must be changed in the application code when moving the application from the Sandbox to live PayPal 4 True or false An application does not have to be published to a web server before a tester can test a Buy Now button 5 Which of the following applies to the passwords you can specify for your Sandbox accounts a They must be the same as the password for your Developer Central account b They can be the same for all your test accounts to make testing easler c They must begin with sb d They must be unique for each Sandbox account PayPal Certified Developer Program Study Guide March 2008 141 a Sandbox Testing Rev
45. E Testing Error Conditions TABLE 9 3 AVS Error Conditions and Triggers Continued AVS Code Trigger Description of Error F AVS F Exact match no error The UK address and postal code match P AVS P The postal code matches but no address is specified This results in an error if the Partial Address Match risk control is set W AVS W The 9 digit zip code matches but no address is specified This results in an error if the Partial Address Match risk control is set X AVS X Exact match no error The complete address and 9 digit zip code match Y AVS Y Exact match no error The complete address and 5 digit zip code match Z AVS Z The 5 digit zip code matches but no address is specified This results in an error if the Partial Address Match risk control is set N AVS N There is no address information This results in an error if the No Address Match risk control is set C AVS C There is no address information for an international address This results in an error if the No Address Match risk control is set E AVS E Not allowed for MOTO internet phone transactions I AVS I Service is unavailable internationally This results in an error if the Service Unavailable Unsupported risk control is set G AVS G Service is unavailable globally This results in an error if the Service Unavailable Unsupported risk control is set R AVS_R Retry This results in an error if the Service U
46. E value API_signature gt lt input type hidden name VERSION value 3 3 gt lt input type hidden name PAYMENTACTION value Authorization gt lt input name AMT value 19 95 gt 126 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Testing PayPal NVP APIs lt input type hidden name RETURNURL value http www YourRetumURL com gt lt input type hidden name CANCELURL value http www YourCancelURL com gt lt input type submit name METHOD value SetExpressCheckout gt lt form gt Note The API username is a Sandbox business test account for which a signature exists To obtain a signature see the Test Certificates tab of the Sandbox 2 PayPal responds with a message like the one shown below Note the status which should include ACK set to Success and a token that is used in subsequent steps TIMESTAMP 2007 2d04 2d05T23 3a23 3a07Z amp CORRELAT IONID 63cdac0b67b50 amp ACK Success amp VERS ION 3 3e300000 amp BUILD 1 2e0006 amp TOKEN EC 2d1NK66318YB717835M 3 Ifthe operation was successful use the token and redirect your browser to the Sandbox as follows https www sandbox paypal com cgi bin webscr cmd express checkout amp token EC 1NK66318YB717835M Norte You may need to replace hexadecimal codes in the token with ASCII codes for example you may need to replace 2d in the token with a hyphen 4 Log into the San
47. From the value that was sent to PayPal in the DoExpressCheckoutPayment request 10 000 USD in any currency Three hours On the shopping cart page aligned with any other checkout buttons Ak wo oN TAXAMT is required if a value for L_TAXAMTn is specified Chapter 7 1 True 2 Itis determined by the Merchant Account settings PayPal Certified Developer Program Study Guide March 2008 151 OA Answers to Review Questions Chapter 8 Chapter 8 1 Up to 115 of the originally authorized amount up to 75 USD False If REFUNDTYPE is Full do not set AMT True No aA Ae pp A complaint occurs when a customer registers a complaint about a payment to PayPal A chargeback occurs when a customer registers a complaint with the credit card company Chapter 9 1 False test_ipn The server address and the developer s API credentials True an hh W N b They can be the same for all your test accounts to make testing easier 152 March 2008 PayPal Certified Developer Program Study Guide General Reference Information This appendix contains information that may be valuable when using the PayPal NVP APIs ShippingAddress Parameter The ShippingAddress parameter is optionally used in a SetExpressCheckout or DoExpressCheckout Payment request in Express Checkout and in a DoDirectPayment request in Direct Payment TABLE B 1 ShippingAddress Parameter Description Required SHIPT
48. I error code 10755 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing Testing Error Conditions TABLE 9 2 API Fields That Trigger Error Conditions Continued API Name DoDirectPayment Set Get ExpressCheckout ExpressCheckout Details DoExpressCheckout DoCapture DoVoid DoReauthorization DoAuthorization Mas Bil sPay lUser NVP Field Name AMT MAXAMT TOKEN TOKEN AUTHORIZATIONID EMATLSUBJECT SOAP Element OrderTotal MaxAmount Token Token Amount AuthorizationID Amount Amount EmailSubject Amount Description Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 107 55 triggers PayPal API error code 10755 Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 107 55 triggers PayPal API error code 10755 Specify the error code to trigger as all digits in the field e g a token value of 10755 triggers PayPal API error code 10755 Specify the error code to trigger as all digits in the field e g a token value of 10755 triggers PayPal API error code 10755 Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 106 23 triggers PayPal API error code 10623 Specify the error code to trigger as all dig
49. Member Log In Email Address Password c ae to the test C Log me in automatically Need an account Sign up now to access PayPal s Sandbox Test Environment Trouble Logging In Use the Sandbox Test Environment to create and manage test accounts and their associated email Can We Help and API credentials You can also access valuable developer resources from Help Visit the PayPal Developer Sign Up Now Community to get answers to integration questions or to file a support ticket Fees Privacy Security Center Contact Us User Agreement PayPal an eBay Company Copyright 1999 2007 PayPal All rights reserved TRUST QuE Information about FDIC pass through insurance si G BBBONLINE 2 If you already have an account enter your Log In Email and Password and click Log In 108 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing Accessing the PayPal Sandbox 3 If you do not already have an account click Sign Up Now and provide the requested information shown below Sign Up for Access to the Sandbox Test Environment This account will allow you to use the PayPal Sandbox Test Environment to try out Website Payments Instant Payment Notification PayPal APIs and other features First Name 7 Last Name Email Address Do not use your PayPal account login email Password At least 8 characters long case sens
50. ONAME Person s name associated with this shipping address Yes Character length and limitations 32 single byte characters SHIPTOSTREET First street address Yes Character length and limitations 100 single byte characters SHIPTOCITY Name of city Yes Character length and limitations 40 single byte characters SHIPTOSTATE State or province Yes Character length and limitations 40 single byte characters SHIPTOCOUNTRYCODE Country code Yes Character limit Two single byte characters NOTE A complete list of country codes is available in the PayPal Name Value Pair API Developer Guide and Reference SHIPTOZIP U S ZIP code or other country specific postal code Yes Character length and limitations 20 single byte characters SHIPTOSTREET2 Second street address No Character length and limitations 100 single byte characters PHONENUM Phone number No Character length and limitations 20 single byte characters PayPal Certified Developer Program Study Guide March 2008 153 154 General Reference Information PayPal Supported Transactional Currencies PayPal Supported Transactional Currencies Table B 2 lists the currencies supported by PayPal for use in transactions TABLE B 2 PayPal Supported Currencies and Currency Codes for Transactions ISO 4217 Code Currency AUD Australian Dollar CAD Canadian Dollar CHF Swiss Franc CZK Czech Koruna DKK Danish Krone EUR Euro GBP P
51. PayPal PayPal Certified Developer Program Study Guide For Professional Use Only Currently only available in English A usage Professional Uniquement Disponible en Anglais uniquement pour l instant Last updated March 2008 PayPal Certified Developer Program Study Guide Document Number 100018 en_US 200803 2008 PayPal Inc All rights reserved PayPal is a registered trademark of PayPal Inc The PayPal logo is a trademark of PayPal Inc Other trademarks and brands are the property of their respective owners The information in this document belongs to PayPal Inc It may not be used reproduced or disclosed without the written approval of PayPal Inc PayPal Europe Ltd is authorised and regulated by the Financial Services Authority in the United Kingdom as an electronic money institution PayPal FSA Register Number 226056 Notice of non liability PayPal Inc is providing the information in this document to you AS IS with all faults PayPal Inc makes no warranties of any kind whether express implied or statutory with respect to the information contained herein PayPal Inc assumes no liability for damages whether direct or indirect caused by errors or omissions or resulting from the use of this document or the information contained in this document or resulting from the application or use of the product or service described herein PayPal Inc reserves the right to make changes to any information herein without
52. PayPal applications Before moving any PayPal based application into production test the application in the Sandbox to ensure that it functions properly For details about the Sandbox see Chapter 9 Sandbox Testing 44 March 2008 PayPal Certified Developer Program Study Guide Getting Started With Account Setup Review Question Review Question Answers to review questions are in Appendix A Answers to Review Questions 1 The following steps describe the getting started with account setup process Indicate the correct order of the steps by placing the step number to the left of each description _____ Set up an internet merchant account if you don t already have one _____ Customize your payment processing service with additional services _____ Choose payment processing services ____ Use the PayPal APIs to implement payment processing on the merchant website ______ Enroll in the selected PayPal services 2 What information do you need to set up an internet merchant account 3 How many days should you allow to set up an internet merchant account 4 Match each PayPal service that provides fraud protection to its description Response PayPal Product Service Description Fraud Protection Services 1 Provides your customers with a secure and convenient payment flow because they don t have to re enter information already stored in their PayPal account Express Checkout A fast cost
53. PayPal payment solution that separates the authorization for a purchase from the actual capture of the funds This is useful for merchants who have a delayed order fulfillment process or who need to modify the original authorization amount due to order changes Cc Case A claim registered with PayPal by a buyer who has a dispute with a merchant Chargeback A transaction in which a customer requests a refund from the credit card company and the credit card company bills the merchant Chargebacks often occur as a result of fraudulent transactions or disputes in which the customer was not properly credited after a return Card Verification Value CVV2 A three or four digit value printed on a credit card but not encoded on the card s magnetic strip This value provides security against credit card fraud in transactions in which the merchant does not directly handle the credit card such as e commerce transactions Instant Payment Notification IPN A PayPal solution that provides merchants with immediate notification and confirmation of PayPal payments received PayPal Certified Developer Program Study Guide March 2008 157 P PayPal Direct Payment API An API that enables merchants to accept credit card payments directly on their website PayPal remains invisible so that the merchant controls the customer experience PayPal Express Checkout An API that allows PayPal account holders to check out fast with saved info
54. Payment Notification March 2008 PayPal Certified Developer Program Study Guide Transactions e Dispute Notification Dispute Notification Customers can register claims about payments these claims are called cases PayPal notifies merchants about new cases with email and with IPN There are two kinds of cases A complaint occurs when a customer uses the PayPal Resolution Center to register a complaint about a payment to a merchant A chargeback occurs when a customer files a complaint with a credit card company and the credit card company issues a chargeback The credit card company notifies PayPal about the reason for the chargeback after investigating the case PayPal notifies the merchant of any action required The IPN messages for chargebacks resulting from a complaint are asynchronous that is the IPN message for the chargeback can be sent to the merchant before the IPN message related to the complaint Compare the IPN variable parent_txn_id ofall IPN messages to match the chargeback with the complaint IPN variables for cases include the type of case the reason and other information about the case For a complete list of IPN variables see PayPal Order Management Integration Guide Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 A N A 0 What percentage of the originally authorized amount can be authorized by using the payment s transaction ID
55. Record this value and store it in a document in a secure location The developer must take the appropriate steps to protect the API signature values these values should be stored in a secure location on the web server To use the Sandbox to test an application register a separate set of API credentials and use a second API signature The same API signature cannot be used for both the Sandbox and live servers API Certificate To establish credentials using an API certificate follow these steps 1 Generate the API certificate 2 Encrypt the API certificate 3 Install the API certificate in the Windows Certificate Store These steps are required regardless of whether the API certificate will be used with the PayPal Sandbox or with live PayPal Each step is detailed below 48 March 2008 PayPal Certified Developer Program Study Guide API Credentials ES Establishing API Credentials Generate the API Certificate 1 Log in to a PayPal Premier or Business account In the top navigation area click the Profile subtab Under the Account Information header click the API Access link Click the Request API Credentials link Complete the request form by clicking the agreement checkbox and clicking Submit Save the values for API Username and API Password NY A a hh U N Click the Download Certificate button A file named cert _key pem txt is downloaded this is the live API certificate 8 Rename the file to something more m
56. Reference Information Parameter DESC CUSTOM INVNUM BUTTONSOURCE NOTIFYURL ITEMAMT SHIPPINGAMT HANDLINGAMT Description Description of items the customer is purchasing Character length and limitations 127 single byte alphanumeric characters A free form field for the developer s own use Character length and limitations 256 single byte alphanumeric characters The merchant s own invoice or tracking number Character length and limitations 127 single byte alphanumeric characters An identification code for use by third party applications to identify transactions Character length and limitations 32 single byte alphanumeric characters The URL for receiving Instant Payment Notification IPN about this transaction NOTE If this value is not specified the notification URL from the Merchant Profile is used if one is available Character length and limitations 2 048 single byte alphanumeric characters Sum of cost of all items in this order NOTE Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma NOTE ITEMAMT is required if a value is specified for L_AMTn Total shipping costs for this order NOTE Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places
57. US Status of street address on file with PayPal CUSTOM A free form field for the developer s own use as set in the CUSTOM parameter of the SetExpressCheckout request Character length and limitations 256 single byte characters INVNUM The merchant s own invoice or tracking number as set in the INVNUM parameter of the SetExpressCheckout request Character length and limitations 127 single byte characters PHONENUM Payer s contact telephone number PayPal returns a contact telephone number only if the Merchant account profile settings require that the customer enter one Character length and limitations Field mask is XXX XXX XXXX for U S numbers or XXX XXXXXXXX for international numbers PayPal Certified Developer Program Study Guide March 2008 67 Express Checkout Express Checkout API Reference Information DoExpressCheckoutPayment Request The Do with PayPal Express Checkout ExpressCheckoutPayment request performs the actual request to obtain payment Note PayPal requires that a merchant using Express Checkout display to the customer the TABLE 6 6 DoExpressCheckoutPayment Request Parameters same amount that the merchant sends to PayPal in the AMT parameter of the ExpressCheckoutPayment request Parameter METHOD TOKEN PAYMENTACT ION PAY ERID Description Name of the API DoExpressCheckout Payment The timestamped token value that was returned by the Se
58. _SHORTMESSAGE0 Ga teway 20Decline amp L_LONGMESSAGEO This 20transaction 20cannot 20be 20processed 2e 20Please 20e nter 20a 20valid 20Credit 20Card 20Verification 20Number32e amp L_SEVERITYCODEO Error amp VERS ION 3 3e400000 amp BUILD 1 2e0006 Testing Recurring Payments On the live site a billing cycle repeats after the actual specified time elapses for example a one month billing cycle takes one month to occur You can simulate the elapsed time for a billing cycle in the Sandbox when testing a recurring payments profile in which case the actual elapsed time is reduced This is useful when you want to simulate a billing cycle without waiting for the actual time to elapse To reduce the actual elapsed time specify Day as the period When you specify Day the billing cycle occurs every n minutes in the Sandbox where n represents the frequency For example if you specify 1 for the billing frequency and Day for the period when executing the CreateRecurringPaymentsProfile API the billing cycle occurs every minute when testing in the Sandbox IMPORTANT Reducing the elapsed time works only if the period is Day other values do not change the actual elapsed time Consider a scenario in which you want to simulate a one month billing cycle after a three month trial without waiting four months In the Sandbox you could specify the following NVP parameters amp TRIALBILLINGPERIOD Day amp TRIALBILLINGFREQUEN
59. actionSearch request 95 response 98 Transit Number 116 U UK bank account info 116 URL encoding 55 V Virtual Terminal 17 Visa 33 W Website Payments 118 Website Payments Pro 14 17 43 111 117 Website Payments Standard 14 15 17 43 March 2008 PayPal Certified Developer Program Study Guide
60. address fields should be displayed whatsoever Character length and limitations 4 single byte numeric characters Allowable values 0 1 Default value 0 Required No No No No PayPal Certified Developer Program Study Guide March 2008 63 Express Checkout Express Checkout API Reference Information TABLE 6 2 SetExpressCheckout Request Parameters Continued Parameter Description Required ADDROVERRIDE The value 1 indicates that the PayPal pages should display the shipping No address set in this SetExpressCheckout request not the shipping address on file with PayPal for this customer NoTE Displaying the PayPal street address on file does not allow the customer to edit that address Allowable values 0 1 Default value 0 TOKEN A timestamped token that tells PayPal that the payment is being No processed with Express Checkout NOTE The token expires after three hours If the token is set here the value of TOKEN in the response will be identical to the value in the request Character length and limitations 20 single byte characters LOCALECODE Locale of pages displayed by PayPal during Express Checkout No Character length and limitations Any two character country code The following codes are supported by PayPal US All other values default to US A complete list of country codes is in PayPal Name Value Pair API Developer Guide and Reference
61. ail tab contains all the email messages sent to the test account sending the money and the test account receiving the money See Test Email on page 110 13 Log in as the seller test account and navigate to the My Account gt Overview tab to see the transaction for the recipient s account Billing A Customer PayPal business users can bill another PayPal user for the purchase of goods or services In PayPal terminology the feature to bill a customer is called Request Money In the PayPal Sandbox you can manually initiate a request for funds from a test account One test account is the seller the other the buyer To request funds from a buyer follow these steps 1 Log in to htips developer pavpal com click the Test Accounts tab select a test account for which funds are requested and click Enter Sandbox Test Site 2 Navigate to the Request Money tab 3 On the Request Money page enter the email address PayPal login name for the test account being billed in the Recipient s Email box 4 In the Amount box enter the billed amount 5 In the Currency drop down list select the currency for the funds 6 In the Type drop down list select the reason for the request for funds billing Note Auction is not an option in the drop down list 7 Enter text in the Subject box This text is the subject of the email sent to the recipient regarding the sent funds 8 Enter text in the Note memo box This text appears in t
62. ailable PayPal automatically encrypts your confidential information in transit from your computer to ours Once your information reaches us it resides on a server that is heavily guarded both physically and electronically Our servers sit behind a monitored electronic firewall and are not connected directly to the internet so your private information is available only to authorized computers How to Reduce Chargebacks Dealing effectively with customer issues is a great way to minimize risk and reduce chargebacks By communicating clearly and keeping good records you can avoid many potential problems today which are much easier than trying to resolve them with a credit card company tomorrow PayPal has developed these helpful tips for avoiding customer complaints that can lead to chargebacks e Provide realistic delivery time estimates and use tracking that shows proof that the items were received e Describe the sale item in as much detail as possible Include clear images and measurements so that customers have a good understanding of what they re getting e Make sure you clearly disclose the total cost to customers up front the price taxes shipping costs etc e Provide customers with a way to contact you should they have a problem Often a simple email exchange or phone call clears up a misunderstanding instantly e Respond promptly and courteously to customer inquiries PayPal Certified Developer Program Study Guide March 2008
63. and limitations 25 single byte characters STREET First street address No Character length and limitations 100 single byte characters CITY City No Character length and limitations 40 single byte characters STATE State or province No Character length and limitations 40 single byte characters For state or province abbreviations see PayPal Name Value Pair API Developer Guide and Reference COUNTRYCODE Country code No Character length and limitations Two single byte characters For a list of country codes see PayPal Name Value Pair API Developer Guide and Reference ZIP U S ZIP code or other country specific postal code No Character length and limitations 20 single byte characters NOTIFYURL The URL for receiving Instant Payment Notification IPN about this No transaction If a URL is not specified in the request the notification URL from the Merchant Profile is used if one exists Character length and limitations 2 048 single byte alphanumeric characters PayPal Certified Developer Program Study Guide March 2008 81 7 Direct Payment API Direct Payment API Reference Information TABLE 7 1 DoDirectPayment Request Parameters Continued Parameter Description Required CURRENCYCODE A three character currency code No Default USD This parameter accepts only the following currencies AUD Australian Dollar CAD Canadian DOllar EUR Euro GBP Pound Sterling JPY
64. ant makes a final sale and payment transaction through PayPal If at the point of sale the merchant does not know the complete cost of the order for example if the shipping handling and tax are not precisely known or there is an upsell a transaction can be authorized that can be captured later with Authorization amp Capture PayPal uses Authorization amp Capture in both Express Checkout and Direct Payment For information on Authorization amp Capture see Authorization amp Capture APIs on page 87 76 March 2008 PayPal Certified Developer Program Study Guide Express Checkout Review Questions Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 an Bb Ww N On the Order Review page from where should the application get the value of the total order Inthe SetExpressCheckout request what is the maximum allowed value for AMT How much time elapses before a TOKEN expires Where should the PayPal checkout button appear In the DoExpressCheckout Payment request when is a value required for the parameter TAXAMT PayPal Certified Developer Program Study Guide March 2008 77 az Express Checkout Review Questions 78 March 2008 PayPal Certified Developer Program Study Guide Direct Payment API In this chapter you will learn e How Direct Payment works e How to use the Direct Payment API How Direct Payment Works The Direct P
65. arch 2008 5 all Contents Instant Payment Notification IPN 2 0 o e o 100 Dispute Notification 0 o e 103 Review Questions 2 aaa a 103 Chapter 9 Sandbox Testing 2 6 2 ee ee ee ee eee 105 Overview aaa ee 105 At a Glance Differences between the Sandbox and Live PayPal 105 Accessing the PayPal Sandbox 0 0002 2p ee 107 Signing Up for Sandbox Access 000222 ete eee 108 Welcome to the PayPal Sandbox 00000 eee eee 110 Test Email qi ha Bide ae ee ee WR PS BE ey BA Sas Bowe ee we Be 110 Setting Up Test Accounts 2 a a 111 Planning the Types of Test Accounts You Need o 111 Managing Test Accounts 2 e 112 Adding a Funding Source 0000 eee ee 115 Signing Up for Website Payments Pro a aooaa a 117 Testing PayPal Website Features 000002 eee ee eee 118 Website Payments with the Buy Now Button o 118 Handling Pending Transactions o a 120 Instant Payment Notification IPN 2 o o e o 121 Verifying a Test Refund 2 o a 122 Transferring Funds to a Test Account o a 122 Clearing or Failing Test eCheck Transactions o 123 Sending Funds to a Seller eee ee 123 Billing A GUSTOME Foco citaciones o das O Raed 124 Testing PayPal NVP APIS
66. ation Note The customer does not see this step PayPal is completely invisible to customers before during and after the purchase PayPal does not send an email receipt to the customer nor will the customer s credit card statement indicate that PayPal processed the payment 4 The application transfers the customer to the order confirmation page PayPal Certified Developer Program Study Guide March 2008 79 7 Direct Payment API Direct Payment API Reference Information Direct Payment API Reference Information The following sections contain reference information about the parameters and fields used in the various requests and responses involved in PayPal Direct Payment Further reference information is available in PayPal Name Value Pair API Developer Guide and Reference DoDirectPayment Request Use a DoDirectPayment request to charge a credit card or to authorize a credit card for later capture TABLE 7 1 DoDirectPayment Request Parameters Parameter Description Required METHOD Name of the API DoDirectPayment Yes PAYMENTACTION How the merchant wants to obtain payment Yes IPADDRI CR ED TCAI e Authorization indicates this payment is a basic authorization subject to settlement with PayPal Authorization amp Capture e Sale indicates this is a final sale for which the merchant is requesting payment Character length and limit Up to 13 single byte alphabetic characters ESS IP addre
67. ation amp Capture Capturing Funds on Basic Authorizations PayPal recommends that a merchant capture funds within the honor period of three days because PayPal will honor the funds for a three day period after the basic authorization If the merchant tries to capture funds after the three day period and the authorization fails the request to capture funds may be denied After day 4 of the authorization period a merchant can initiate a reauthorization which starts a new three day honor period however the reauthorization does not extend the original authorization period past 29 days The merchant should capture funds within 24 hours after shipping the customer s order Customer Approval for Basic Authorizations A customer initiated authorization allows the merchant to capture funds from the customer s account of up to 115 of the originally authorized amount not to exceed an increase of 75 USD and up to 10 000 USD the limit for a single purchase through PayPal IMPORTANT If the merchant wants to update any details of the purchase that change the original authorization amount PayPal requires that the merchant obtain consent from the customer at the time of purchase or at the time of capture Voiding Basic Authorizations The merchant should void an authorization if the authorization or reauthorization will not be used Voiding the authorization unlocks the temporary hold placed on the customer s funding sources For M
68. ation amount Capture or reauthorize a higher amount up to 115 of the originally authorized amount not to exceed an increase of 75 USD Void a previous authorization PayPal Certified Developer Program Study Guide March 2008 87 Transactions Authorization amp Capture APIs Honor Period and Authorization Period When the customer approves an authorization the customer s balance can be placed on hold for a 29 day period to ensure the availability of the authorization amount for capture The merchant can reauthorize a transaction only once up to 115 of the originally authorized amount not to exceed an increase of 75 USD After a successful reauthorization PayPal honors 100 of the authorized funds for the first 3 days of the 29 day period A day is defined as the start of the calendar day on which the authorization or reauthorization was made from 12 AM PST to 11 59 PM PST A merchant can settle without a reauthorization from day 4 to day 29 of the authorization period but PayPal cannot ensure that 100 of the funds will be available after the 3 day honor period PayPal will not allow the merchant to capture funds if the customer s account is restricted or locked a fraudulent case occurs or the merchant s account has a high restriction level PayPal makes its best effort to capture funds outside the honor period however there is a possibility that funds will not be available at that time Buyer and selle
69. ature authentication Optional only if making a third party API call Value The API username The API password The version number of the NVP API service As of this printing this value must be 3 3 Future versions of the NVP API service will require different values The API signature string Do not include this parameter if an API certificate is being used The email address of the PayPal account that has granted permission to make the API call Do not use this parameter for requests that are not third party API calls March 2008 PayPal Certified Developer Program Study Guide API Credentials ES Review Questions IMPORTANT In the final implementation protect the values for USER PWD and SIGNATURE The values should be stored in a secure location with file permissions set so that only the system user who executes the web application can access it Norte To find the latest version number go to www paypal com IntegrationCenter Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 True or false API credentials must be included with only the first request sent to the PayPal server during each session 2 True or false The API username is separate from the email address used to access PayPal PayPal Certified Developer Program Study Guide March 2008 51 2 4 API Credentials Review Questions 52 March 2008 PayPal Certified Developer Pr
70. ayPal The customer logs in to PayPal The customer selects a shipping address and payment method stored on PayPal and clicks Continue Checkout to approve the use of PayPal PayPal redirects the customer to the merchant s website The application makes an API call to retrieve transaction details GetExpressCheckoutDetails and receives the response from PayPal The customer finishes the checkout process on the merchant s website reviews the order and completes the order See Order Review Page Setup on page 76 for recommendations on setting up an order review page NoTE The customer always reviews transaction details and makes the final payment on the merchant s website PayPal handles the payment verification and passes the application the customer s shipping information PayPal never shares the customer s financial information with anyone When the customer places the order the application requests payment from PayPal DoExpressCheckoutPayment PayPal sends a response and sends the customer an email receipt for the payment The application transfers the customer to the order confirmation page showing the details of the transaction The PayPal Express Checkout program flow of control and integration points are summarized in Table 6 1 TABLE 6 1 Express Checkout Flow of Control and Integration Points Customer Clicks Checkout with PayPal button Merchant PayPal Sends a SetExpressChec
71. ayment API allows a merchant to accept credit card transactions directly on the merchant s website Even though the website uses PayPal to process the credit card transaction this process is invisible to customers This means customers are not taken away from the website the website provides a single unified look and feel IMPORTANT Payments made through the Direct Payment API are not covered by the PayPal Seller Protection Policy The Direct Payments API is part of the Website Payments Pro solution The PayPal Direct Payment API calls work as follows 1 On the website the customer chooses to pay with a credit card and enters the credit card number and other details 2 The customer reviews the order 3 When the customer clicks Pay to place the order the application sends a The Do DoDirectPayment request to the PayPal server and the payment transaction is initiated DirectPayment request includes required information that was collected from the customer such as the amount of the transaction and the customer s credit card number and expiration date as well as the browser IP address and an element that specifies whether this transaction is a final sale complete transaction amount including shipping handling and tax or an authorization for a final amount that must be captured later with Authorization amp Capture The DoDirectPayment response includes a transaction identification number and other inform
72. ayment gateway while the Advanced Fraud Protection Service is essential for businesses processing medium to high transaction volumes T Both the Basic Fraud Protection Service and the Advanced Fraud Protection Service catch common fraud warnings like high dollar amounts high quantities and shipping billing address mismatch T To support automatic rejection lists and automatic acceptance lists you need to upgrade to PayPal s Advanced Fraud Protection Service F Correct answer The PayPal Account Monitoring service is an upgrade option that provides full time protection to keep an eye on suspicious activity related to credits and refunds PayPal Certified Developer Program Study Guide March 2008 149 150 Answers to Review Questions Chapter 3 Chapter 3 Response 1 The following steps describe the getting started with account setup process Indicate the correct order of the steps by placing the step number to the left of each description Set up an internet merchant account if you don t already have one Customize your payment processing service with additional services Choose payment processing services Use the PayPal APIs to implement payment processing on the merchant website GU pe N Enroll in the selected PayPal services What information do you need to set up an internet merchant account To set up an internet merchant account have the following information available Account business owner
73. backs occur when a cardholder disputes a credit card purchase During such disputes the card issuing bank initiates a chargeback against the merchant retrieving the funds for the sale from the merchant s bank account The bank initiating the chargeback is not required to notify the merchant or the merchant bank Proving that the disputed transaction was legitimate can cost merchants significant time and resources so keeping chargebacks to a minimum is essential Chargebacks can hurt a merchant s bottom line by lowering its credit rating diverting resources to resolve the dispute and siphoning revenue from lost goods and shipping costs The most common type of chargeback occurs when the customer e Did not receive the item ordered e Did not receive the item believed to be ordered e Had his or her credit card stolen and used by the thief e Stole merchandise or services through the fraudulent use of a chargeback Who Is at Risk for Online Fraud Fraud can happen to any merchant at any time and a single fraud incident can be enough to put a merchant out of business That said some merchants are at greater risk for certain types of fraud than others PayPal has put together the following quick reference to identify some of the higher than average risk categories TABLE 2 1 High Fraud Risk Quick Reference Merchant Type Potential Risk Merchants with vulnerable security defenses Criminals take advantage of sophisticated spidering tec
74. cceptance lists you need to upgrade to PayPal s Advanced Fraud Protection Service The PayPal Basic Fraud Protection Service provides full time protection to keep an eye on suspicious activity related to credits and refunds PayPal Certified Developer Program Study Guide March 2008 41 Internet Security and Fraud Prevention Review Questions 42 March 2008 PayPal Certified Developer Program Study Guide Getting Started With Account Setup In this chapter you will learn about e Steps for getting started with PayPal payment processing solutions e Enrolling with PayPal services e The PayPal Sandbox including how to get access to the Sandbox Basic Steps for Getting Started In three steps you can acquire everything you need to begin accepting online purchases 1 Choose payment processing services Website Payments Pro Website Payments Standard Payflow Pro Payflow Link Email Payments Virtual Terminal 2 Set up an internet merchant account if you don t already have one All online businesses need to operate with an internet merchant account primarily for depositing and refunding online payments Website Payments Pro and Standard feature an integrated internet merchant account and gateway to make it quick and easy for you to begin doing business online If you register for either Payflow Pro or Payflow Link and already have an internet merchant account PayPal will provide you the option t
75. ccount and does not have a withdrawal mechanism The merchant must manually accept or deny this payment from the Account Overview e multi currency The merchant does not have a balance in the currency sent and the merchant does not have the Payment Receiving Preferences set to automatically convert and accept this payment The merchant must manually accept or deny this payment e verify The payment is pending because the merchant is not yet verified The merchant must verify his account before accepting this payment e other The payment is pending for a reason other than those listed here For more information contact PayPal customer service g EASONCODE The reason for a reversal if the transaction type is reversal e none No reason code e chargeback A reversal has occurred on this transaction due to a chargeback by the customer e guarantee A reversal has occurred on this transaction due to the customer triggering a money back guarantee e buyer complaint A reversal has occurred on this transaction due to a complaint about the transaction from the customer e refund A reversal has occurred on this transaction because the merchant gave the customer a refund e other A reversal has occurred on this transaction due to a reason not listed here Button and Logo Placement and Use When you offer PayPal Express Checkout to customers you are required to display the option in two places o
76. ck out on PayPal on PayPal Customers need a PayPal account Integration Internet Included Not needed Required Required Not needed Included Required merchant account Shopping Yes Yes Yes Yes Not Not cart required required support Technical APIs HTML APIs or APIs or Not Not APIs or skills HTML HTML required required HTML Ability to Included Upgrade Included Included Upgrade Included Upgrade accept phone fax or mail orders Note This Study Guide and the PayPal Developer Certification cover the Website Payments Pro solution with Express Checkout PayPal Certified Developer Program Study Guide March 2008 17 a Online Payment Processing Review Questions Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 Indicate if each statement is True T or False F The most critical step in establishing an online store is ensuring that you can accept customer payments for single or repeated transactions According to Cybersource Corp businesses lost nearly 2 8 billion USD to online fraud in 2005 down from 3 0 billion USD in 2004 The payment processing network connects buyers sellers and banks to enable the secure and reliable execution of online transactions By providing affordable payment connections among merchants customers and financial networks PayPal s solutions take advantage of the latest technical resources to streamline transactions whi
77. complete the checkout process without ever leaving your site For more information on Payflow Pro go to https www paypal com cgi bin webscr cmd _payflow pro overview outside Payflow Link This service is designed for merchants who require a simple solution to selling on the web In order to use this service you need to add only a small piece of HTML code that will link your customers to order forms hosted by PayPal This simple package allows you to process payments by credit cards debit cards and checks online and offline It also works with most major shopping carts For more information on Payflow Link go to https Avww paypal com cgi bin webscr cmd _payflow link overview outside 3 Do you need a basic payment processing service Look first to a basic PayPal service for processing credit cards payments These include PayPal Email Payments Email Payments lets you send customers email invoices that they can pay on PayPal This simple solution does not require you to have a shopping cart or an internet merchant account For more information on PayPal Email Payments go to https www payvpal com cgi bin webscr cmd _email payments overview outside PayPal Virtual Terminal Virtual Terminal provides your business with the same functionality as a stand alone credit card processing terminal but allows you to accept credit card payments by phone fax and email You can use Virtual Terminal on any
78. containing the Buy Now Button Click the Buy Now Button Log in using your test buyer account os A Follow the on screen instructions to complete your test payment Verifying a Test Payment 1 Log in to https developer paypal com and click the Test Email tab Your Sandbox inbox shows payment confirmation email messages for the seller and buyer 2 To further verify that the payment was successful Check your web server for IPN notifications related to the payment Launch the Sandbox as your test buyer or seller account and navigate to My Account gt Overview to see the transaction in your Recent Activity PayPal Certified Developer Program Study Guide March 2008 119 ES Sandbox Testing Testing PayPal Website Features Handling Pending Transactions Transactions typically are credited to your PayPal account instantly after the buyer completes the transaction however a buyer might select a payment method that is not completed instantly In these cases the transaction goes into a pending state and the transaction is completed after a couple of days The following sections describe how to set up pending status transactions that can be either completed or canceled Creating a Pending Transaction 1 Log in to https developer paypal com click the Test Accounts tab select a buyer personal or premier test account and click Enter Sandbox Test Site 2 Log in to your test buyer account and create a transaction
79. count on the Test Email tab Visit the PayPal Developer Community to get answers to integration questions or Your test accounts are listed below You must have a test business account to represent a to file a support ticket A E A 5 merchant and a test personal account to represent a buyer To simulate an action on the live site paypal com select a test account and click Enter Sandbox Test Site Learn More Test Accounts Create Test Account Login Email Type Country Status Test Mode o buyer_1191002706_per gmail Personal United States Verified N A com D View Details Enter Sandbox Test Site Delete NoTE The Login Email is a pseudo randomized address based on the address you specified Credit card and bank account numbers also are generated randomly PayPal Certified Developer Program Study Guide March 2008 113 Sandbox Testing Setting Up Test Accounts Creating a Business Account To create a seller with a Business account follow these steps 1 After logging in select Test Accounts and click the Create Test Account link 2 For the Account Type choose Seller Make other selections or accept the defaults See the screenshot below Sandbox Home Test Accounts Test Email Create a Sandbox Test Account API Credentials zi en After creating the account your can delete the account or you can provide additional information in the Sandbox Test Site Can We Help Visit the PayPal Devel
80. cters Possible Values See description See AVS Response Codes on page 155 See CVV2 Response Codes on page 156 See description 84 March 2008 PayPal Certified Developer Program Study Guide Direct Payment API Authorization amp Capture Authorization amp Capture PayPal assumes that at the end of the checkout process the merchant makes a final sale and payment transaction through PayPal If at the point of sale the merchant does not know the complete cost of the order for example if the shipping handling and tax are not precisely known or there is an upsell a transaction can be authorized that can be captured later with Authorization amp Capture PayPal uses Authorization amp Capture in both Direct Payment and Express Checkout For more information about Authorization amp Capture see Authorization amp Capture APIs on page 87 Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 True or false If the merchant s application uses Direct Payment the name PayPal does not appear on the customer s credit card statement 2 How does PayPal determine if the CVV2 parameter is required in the DoDirectPayment request PayPal Certified Developer Program Study Guide March 2008 85 Direct Payment API Review Questions 86 March 2008 PayPal Certified Developer Program Study Guide Transactions In this chapter yo
81. d in the reference information for the API How the application handles the fields depends on the particular API method called such as filling in a form updating a database and so on ACK Parameter Values Table 5 4 lists the possible values for the ACK parameter TABLE 5 4 ACK Parameter Values Type of Response Value Successful response Success SuccessWithWarning Error response Error Error Responses If the ACK value is Error the API response fields are not returned The general format of an error response is described in Table 5 5 TABLE 5 5 Format of an Error Response Response ACK Error amp TIMESTAMP date timeOfResponse amp CORRELATIONID fields on debuggingToken amp VERSION 3 3 amp BUILD buildNumber amp error ERRORCODEO errorCode amp L_SHORTMESSAGEO shortMessage amp ONGMESSAGEO0 longMessage amp L_SEVERITYCODEO0 severityCode PayPal Certified Developer Program Study Guide March 2008 57 58 Name Value Pair NVP API Review Questions Multiple errors can be returned Each set of errors has a different numeric suffix starting with 0 and incrementing by 1 for each error For possible causes of errors and how to correct them see the error message reference information in PayPal Name Value Pair API Developer Guide and Reference Posting Using HTTPS The web application posts the URL encoded NVP string over an HTTPS connec
82. dable payment connections among merchants customers and financial networks PayPal s solutions take advantage of the latest technical resources to streamline transactions while helping to prevent fraud Products including Payflow Link Payflow Pro Website Payments Standard and Website Payments Pro allow everyone from mom and pop online retail stores to enterprise level businesses to process transactions easily reliably and securely PayPal s Fraud Protection Services and Recurring Billing Service for Payflow along with other customer service packages include professional integration support Most importantly Payflow offers one of the industry s few payment processing services with immediate connectivity to all major processors and most shopping carts Note however that you do not need a PayPal account to process credit cards on your website Once you have your own website ask a few simple questions to determine which product is right for you 1 Do you need an all in one solution that includes an internet merchant account and allows you to process credit cards online If you don t have your own internet merchant or business bank account PayPal can provide a total solution with its Website Payments Standard and Website Payments Pro solutions Website Payments Pro Website Payments Pro is an all in one payment solution that allows customers to shop and pay on your site You can accept credit cards directly on March 2008
83. dbox Test Site Delete NoTE The Login Email is a pseudo randomized address based on the address you specified Credit card and bank account numbers also are generated randomly Verified Account Status By default a test account has a confirmed bank account and email addresses To create an unverified account change the bank account to unconfirmed Adding a Funding Source To test transactions you must add a source of funds to your buyer test account The following sections describe your choices 1 Changing or Adding Additional Bank Accounts on page 115 You can add bank accounts but they will not contain funds unless you use Send Money to send the money to the bank account holder 2 Adding Credit Cards on page 117 For testing this is the most efficient way to add funds Note No money or funds are transferred in the Sandbox however to protect confidentiality do not use actual credit card numbers or bank accounts if you allow other people to log in to your Sandbox account Changing or Adding Additional Bank Accounts You add a bank account to the Sandbox test account representing a customer or buyer so you can test transactions between the buyer s account and another account typically the other account is a business account that represents yourself as a merchant Adding a bank account also changes the account status from Unverified to Verified PayPal Certified Developer Program Study Guide Ma
84. dbox and confirm details You must log in to ttps developer pavpal com and select the test account that represents the buyer not the AP _username business test account that represents you as the merchant Then click Enter Sandbox Test Site When you confirm the Sandbox redirects your browser to the return URL you specified when calling SetExpressCheckout as in the following example http www YourRetumURL com token EC 1NK66318YB717835M amp PayerID 7AKUSARZ7SAT8 5 Invoke a form on your site that calls the GetExpressCheckout API on the Sandbox lt form method post action https api 3t sandbox paypal com nvp gt lt input type hidden name USER value API_usemame gt lt input type hidden name PWD value API_password gt lt input type hidden name SIGNATURE value API_signature gt lt input type hidden name VERSION value 3 3 gt lt input name TOKEN value EC 1NK66318YB717835M gt lt input type submit name METHOD value GetExpressCheckoutDetails gt lt form gt PayPal Certified Developer Program Study Guide March 2008 127 ES Sandbox Testing Testing PayPal NVP APIs If the operation was successful the GetExpressCheckout API returns information about the payer such as the following TIMESTAMP 2007 2d04 2d05T23 3a44 3a112 amp CORRELAT IONID 6b174e 9bac3b3 amp ACK Success amp VERS ION 3 3e300000 amp BUILD 1 2e0006 amp TOKEN EC 2d1NK66318YB717835M
85. des CVV2 Response Codes Table B 4 lists the CVV2 response codes for U S credit cards Visa MasterCard Discover and American Express TABLE B 4 CVV2 Response Codes CVV2 Code Beal set Gas rg ee tS Meaning Match No match Not processed Service not supported Service not available No response Matched Details CVVv2 None Not applicable Not applicable Not applicable Not applicable March 2008 PayPal Certified Developer Program Study Guide Glossary A Address Verification System AVS A system used to verify the identity of a credit card holder API certificate A file downloaded from PayPal that includes a key and certificate that identify a developer An API certificate must be installed on a web server therefore it is an option only if the developer has full control of the web server API credentials A set of data that uniquely identifies a developer to the PayPal API server The credentials are attached to every API call API password This is automatically generated and assigned by PayPal It is a randomly generated string of 16 characters API signature An encrypted string value included with each API call API username This is assigned by PayPal Although the API username is based on the email address used to set up the credentials it is not the same as the email address used to log in to the PayPal website Authorization amp capture APIs A
86. dress 76 request 62 response 65 workflow 60 F Federal Trade Commission 33 fraud detection in Sandbox 106 Fraud Protection Services 14 28 34 44 G German bank account info 116 GetExpressCheckoutDetails 160 request 66 response 66 getting started 43 GetTransactionDetails request 99 response 99 identify theft 25 Instant Payment Notification IPN activating 100 processing 101 shared secret validation 101 validating 101 workflow 100 Instant Payment Notification See ZPN Institution Number 116 internet fraud 23 25 26 internet merchant account 43 IPN ipn_test variable 121 technical overview 121 testing in Sandbox 121 L liability 24 MasterCard 33 merchant 12 merchant identity theft 25 N name value pair API servers 58 definition 53 format 54 integrating with PayPal 53 request 54 56 request response model 54 response 54 57 samples 53 name value pair NVP APIs 125 March 2008 PayPal Certified Developer Program Study Guide negative testing 129 O OpenSSL 49 Order Review page 76 P Payflow Gateway products 15 Payflow Link 14 15 17 43 Payflow Pro 14 15 17 43 paying 123 Payment Card Industry PCI Data Security Standard 13 24 31 payment processing authorization 12 payment processing network 11 payment processing service 12 payment processing services 43 payment processing settlement 13 PayPal as an Additional Payment Option 16 PayPal Email Payments 15 PayPal Sandbo
87. e Test Accounts tab You can create and delete test accounts and enter the Sandbox Test Site which simulates the live paypal com site For more information see Setting Up Test Accounts on page 111 e Access email sent to test accounts from the Test Email tab For more information see Test Email on page 110 e View API credentials for business test accounts from the API Credentials tab An API signature which is the preferred kind of credential is created automatically when you create a Business test account You need the information on this tab when you test APIs e Obtain technical information about PayPal products and APIs using the Help link e Change the login password using the Profile link NoTE You cannot change the Log In Email address Test Email When certain kinds of transactions occur in the live PayPal system PayPal sends email messages to the real email addresses of the participants From these email messages the recipient or initiator of an event or transaction can verify that the event took place and the monetary amounts associated with the event are correct March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Setting Up Test Accounts PayPal test email however is a self contained email system in the Sandbox itself You see email messages addressed only to the Sandbox test accounts you set up Up to 30 of the latest email messages are listed on the Test Email tab The sub
88. e amount charged for the transaction Amount deposited in the merchant s PayPal account if there is a currency conversion Tax charged on the transaction if any Exchange rate if a currency conversion occurred Relevant only if the merchant is billing a currency other than the customer s primary currency If this is the case the conversion occurs in the customer s account Character length and limitations a decimal multiplier 90 March 2008 PayPal Certified Developer Program Study Guide Transactions aaa Authorization amp Capture APIs TABLE 8 2 DoCapture Response Fields Continued Field Description PAYMENTSTATUS The status of the payment e None No status e Canceled Reversal A reversal was canceled For example the merchant won a dispute with the customer and the funds for the transaction that was reversed were returned e Completed The payment was completed and the funds were added successfully to the merchant s account balance e Denied The merchant denied the payment This happens only if the payment was previously pending because of possible reasons described in the PENDINGREASON element e Expired The authorization period for this payment was reached e Failed The payment failed This happens only if the payment was made from the customer s bank account e Pending The payment is pending For more information see the PENDINGREASON field e Refunded The
89. e to criminals Criminals know that you have limited time for fraud protection when sales volumes are high That s why internet fraud triples in the fourth quarter Criminals watch for special offers They know that you have limited time for fraud protection measures when sales volumes are high The purchase of these goods doesn t require physical address information making it easier for criminals to disguise a fraudulent transaction Criminals take advantage of sophisticated spidering techniques to identify merchants with network vulnerabilities and can then break into your network to steal account access information for hijacking or merchant takeovers 4 List two actions you can take to ensure that each transaction your website accepts and processes is valid Select any two Authenticate buyer when possible Screen orders for fraud patterns Review suspicious transactions March 2008 147 OA Answers to Review Questions Chapter 2 5 Fill in the blanks to complete the following statements PayPal leverages the Secure Sockets Layer SSL protocol which provides crucial online identity and security to help establish trust between parties involved in e commerce transactions Using SSL with an encryption key length of 128 bits the highest level commercially available PayPal automatically encrypts your confidential information in transit from your computer to ours PayPal s serve
90. eaningful such as paypal _live cert pem it is not necessary to keep the txt suffix This will differentiate a live API certificate from one used in the PayPal Sandbox Encrypt the API Certificate Note This step is required only with the PayPal SDK for Java NET or Classic ASP 1 Install the OpenSSL encryption tool on the system where the encryption will be performed Make sure to include OpenSSL in the system s PATH variable 2 Open a command prompt 3 Go to the directory that contains the certificate to be encrypted 4 Execute the following command openssl pkcs12 export in cert key pem txt inkey certificateName out paypal cert pl where certificateName is the name of the API certificate to be encrypted 5 When prompted enter an encryption password This is the Private Key Password 6 The encryption creates a file named paypal_cert p12 Rename this file to something more meaningful and note the file location This is the encrypted API certificate Install the API Certificate NoTE This step is required only with the PayPal SDK for NET or Classic ASP To use the API certificate with the NET platform the certificate must be imported into the Windows Certificate Store This is a Windows requirement not a PayPal requirement To import the API certificate into the Windows Certificate Store use the Windows HTTP Services Certificate Configuration Tool or WinHttpCertCfg exe This tool is freely available as part of
91. ed Developer Program Study Guide March 2008 71 az Express Checkout Express Checkout API Reference Information TABLE 6 7 DoExpressCheckoutPayment Response Fields Continued Field Description AMT The final amount charged including any shipping and taxes from the Merchant Profile Limitations Must not exceed 10 000 USD in any currency No currency symbol Regardless of currency decimal separator is a period and the optional thousands separator is a comma Equivalent to 9 characters maximum for USD Possible values Transaction specific CURRENCYCODE A three character currency code for one of the PayPal supported transactional currencies Default value USD FEEAMT PayPal fee amount charged for the transaction Limitations Must not exceed 10 000 USD in any currency No currency symbol Regardless of currency decimal separator is a period and the optional thousands separator is a comma Equivalent to 9 characters maximum for USD Possible values Transaction specific SETTLEAMT Amount deposited in the merchant s PayPal account after a currency conversion Possible values Transaction specific TAXAMT Tax charged on the transaction Limitations Must not exceed 10 000 USD in any currency No currency symbol Regardless of currency decimal separator is a period and the optional thousands separator is a comma Equivalent to 9 characters maximum for USD Poss
92. em in a timely fashion and making it easy to do so you are gaining their loyalty A clear return policy also comes in handy if the order arrives damaged So make it easy for them to initiate returns Spell out exactly what your return policy is for example that you accept returns only as exchanges or you accept returns and will credit their payment card Be specific about how many days after purchase the item can be returned in order to get a credit or exchange Let them know if you charge a restocking fee on returns Include a return shipping label with every order Provide clear return instructions such as asking for a reason for the return and a telephone number in case you have questions Provide guidance on how to pack the return and where they should bring it to ship it back to you Include your customer service number or email address in case customers have questions or comments 5 Contact information Keep the channels of communication open Make it easy for your customers to get in touch with you Give examples of reasons they may want to contact you for example questions about privacy policy return policy availability of goods etc Provide a phone number and give the days and hours the phone lines are answered Provide an email address and give a timeframe when an answer can be expected Provide a mailing address and suggest to whose attention it should be addressed PCI Data Secu
93. ent NOTE If this value is set to Sale on SetExpressCheckoutRequest it cannot change to Authorization on the final DoExpressCheckoutPaymentRequest Character length and limit Up to 13 single byte alphabetic characters Default Sale Email address of the customer as entered during checkout PayPal uses this value to prefill the PayPal membership sign up portion of the PayPal login page Character length and limit 127 single byte alphanumeric characters Description of items the customer is purchasing Character length and limit 127 single byte alphanumeric characters A free form field for the developer s own use such as a tracking number or other value for PayPal to return in the GetExpressCheckoutDetails response and DoExpressCheckoutPayment response Character length and limitations 256 single byte alphanumeric characters The merchant s own unique invoice or tracking number PayPal returns this value in the DoExpressCheckoutPayment response Character length and limit 127 single byte alphanumeric characters The value 1 indicates that the merchant requires that the customer s shipping address on file with PayPal be a confirmed address NOTE Setting this field overrides the setting specified in the Merchant Account Profile Character length and limitations single byte numeric character Allowable values 0 1 Default value 0 The value 1 indicates that on the PayPal pages no shipping
94. ent Processing Network The payment processing network connects sellers buyers and banks to enable the secure and reliable execution of online transactions Sellers need an internet merchant account with an acquiring bank that allows them to accept customer credit cards electronically Customers need a bank that issues credit cards and verifies the customer s credit limit and available cash balance for proposed purchases The elements and participants include individuals institutions and processes and services PayPal Certified Developer Program Study Guide March 2008 11 wl Online Payment Processing How Online Payment Processing Works Individuals e Merchant Someone who sells goods or services e Customer The holder of the payment instrument Institutions e Customer issuing bank The institution providing the customer s credit card e Acquiring bank Provides internet merchant accounts required to enable online card authorization and payment processing e Credit card associations Financial institutions that provide credit card services in concert with credit card associations such as Visa and MasterCard e Processor A large data center that processes credit card transactions and settles funds for merchants A processor can be either a bank or a company dedicated to providing these services Ceridian is an example of a payment processor Processes and Services e Authorizations The process of verifying that customer credit
95. er data 2 Regularly test security systems and processes 3 Develop and maintain secure systems and applications 4 5 Protect Cardholder Data i 4 Encrypt transmission of cardholder data and 3 7 Maintain a Vulnerability sensitive information across public networks Management Program 5 Protect stored data 6 Assign a unique ID to each person with computer access 1 6 12 Implement Strong Access Control Measures 7 Use and regularly update antivirus software 2 9 Regularly Monitor and Test Networks 8 Do not use vendor supplied defaults for system passwords and other security parameters 9 Track and monitor all access to network resources 10 Maintain an Information Security and cardholder data Policy 10 Maintain a policy that addresses information security 11 Install and maintain a firewall configuration to protect data 12 Restrict access to data by business need to know 9 Define the following standard antifraud features included with each PayPal Payflow Gateway solution Card security code A three or four digit number printed on the physical card which a customer provides to you at checkout Address verification system AVS A system that verifies the credit card holder s personal address and billing information 10 Indicate if each statement is True T or False F T PayPal s Basic Fraud Protection Service is the ideal solution for merchants who process low transaction volumes through a Payflow p
96. er to define the application requirements and ensure that your application complies with PayPal standards This guide describes PayPal standards as they apply to each component of a merchant application 5 Customize your payment processing service with additional services Protect the business and customers from fraud Fraud Protection Services From simple automated credit card fraud screening to enterprise grade perimeter security services PayPal can save you time and money while protecting your business Express Checkout Provides your customers with a secure and convenient payment flow because they don t have to re enter information already stored in their PayPal account Accept repeat payments from customers Recurring Billing Service A fast cost effective way to accept repeat payments for installment plans monthly fees or subscription based services Offer customers an alternative to credit card payments Providing customers with a variety of payment choices including credit cards and PayPal has been shown in several industry studies to contribute to an increase in revenue For More Information For additional PayPal product and pricing information call 1 888 847 2747 send an email to paymentsales paypal com or visit the PayPal Merchant Services section of the PayPal website at www paypal com PayPal Sandbox The PayPal Sandbox is a self contained environment in which developers can prototype and test
97. erated information as is 6 Click Add Credit Card Generating a Credit Card Number to Test PayPal Account Optional To obtain a test credit card number for testing PayPal Account Optional 1 Select a buyer s test account and click Enter Sandbox Test Site Navigate to My Account gt Profile Under the Financial Information header click the Credit Cards link A Y N Make a note of the credit card number for use in later testing Signing Up for Website Payments Pro To sign up for Website Payments Pro create a Business account as described in Creating a Business Account on page 114 To complete the application for Website Payments Pro you must enter a Social Security Number You can enter a Social Security Number in the following format 111XXXXXX where x is any digit Norte You cannot use a Social Seuciryt Number that is already recorded for another account in the Sandbox PayPal Certified Developer Program Study Guide March 2008 117 118 Sandbox Testing Testing PayPal Website Features Testing PayPal Website Features Website This chapter describes PayPal products features you can test in the Sandbox without PayPal APIs Website Payments with Buy Now Buttons Use the Sandbox to test accepting PayPal as a payment mechanism on a website Shopping Cart Purchases Use the Sandbox to test the purchase of multiple items in a single transaction using a single payment Instant Payment No
98. erchant account A gateway that provides a secure connection between your online store and your internet merchant account Scalable and fully customizable this solution is recommended for merchants who require peak site performance and direct control over payment functionality on their site Merchants using this service can enhance the customer experience by allowing shoppers to complete the checkout process without ever leaving your site Allows merchants to put the PayPal logo on their own website to accept PayPal as an alternative payment source in addition to credit cards such as MasterCard or Visa An all in one payment solution that allows customers to shop and pay on your site You can accept credit cards directly on your site and get the features of a merchant account and gateway through a single provider at a lower cost A gateway that provides a secure connection between your online store and your internet merchant account This service is designed for merchants who require a simple solution to selling on the web In order to use this service you need to add only a small piece of HTML code that will link your customers to order forms hosted by PayPal Provides your business with the same functionality as a stand alone credit card processing terminal but allows you to accept credit card payments by phone fax and email Lets customers shop on your website and pay on PayPal It offers a pay pe
99. erchants who require a simple solution to selling on the web In order to use this service you need to add only a small piece of HTML code that will link your customers to order forms hosted by PayPal PayPal Virtual Terminal Provides your business with the same functionality as a stand alone credit card processing terminal but allows you to accept credit card payments by phone fax and email PayPal as an Additional Payment Lets customers shop on your website and pay on Option PayPal It offers a pay peruse model with no set up or monthly fees It includes shipping and tax calculators reporting tools to measure your business and support for international currencies 20 March 2008 PayPal Certified Developer Program Study Guide Online Payment Processing Review Questions 7 Select the PayPal payment processing solutions that enable a customer to checkout on the merchant s website ____ Website Payments Pro _____ Website Payments Standard ____ Payflo Pro ___ Payflow Link _____ Email Payments ___ Virtual Terminal ____ PayPal as an Additional Payment Option 8 Select the PayPal payment processing solutions that require API or HTML technical skills to develop payment processing applications _____ Website Payments Pro _____ Website Payments Standard ____ Payflo Pro _____ Payflow Link Email Payments ___ Virtual Terminal ____ PayPal as an Additional Payment Option PayPal Certified Developer Program Study Guide March 2008
100. ering enabled in your mail software the email sent by PayPal might be filtered out or stored in a folder where you do expect it to be located For instance with Microsoft Outlook mail software your filtering might cause the email to be stored in Junk or Spam 4 Respond to the confirmation e mail and log in PayPal Certified Developer Program Study Guide March 2008 109 110 Sandbox Testing Accessing the PayPal Sandbox Welcome to the PayPal Sandbox When you log in to the Sandbox the Sandbox Test Environment home page appears 3 p PayPal Developer Central A Sandbox Test Accounts Test Email Put YC Cc e to the test API Credentials Can We Help The Sandbox Test Environment create and manage test accounts and their email and API credentials You can also get developer resources in Help visit the PayPal Developer Community to get answers to integration questions or to file a support ticket Create accounts to test your PayPal interface Test Accounts Test Email Access email sent to your test accounts API Credentials Manage API credentials for your test accounts Fees Privacy Security Center Contact Us User Agreement PayPal an eBay Company Copyright 1999 2007 PayPal All rights reserved Teviewedb PT TRUSTU BBBOnLine Information about FDIC pass through insurance On this page you can perform the following actions e Manage test accounts from th
101. esources About Disclosure and Compliance PayPal Fraud Protection Services 20000 eee eee Detailed Service Descriptions 22 0 00222200 PayPal Fraud Protection Services Upgrade Options Review Questions 2 4 2 au d a dow oh Go a a ew ce Ge a ed we PayPal Certified Developer Program Study Guide March 2008 11 11 11 12 12 12 12 12 13 13 14 18 all Contents Chapter 3 Getting Started With Account Setup 43 Basic Steps for Getting Started 0 0 e e 43 PayPal Sandbox a e e a e a a a a a a a a L a E a 44 Review Question oaoa oaa a ee 45 Chapter 4 API Credentials aoao a 2 4 46484 e vA What API Credentials Are ooa a aa a 47 Choosing an Authentication Method aooaa a a 47 Establishing API Credentials 2 2 a 48 API Signature sha add Aa aa daw es 48 API Certificate 6 3 448 ded tet ee ek bed et ee ak a eee de A 48 Using API Credentials cig aca ce ee a a ee Re Oe ee ee ee 50 Review Questions 51 Chapter 5 Name Value Pair NVP API 4 4 93 Integrating with the PayPal API 2 200000222200 53 BASIC Steps sae ea eK oa ba EOE a Pe Pde PS RP RPE a d 53 Create a Web Application 0 0002 eee ee ees 53 Get API Credentials 2 2 2200002 eee ee ee 53 Create and Post the Request 000000 eee ee eee 54 Interpret the Response
102. fessionals who constantly monitor your business for suspicious activities and take action to protect it Account Monitoring provides e Security Our full time protection keeps an eye on suspicious activity related to credits and refunds e Assistance Our security professionals help prevent fraud by blocking settlements of suspicious transactions If loss occurs we work with law enforcement and your bank to assist in recovery e Prevention We give customized recommendations to avoid future fraud e Ease of use No lengthy set up or configuration process Buyer Authentication Buyer Authentication provides the Verified by Visa and MasterCard SecureCode By adding Buyer Authentication to your Basic or Advanced Fraud Protection Service your business receives merchant liability protection on qualified credit card transactions Buyer Authentication gives you e Single pre integrated solution Add Buyer Authentication and take full advantage of both services without wasting staff and infrastructure resources integrating them yourself March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention EN Review Questions e Extra security measure At checkout customers are required to enter a password to verify their identity with their credit card company e Maximum protection Once the cardholder s password is authenticated Visa and MasterCard cover the merchant s liability for that transact
103. force or simulate an error on the live site You must create a Business test account and enable negative testing otherwise setting a value in the API or transaction will not raise an error unless the error would be raised in the default positive test environment To enable negative testing set Test Mode to Enabled The following screen shows two Business accounts The first test account enables negative testing and the second account disables negative testing PayPal Certified Developer Program Study Guide March 2008 129 130 Sandbox Testing Testing Error Conditions Home Sandbox Sandbox Test Certificates Email Forums Help Center The Sandbox is a safe testing environment where you can test PayPal payments and API calls The Sandbox is a mirror of the real PayPal site except that real financial transactions are not made Learn More Test Accounts Create Account User lo lo Type Business us U S Business us U S CountryCode Country Balance Confirmed Verified a 0 00 USD Yes Unverified Enabled 0 00 USD Yes Unverified Disabled To test Virtual Terminal you must set risk controls for address verification and credit card security respectively to Decline or Accept and Report depending on the kind of negative testing you want to perform If you do not set the appropriate risk controls default processing occurs which is to accept the transaction Severe error conditions such as bad arguments
104. further notice Contents Chapter 1 Online Payment Processing Online Selling Basics s e ss saama asiradi ranea ra aa The Payment Processing Network a aoaaa 2 e eo lindividuial 2 2 105 42 2 2 rs dr ob ed a de a INSUUIONS He lt i ct tare ast tay ete Ge thet eR Sea ape cca Ode Mar Ae Peaks a shat oe Processes and Services o How Online Payment Processing Works 0 0 000 eee eee Payment Processing Authorization 0 000204 eae Payment Processing Settlement o aoa aa a What to Look for in an Online Payment Processing Solution PayPal s Payment Processing Solutions 0 20 02500 Review Questions a a a a a a a a a Chapter 2 Internet Security and Fraud Prevention Why Every Business Should Be Concerned About Internet Fraud Liability for Internet Fraud 0 o o Internet Fraud What It ls and How lt Happens Who Is at Risk for Online Fraud 2 aa e Reducing Exposure to Fraud 0 0000 eee ee eee What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud What PayPal Is Doing to Protect Your Business Against Fraud How to Reduce Chargebacks 2 000052 ee eee Disclosure and Compliance a a a Disclosure Policy e e ta ee ee PCI Data Security Standard Compliance 2 2 Additional R
105. he body of the notification email 9 Click Continue March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing Testing PayPal NVP APIs 10 On the Request Money Confirm page click Request Money This triggers the actual request for funds 11 Navigate to the My Account gt Overview tab The request for money should be listed 12 Log in as the buyer and navigate to the My Account gt Overview tab to see the transaction for the buyer s test account The transaction for the request for money appears on the My Account gt Overview tab with Pay and Cancel buttons Click Pay and in the confirmation window click Send Money This completes the transfer of requested funds To view the email messages sent to both test accounts select the Test Email tab For details about your Sandbox email see Test Email on page 110 Testing PayPal NVP APls This chapter describes how to test the Express Checkout name value pair NVP API in the Sandbox For more sophisticated examples PayPal recommends you use the PayPal SDK that matches your environment such as PHP or ASP You also can use this chapter for ideas on how to establish a general testing procedure for PayPal APIs called from your site PayPal Certified Developer Program Study Guide March 2008 125 ee Sandbox Testing Testing PayPal NVP APIs Testing Express Checkout The following diagram shows the Express Checkout flow which uses the Sandbox as the API
106. heckoutPayment Response Fields 71 DoDirectPayment Request Parameters 80 DoDirectPayment Response Fields 0 84 DoCapture Request Parameters ee 88 DoCapture Response Fields 89 DoVoid Request Parameters 91 DoVoid Response Fields 2 2 92 DoReauthorization Request Parameters 92 DoReauthorization Response Fields 92 RefundTransaction Request Parameters 94 RefundTransaction Response Fields 94 TransactionSearch Request Parameters 95 PayPal Certified Developer Program Study Guide March 2008 EN List of Tables Table 8 10 TransactionSearch Response Fields 98 Table 8 11 GetTransactionDetails Request Parameters 99 Table 9 1 Differences between PayPal Sandbox and Live PayPal 105 Table 9 2 API Fields That Trigger Error Conditions 130 Table 9 3 AVS Error Conditions and Triggers 134 Table 9 4 CVV Error Conditions and Triggers 0 000 004 138 Table B 1 ShippingAddress 2 2 sakes tader adr eraa Ena 153 Table B 2 PayPal Supported Currencies and Currency Codes for Transactions 154 Table B 3 AVS Response Codes a a a a 155 Table B 4 CVV2 Response Codes a a
107. hniques to identify merchants with network vulnerabilities and can then break into your network to steal account access information for hijacking or merchant takeovers High visibility merchants Fraud attempts are higher for merchants who advertise heavily or are in the news because criminals know that merchants who experience high transaction volumes have less time to defend against fraud Products Services Sold Potential Risk High ticket physical goods that are easily These items including luxury goods computers and other resold electronic equipment are most attractive to criminals Goods that can be downloaded from the The purchase of these goods doesn t require physical address internet information making it easier for criminals to disguise a fraudulent transaction March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention ER Reducing Exposure to Fraud TABLE 2 1 High Fraud Risk Quick Reference Customer Base Potential Risk International It is difficult to validate the address or identity of foreign buyers and it is more difficult to investigate and prosecute fraudulent activity from an overseas source Sales Season Potential Risk Heavy proportion of fourth quarter sales Criminals know that you have limited time for fraud protection when sales volumes are high That s why internet fraud triples in the fourth quarter Special promotions Criminals watch for special offe
108. ible values Transaction specific EXCHANGERATE Exchange rate if a currency conversion occurred Relevant only if the merchant is billing in a currency other than the primary currency If a conversion must occur it occurs in the customer s account Character length and limitations A decimal that does not exceed 17 characters including the decimal point Possible values Transaction specific PAYMENTSTATUS Status of the payment e Completed The payment has been completed and the funds have been added successfully to the merchant s account balance e Pending The payment is pending See the PENDINGREASON element for more information 72 March 2008 PayPal Certified Developer Program Study Guide Express Checkout e Button and Logo Placement and Use TABLE 6 7 DoExpressCheckoutPayment Response Fields Continued Field Description PENDINGREASON The reason the payment is pending e none No pending reason e address The payment is pending because the customer did not include a confirmed shipping address and the merchant s Payment Receiving Preferences are set such that the payments must be manually accepted or denied To change these preferences the merchant must go to the Preferences section of the Profile e echeck The payment is pending because it was made by an eCheck that did not yet clear e int1 The payment is pending because the merchant holds a non US a
109. iew Questions 142 March 2008 PayPal Certified Developer Program Study Guide Answers to Review Questions Chapter 1 1 Indicate if each statement is True T or False F T The most critical step in establishing an online store is ensuring that you can accept customer payments for single or repeated transactions F Correct answer According to Cybersource Corp businesses lost nearly 2 8 billion USD to online fraud in 2005 up from 2 8 billion USD in 2004 T The payment processing network connects buyers sellers and banks to enable the secure and reliable execution of online transactions T By providing affordable payment connections among merchants customers and financial networks PayPal s solutions take advantage of the latest technical resources to streamline transactions while helping to prevent fraud 2 Match each participant in the payment processing network to the role they perform Response Participant Role Performed 3 Merchant services in concert with credit card associations such 1 Customer as Visa and MasterCard 1 2 6 Customer Issuing Bank 3 Someone who sells goods or services i 4 5 The holder of the payment instrument A financial institution that provides credit card 5 Acquiring Bank A large data center that processes credit card transactions and settles funds for merchants 2 Credit Card Association An institution that provides merchant accounts required to enable online ca
110. ification number No Character length 64 single byte characters ShippingAddress An optional shipping address as described in No ShippingAddress Parameter on page 153 ShippingAddress is optional but if it is included certain fields are required DoExpressCheckoutPayment Response A DoExpressCheckout Payment response is sent by the PayPal server after an Express Checkout transaction TABLE 6 7 DoExpressCheckoutPayment Response Fields Field Description TOKEN The timestamped token value that was returned by the SetExpressCheckout response and passed by the GetExpressCheckoutDetails request Character length and limitation 20 single byte characters TRANSACTIONID Unique transaction ID of the payment NoTE If the PaymentAction of the request was Authorization or Order this value is the AuthorizationID for use with the Authorization amp Capture APIs Character length and limitations 19 single byte characters Possible values Transaction specific TRANSACTIONTYPE The type of transaction Character length and limitations 15 single byte characters Possible values e cart e express checkout PAYMENTTYPE Indicates whether the payment is instant or delayed Character length and limitations 7 single byte characters Possible values e none e echeck e instant ORDERTIME Time date stamp of payment Possible values Transaction specific PayPal Certifi
111. information Once they ve obtained the credit card information these criminals can use it to steal products outright or open other accounts by impersonating the victim Merchant Identity Theft Just as offline criminals can break into a cash register online criminals can hack into the accounts of web merchants and funnel money to themselves These criminals might be employees or visitors to a building who copy unprotected login information They then can use the information to hack into a back end system to hijack a merchant s payment gateway account which provides the secure connection between your online store and your internet merchant account Through this move they can steal cash directly from the business by issuing themselves credit cards and payments Accessing Payment Networks Once criminals have stolen an identity they may access a payment network to complete the fraud Most do this through two primary channels a web merchant s checkout page or a payment gateway account Although a checkout page provides convenience for both buyer and seller it can raise some security concerns For example some criminals use the page to test PayPal Certified Developer Program Study Guide March 2008 25 26 Internet Security and Fraud Prevention Who ls at Risk for Online Fraud stolen credit cards For the merchant it is crucial to use products with built in fraud protection to prevent this sort of digital theft Chargebacks Charge
112. ion Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 Indicate if each statement is True T or False F Every merchant is at risk for fraud Internet fraud is as easy to detect as in the brick and mortar world Credit card associations hold merchants liable for fraudulent transactions because the credit card is not physically present during online purchases American Express Diners Club Discover Card JCB MasterCard International and Visa U S A have adopted the Payment Card Industry PCI Data Security Standard developed to protect account and transaction information of cardholders According to Gartner Group estimates merchants reject an estimated 2 of all transactions out of suspicion of fraud while in reality 5 of transactions are actually fraudulent 2 List the four most common fraud related risks facing online merchants PayPal Certified Developer Program Study Guide March 2008 37 38 Internet Security and Fraud Prevention Review Questions Response 3 Match each participant in the payment processing network to the role they perform Risk Category Merchants with vulnerable security defenses High visibility merchants High ticket goods that are easily resold Goods that can be downloaded from the internet International customer base Heavy proportion of fourth quarter sales Special promotions 1 Potential
113. ion Required Name of the API GetExpressCheckoutDetails Yes A timestamped token the value of which was returned by the Yes SetExpressCheckout response Character length and li mitations 20 single byte characters Allowable values An unexpired token GetExpressCheckoutDetails Response The Get ExpressCheckoutDetails response provides the customer s checkout details which were stored in the PayPal system TABLE 6 5 GetExpressCheckoutDetails Response Fields Parameter TOKEN EMAIL PAYERID PAYERSTATUS SALUTATION FIRSTNAME MIDDLENAME LASTNAME Description The timestamped token value that was returned by the SetExpressCheckout response and passed in the GetExpressCheckoutDetails request Character length and limitations 20 single byte characters Email addr ess of payee Character length and limitations 127 single byte characters Unique PayPal customer account identification number Character 1 ength and limitations 13 single byte alphanumeric characters Status of payer Character 1 ength and limitations 10 single byte alphabetic characters Possible values verified unverified Payer s salutation Character ength and limitations 20 single byte characters Payer s first name Character ength and limitations 25 single byte characters Payer s middle name Character ength and limitat
114. ions 25 single byte characters Payer s last name Character ength and limitations 25 single byte characters 66 March 2008 PayPal Certified Developer Program Study Guide Express Checkout 6e Express Checkout API Reference Information TABLE 6 5 GetExpressCheckoutDetails Response Fields Continued Parameter Description SUFFIX Payer s suffix Character length and limitations 12 single byte characters COUNTRYCODE Payer s country of residence in the form of ISO standard 3166 two character country codes Character length and limitations 2 single byte characters BUSINESS Payer s business name Character length and limitations 127 single byte characters SHIPTONAME Person s name associated with this address Character length and limitations 32 single byte characters SHIPTOSTREET First street address Character length and limitations 100 single byte characters SHIPTOSTREET2 Second street address Character length and limitations 100 single byte characters SHIPTOCITY Name of city Character length and limitations 40 single byte characters SHIPTOSTATE State or province Character length and limitations 40 single byte characters SHIPTOCOUNTRYCODE Country code Character length and limitations 2 single byte characters SHIPTOZIP US ZIP code or other country specific postal code Character length and limitations 20 single byte characters ADDRESSSTAT
115. ipn IPN Notification Validation After the server receives an IPN the merchant must confirm it was received This is known as notification validation which is a means for PayPal to help prevent spoofing or man in the middle attacks A merchant can validate the notification in one of two ways e Send a shared secret that is known only to the merchant PayPal recommends this method because it ensures the validity of the data and decreases network traffic to and from the merchant s website Shared secret validation is appropriate if The merchant is not using a shared website hosting service The merchant has enabled SSL on the web server The merchant is using PayPal Encrypted Website Payments EWP The merchant uses the NOTIFYURL variable on each individual payment transaction e Send a POST back to PayPal after receiving the IPN and verifying the correctness of the data Postback is appropriate if The merchant relies on a shared hosting service The merchant does not have SSL enabled on the web server Both concepts rely on a notification URL which is the URL to which PayPal posts IPN data The notification URL can be set either with each transaction if the merchant wants to receive notifications for different transactions at different URLs or globally in the Profile Set the notification URL on a per transaction basis with the NOTIFYURL variable which must be URL encoded If the merchant se
116. itive Confirm Password Security Question select a question v Security Answer Communications Please keep me informed on PayPal s Web Services the PayPal Sandbox and Developer Central Terms of Use The User Agreement and Privacy Policy are designed to protect and inform you of your rights within the PayPal Developer Central service User Agreement Printer Friendly Version THE FOLLOWING DESCRIBES THE TERMS ON WHICH PAYPAL OFFERS YOU A ACCESS TO OUR PAYPAL DEVELOPER CENTRAL SERVICES This User Agreement Agreement is a contract between you and PayPal Inc and applies to your use of the PayPal Developer 3 Privacy Policy Printer Friendly Version The Privacy Policy below governs your PayPal Developer Central N account and any information you provide on the PayPal Developer Central site A Overview a Do you agree to the User Agreement and Privacy Policy and terms incorporated therein O Yes O No IMPORTANT Do not use the same login email address or password that you use for logging into the live paypal com site because later you may allow someone to work in the Sandbox on your behalf but not want to allow access to your regular PayPal account You can specify the same password not email address for all your test accounts so you can more easily remember it After you sign up PayPal sends login instructions to the email address you used to sign up If you have mail filt
117. its in the field e g an ID of 10623 triggers PayPal API error code 10623 Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 106 23 triggers PayPal API error code 10623 Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 106 23 triggers PayPal API error code 10623 Specify the error code to trigger as all digits in the field e g a subject of 10755 triggers PayPal API error code 10755 Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 107 55 triggers PP API error code 10755 PayPal Certified Developer Program Study Guide March 2008 131 539 Sandbox Testing Testing Error Conditions TABLE 9 2 API Fields That Trigger Error Conditions Continued API Name NVP Field Name SOAP Element Description BAUpdate MPID MpID Specify the error code to trigger as all Version 2 4 digits in the field e g an ID of 10755 triggers PayPal API error code 10755 BAUpdate REFERENCEID ReferenceID Specify the error code to trigger as all Version 3 0 digits in the field e g an ID of 10755 triggers PayPal API error code 10755 AddressVerify Not supported for negative testing Note If the trigger value is not a valid error code for the API being tested positive testing occurs for the request which migh
118. ject lines of unread email messages are in boldface To read the message click a subject line Setting Up Test Accounts Depending on the business application you are developing and testing you need different types of test accounts There are two types of test accounts Personal or Premier and Business Planning the Types of Test Accounts You Need You need to determine the types of test accounts you need to test the applications you are developing In addition you must determine the number of different accounts you need Typically you create at least one seller Business account and one buyer Personal or Premier account You might need several different Personal or Business PayPal test accounts to test your application When you create a test account the following information is generated for you e Mailing address e Email address and password for the test PayPal account You can specify the same password not email address for all your test accounts so you can more easily remember it e Security questions and answers You can use the same security questions and answers for all your test accounts so you can more easily remember them IMPORTANT Never use real email addresses or live paypal com passwords for a test account Only use fictitious information in your answers to the security questions All this data should be fictional e Personal or Business account e Your agreement to the terms of using the Sandbox For B
119. kout request with the required information estimated OrderTotal ReturnURL and CancelURL and optional fields such as MaxAmount Returns a SetExpressCheckout response with Token Adds value of Token from response as a name value pair and redirects the user s browser to https www paypal com cgi bin webscr cmd express checkout amp token value March 2008 PayPal Certified Developer Program Study Guide Express Checkout 6e Express Checkout API Reference Information TABLE 6 1 Express Checkout Flow of Control and Integration Points Continued Customer Merchant Logs in to PayPal approves PayPal use and clicks Continue or Pay Optionally sends a GetExpressCheckoutDetails request with Token to retrieve customer s information Renders page in customer s browser for the next step in checkout process such as the Order Review page Clicks Calls DoExpressCheckoutPayment API with the Confirm required elements Token OrderTotal Order button PaymentAction and PayerID returned by GetExpressCheckoutDetails response Displays final page PayPal Redirects user s browser to merchant s ReturnURL with Token value appended Returns a GetExpressCheckout Details response with PayerID email address shipping address confirmed or unconfirmed status or that shipping address and other details Returns payment info with important TransactionID value and o
120. l posts FORM variables to a URL specified by the merchant either globally in the Profile or on a per transaction basis with the NOTIFYURL variable that runs a program to process the variables The customer s payment information such as customer name and payment amount is included in the notification 3 The server validates the notification to ensure it is legitimate Because credit card and bank information are not transmitted in IPN PayPal does not require SSL to encrypt IPN transmissions Activating IPN There are two ways to activate IPN e Include the NOTIFYURL variable in the DoDirectPayment or DoExpressCheckoutPayment API call Doing this activates IPN on a per transaction basis e Inthe merchant s PayPal profile under Selling Preferences click Instant Payment Notification Preferences click Edit click the checkbox and enter the URL of the program March 2008 PayPal Certified Developer Program Study Guide Transactions c Payment Notification Integration that will process the IPN posts and click Save Doing this activates IPN for all transactions Setting Up an IPN Processing Program The data sent by IPN is in the form of name value pairs At a minimum a program must process these pairs other processing may be necessary based on the merchant s order management needs database and other factors outside the scope of this guide Code samples for several environments are available at http Awww paypal com
121. le helping to prevent fraud 2 Match each participant in the payment processing network to the role they perform Response Participant Role Performed Merchant 1 The holder of the payment instrument Customer 2 A financial institution that provides credit card services in concert with credit card associations such as Visa and MasterCard Customer Issuing Bank 3 Someone who sells goods or services Acquiring Bank 4 A large data center that processes credit card transactions and settles funds for merchants Credit Card Association 5 An institution that provides merchant accounts required to enable online card authorization and payment processing Processor The institution providing the customer s credit card 18 March 2008 PayPal Certified Developer Program Study Guide Online Payment Processing Review Questions 3 The following steps describe the payment authorization process Indicate the correct order of the steps by placing the step number to the left of each description Processor routes information to bank that issued customer s credit card Merchant s website receives customer information and sends it to payment processing service Processing service sends results to merchant Merchant decides to accept or reject purchase Customer decides to purchase online and inputs credit card information Processor routes transaction results to payment processing service Processing service routes informati
122. link in the Selling Preferences column Click Edit Click the checkbox and enter the URL where you want to receive your IPN notifications Click Save gt uN Install IPN on your web server You might want to start with one of PayPal s source code samples available at https Avww pavpal com ipn under the Code Samples section There are source code samples for several programming languages and development environments For details see Order Management Integration Guide Verifying a Test Refund To verify a test refund you must have already made a test payment Follow these steps 1 Log in to https developer pavpal com 2 Click the Test Email tab Your Sandbox inbox shows refund confirmation email messages for the seller and buyer 3 To further verify that the refund was successful Check your Web server for IPN notifications related to the refund Launch the Sandbox as your test buyer or seller account and navigate to My Account gt Overview to see the transaction in your Recent Activity Transferring Funds to a Test Account To transfer funds to a test account follow these steps 1 After logging into htips developer paypal com select a test account and click Enter Sandbox Test Site 2 Navigate to My Account gt Add Funds 3 Click the Transfer funds from a Bank Account link 122 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Testing PayPal Website Features 4 On
123. lphanumeric characters CUSTOM A free form field for the developer s own use No Character length and limitations 256 single byte alphanumeric characters 82 March 2008 PayPal Certified Developer Program Study Guide Direct Payment API Direct Payment API Reference Information TABLE 7 1 DoDirectPayment Request Parameters Continued Parameter INVNUM BUTTONSOURCE NOTIFYURL L NAMEN L_NUMBERN L_OTYn L_TAXAMTN L_AMTn Description The merchant s own invoice or tracking number Character length and limitations 127 single byte alphanumeric characters An identification code for use by third party applications to identify transactions Character length and limitations 32 single byte alphanumeric characters The URL for receiving Instant Payment Notification IPN about this transaction If this URL is not specified in the request the notification URL from the Merchant Profile is used if one exists Character length and limitations 2 048 single byte alphanumeric characters Item name Character length and limitations 127 single byte characters These parameters should be ordered sequentially beginning with 0 for example L NAMEO L_NAME1 and so on Item number Character length and limitations 127 single byte characters These parameters should be ordered sequentially beginning with 0 for example L_NUMBERO L NUMBER and so on Ite
124. lure amp L_ERRORCODE0 10603 amp L_SHORTMESSAGEO The 20buyer 20is 20restricted 2e amp L_LONGMESSAGE0 The 20buyer 20account 20is 20restricted 2e amp L _SEVERITYCODEO Error amp VERS ION 3 3e400000 amp BUILD 1 2e0006 Negative Testing With Multiple Messages The following example sets up testing for error 10009 for RefundTransaction which returns 14 possible error message sets METHOD RefundTransactiong TRANSACTIONID asdf REFUNDTYPE Partial AMT 100 09 amp VERSION 3 3 amp USER usemame amp PWD password amp SIGNATURE signature The request invokes the following response PayPal Certified Developer Program Study Guide March 2008 133 134 Sandbox Testing Testing Error Conditions TIMESTAMP 2007 2d04 2d04T03 3a10 3a23Z amp CORRELATIONID 81cccl1 8eaec4 9 amp ACK Failure amp L_ERRORCODE0 10009 amp L_SHORTMESSAGEO Transaction 20refused L_LONGMESSAGE0 You 20can 20not 20refund 20this 20type 200f 20transaction amp L_SEVERITYCODEO Error amp L_ERRORCODE1 10009 amp L_SHORTMESSAGE1 Transaction 20refused L_LONGMESSAGE1 You 20are 20o0ver 20the 20time 201limit 20tot20performs20a 20r efund 200n 20this 20transaction amp L_SEVERITYCODE1 Error amp L_ERRORCODE2 10009 amp L_SHORTMESSAGE2 Transaction 20refused amp L_LONGMESSAGE2 Account 20is 20restricted L_SEVERITYCODE2 Error amp L_ERRORCODE13 10009 amp L_SHORTMESSAGE13 Transaction 20refused amp L_LONGMESS
125. ly funds added to balance FundsWithdrawn Only funds withdrawn from balance Referral Only transactions involving referrals Fee Only transactions involving fees Subscription Only transactions involving subscriptions Dividend Only transactions involving dividends Billpay Only transactions involving BillPay Transactions Refund Only transactions involving refunds CurrencyConversions Only transactions involving currency conversions e BalanceTransfer Only transactions involving balance transfers e Reversal Only transactions involving BillPay Reversals e Shipping Only transactions involving UPS shipping fees e BalanceAffecting Only transactions that affect the account balance e ECheck Only transactions involving eCheck AMT Search by transaction amount No STATUS Search by transaction status No e Pending The payment is pending The specific reason the payment is pending is returned by the Get TransactionDetails API e Processing The payment is being processed e Success The payment was completed and the funds were added successfully to the merchant s account balance e Denied The merchant denied the payment This happens only if the payment was previously pending e Reversed A payment was reversed due to a chargeback or other type of reversal The funds were removed from the merchant s account balance and returned to the customer PayPal Certified Develope
126. m quantity Character length and limitations Any positive integer These parameters should be ordered sequentially beginning with 0 for example L_OTYO L OTY1 and so on Item sales tax Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma 6 These parameters should be ordered sequentially beginning with 0 for example L TAXAMTO L TAXAMT1 and so on Cost of the item Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma 6 These parameters should be ordered sequentially beginning with 0 for example L_AMTO L_AMT1 and so on If a value for L_AMTn is specified there must be a value for IT EMAMT Required No No PayPal Certified Developer Program Study Guide March 2008 83 7 Direct Payment API Direct Payment API Reference Information TABLE 7 1 DoDirectPayment Request Parameters Continued Parameter CVV2 EMAIL STREET2 PHONENUM ShippingAddress Description Card Verification Value version 2 Required See The Merchant Account settings determine whether this field is required description Contact a PayPal Account Manager for more information
127. me z Card Type Visa v Card Number 401123825125607 A g Expiration Date 0 v 2008 Card Security Code pog MRE On the back of your card locate the final 3 digit number What s this Using Amex Address Line 1 Address Line 2 City State ZIP Code Email Address Home Telephone Shipping Address No shipping address required Use the same above billing address as the shipping address Enter a separate shipping address When you try to process the transaction the following AVS error message appears from Virtual Terminal PayPal Log Out Security Center Overview Add Funds ES Profile Virtual Terminal Order Entry Form Secure Transaction A 10555 This transaction cannot be processed e Filter Decline e Processor Response Code 0000 AVS A Address only match e CW M Pass Reference F1OCC2B1F2B34 136 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing EE Testing Error Conditions The following example sets up testing for AVS code A and error code 10755 in DoDirectPayment for which AVS code A indicates no zip code is specified and results in an error if the Partial Address Match risk control is set regardless of whether other errors occur Testing an AVS Code Using DoDirectPayment METHOD DoDirect Payment amp CREDITCARDTYPE VISAS ACCT 46830754105166848 EXPDATE 1120078 CVV2 808 amp AMT 107
128. merchant refunded the payment e Reversed A payment was reversed due to a chargeback or other type of reversal The funds were removed from the merchant s account balance and returned to the customer The reason for the reversal is specified in the REASONCODE element Processed A payment was accepted e Voided An authorization for this transaction was voided DoVoid Request Use a DoVoid request to request a void for an authorization TABLE 8 3 DoVoid Request Parameters Parameter Description Required METHOD Name of API DoVoid Yes AUTHORIZATIONID The value of the original authorization identification number returned by Yes PayPal IMPORTANT If the merchant is voiding a transaction that was reauthorized use the ID from the original authorization not the reauthorization Character length and limits 19 single byte characters NOTE An informational note about this void that is displayed to the customer No in email and in the transaction history Character length and limits 255 single byte characters PayPal Certified Developer Program Study Guide March 2008 91 Transactions Authorization amp Capture APIs DoVoid Response A DoVoid response contains the results of an authorization void TABLE 8 4 DoVoid Response Fields Field Description AUTHORIZATIONID The authorization identification number specified in the request Character length and limits
129. mitations 127 single byte characters L OTYn Item quantity No These parameters should be ordered sequentially beginning with 0 for example L OTYO L QTY1 and so forth Character length and limitations any positive integer L_TAXAMTN Item sales tax No These parameters should be ordered sequentially beginning with 0 for example L_TAXAMTO L_TAXAMT1 and so forth Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma L_AMTn Cost of item No These parameters should be ordered sequentially beginning with 0 for example L_AMTO L_AMT1 and so on Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma L_EBAYITEMNUMBERN Auction item number No Character length 765 single byte characters March 2008 PayPal Certified Developer Program Study Guide Express Checkout 6e Express Checkout API Reference Information TABLE 6 6 DoExpressCheckoutPayment Request Parameters Continued Parameter Description Required EBAYITEMAUCTIONTXNIDA Auction transaction identification number No Character length 255 single byte characters EBAYITEMORDERIDN Auction order ident
130. n encrypted string value included with each API call An API certificate is a file downloaded from PayPal that includes a key and certificate that identify a developer An API certificate must be installed on a web server therefore it is an option only if the developer has full control of the web server Choosing an Authentication Method Each authentication method API signature and API certificate has pros and cons An API signature is easier and quicker to implement An API certificate offers greater security PayPal recommends the use of an API signature because of its greater simplicity however the PayPal API performs equally well with API signatures or API certificates PayPal Certified Developer Program Study Guide March 2008 47 az API Credentials Establishing API Credentials Establishing API Credentials The two authentication methods have separate processes for establishing API credentials API Signature To establish credentials using an API signature as the authentication method follow these steps 1 Log in to a PayPal Premier or Business account In the top navigation area click the Profile subtab Under the Account Information header click the API Access link Click Request API Credentials Under Credential Type click the API Signature radio button Click the agreement checkbox and click Submit Record the API username and API password values The API signature is the Signature Hash value
131. n your website 1 Asa checkout choice on the shopping cart page display the Express Checkout button as follows 2 As a Payment Method on the billing page display the PayPal acceptance mark as a payment option If your site requires customers to sign in or create a store account before checkout the Express Checkout button should be visible before users are required to sign in PayPal Certified Developer Program Study Guide March 2008 73 74 Express Checkout Button and Logo Placement and Use If your site has a Checkout button on pages other than the Shopping Cart page such as on product pages PayPal requires that you put a PayPal Express Checkout button next to these Checkout buttons as well if the Checkout button initiates the checkout flow If the Checkout button links to the Shopping Cart page you are not required to place a PayPal button The HTML for the Express Checkout button and PayPal Acceptance Mark are available at https www paypal com express checkout buttons PayPal Button as a Checkout Choice The following figure shows PayPal as a checkout choice button Check The safer easier way to pay Place the Express Checkout button on the shopping cart page arranged as follows e Always clickable e Right below or next to each of your own cart s checkout buttons with the word or between them e Before your website collects any shipping or billing details or displays any other payment methods e
132. navailable Unsupported risk control is set S AVS S Service is not supported This results in an error if the Service Unavailable Unsupported risk control is set U AVS U Service is unavailable This results in an error if the Service Unavailable Unsupported risk control is set Note The specified AVS code is set regardless of whether a PP API error code is set If no AVS code is specified or the AVS risk control is not specified AVS code X is returned PayPal Certified Developer Program Study Guide March 2008 135 Sandbox Testing Testing Error Conditions Testing an AVS Code Using Virtual Terminal Consider an example of testing for AVS code A using Virtual Terminal You enter AVS_A in the Address Line 1 field aa a D Virtual Terminal Order Entry For 3 si ole ci My Account Send Money Request Money Merchant Services Overview Add Funds ES Profile Virtual Terminal Order Entry Form Secure Transaction indicates required fieldsHide optional fields Order Details Currency JS Dollars af Net Order Amount 5 Shipping 0 Tax Rate 000 7 Apply tax to shipping Tax Amount i Total 5 00 Transaction Type Auth EJ Item Name Service Order Number Billing Information Please enter the following information exactly as it appears on the customer s credit card statement Country United States x First Name j Last Na
133. ncleared 10 00 USD Name Bank Account Total Amount 10 00 USD Date Apr 25 2008 Time 21 57 17 PDT Status Uncleared Expected Clearing Date Apr 30 2008 Funding Type eCheck Funding Source Chase Manhattan Checking Confirmed xxxxxx9243 e Clear Transaction Transaction peturpita Log my Instant Payment Notification IPN You can use the Sandbox to test Instant Payment Notification such as the PayPal Buy Now button or reversals Setting up IPN in the Sandbox For information about implementing IPN see the following e Technical overview at Attps www paypal com cgi bin webscr cmd p xcl rec ipn techview outside e Order Management Integration Guide test_ipn Variable The Sandbox sets the test_ipn variable to a value of 1 in the HTTP response back to your IPN page The purpose of this variable is to clearly differentiate between live and Sandbox IPN so you can write your processing programs to work with either one If the test_ipn variable is not in the HTTP response you are working with Live PayPal PayPal Certified Developer Program Study Guide March 2008 121 ae Sandbox Testing Testing PayPal Website Features To enable IPN for a test account follow these steps 1 Log in to https developer paypal com click the Test Accounts tab select a test account and click Enter Sandbox Test Site 2 Click the Profile subtab a Click the Instant Payment Notification Preferences
134. ndbox to ensure that it functions as you intend At a Glance Differences between the Sandbox and Live PayPal Table 9 1 compares the Sandbox and Live PayPal This is a high level view of the differences from a developer s perspective You also can use this table as a checklist TABLE 9 1 Differences between PayPal Sandbox and Live PayPal Live PayPal Website and Item PayPal Sandbox API Service Type of Depending on the feature you want to develop and Personal Business or Premier account PayPal test you need a Personal Business or Premier Accounts account Site logos in https www sandbox paypal com https www paypal com upper left corner PayPal PayPal NVP API https api sandbox paypal com nvp For API certificate security Servers https api paypal com nvp For API signature security https api 3t paypal com nvp PayPal Certified Developer Program Study Guide March 2008 105 Sandbox Testing Overview TABLE 9 1 Differences between PayPal Sandbox and Live PayPal Continued Live PayPal Website and Item PayPal Sandbox API Service SOAP API https api sandbox paypal com 2 0 For API certificate security Servers https api paypal com 2 0 For API signature security https api 3t paypal com 2 0 Business You fill all roles you need to test merchant buyer Real world people fill these roles roles and seller Company Completely fictitious Before you begin working Real companies and people
135. nk during a transaction Buyer Authentication provides essential merchant liability protection against fraudulent credit card transactions TABLE 2 5 Fraud Protection Services Purchase Options Service Merchant Type Key Benefits Package Options Basic Advanced Designed for merchants with low Maximum ease and convenience transaction volume Designed for merchants with mid to Maximum customization and protection high level transaction volumes Upgrade Options Account Monitoring All merchants Account activity monitoring seven days a week Buyer Authentication All merchants Card association liability protection for authenticated shoppers Detailed Service Descriptions Basic Fraud Protection Service Basic Fraud Protection Service is the ideal solution for merchants who process low transaction volumes through a Payflow payment gateway It offers industry leading security technology at an affordable price and lets your business e Maximize liability protection Meet credit card company standards for address verification and card security codes March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention E PayPal Fraud Protection Services e Reduce chargeback costs Automatically reject or flag transactions that you deem suspicious e Get started fast Quickly set up and manage your security system with easy to use tools Basic Fraud Protection Service works by using e Filters
136. ns 6 character HTML hexadecimal color code in ASCII CHANNELTYPE Type of channel No e Merchant Non auction seller e eBayItem eBay auction SOLUTIONTYPE Type of checkout flow No e Sole Express Checkout for auctions e Mark Normal Express Checkout Shipping Address An optional shipping address as described in ShippingAddress No Parameter on page 153 ShippingAddress is optional but if it is included certain fields are required SetExpressCheckout Response The SetExpressCheckout response is returned by the PayPal server after a SetExpressCheckout request is posted TABLE 6 3 SetExpressCheckout Response Fields Parameter Description TOKEN A timestamped token that tells PayPal that the payment is being processed with Express Checkout NOTE The token expires after three hours If the token was set in the SetExpressCheckout request the value of TOKEN in the response will be identical to the value in the request Character length and limitations 20 single byte characters PayPal Certified Developer Program Study Guide March 2008 65 Express Checkout Express Checkout API Reference Information GetExpressCheckoutDetails Request A GetExpressCheckoutDetails request asks PayPal to respond with the customer s checkout information such as shipping address TABLE 6 4 GetExpressCheckoutDetails Request Parameters Parameter METHOD TOKEN Descript
137. nsactions are settled to the card issuers and funds move between the acquiring bank and issuing bank Funds received for these transactions are sent to the merchant s bank account Payment processing service sends transactions to processor 5 Finding a reliable secure and flexible payment processing solution is critical What features should a payment processing solution offer Select all that apply X X gt 144 Backed by an established trustworthy company Comply with Payment Card Industry PCI Data Security Standard Store customer financial information in plain sight Authorize credit cards in real time Based on a network that provides near real time credit card transactions Scale rapidly and seamlessly as transaction volume increases Offer upgrade options to accommodate future growth Provide recurrent billing payment for service March 2008 PayPal Certified Developer Program Study Guide Answers to Review Questions Chapter 1 6 Match each PayPal solution to the service it offers Response PayPal Product Service Description 4 Website Payments Pro 7 Website Payments Standard 2 Payflow Pro 5 Payflow Link 1 PayPal Email Payments 6 PayPal Virtual Terminal 3 PayPal as an Additional Payment Option PayPal Certified Developer Program Study Guide Lets you send customers email invoices that they can pay on PayPal This simple solution does not require you to have a shopping cart or an internet m
138. o apply for an internet merchant account with PayPal s preferred merchant account provider To set up an internet merchant account go to Attps www paypal com cgi bin webscr cmd _registration run Have the following information available Account business owner s name address and email Business name and address Customer service information Allow up to three to five business days to complete the setup and approval PayPal Certified Developer Program Study Guide March 2008 43 Getting Started With Account Setup PayPal Sandbox 3 Enroll in the selected PayPal services A merchant must enroll for each service they plan to use Once you have a merchant internet account you can sign up for each service individually To apply for Website Payments Pro follow these steps Go to https www paypal com cgi bin webscr cmd wp pro overview outside At the bottom of the page click Apply for Website Payments Pro When prompted sign in using your Email Address and PayPal Password Complete the steps to enroll with Website Payments Pro You will submit an application that includes business information and your social security number or employer identification number and accept the billing agreement 4 Use the PayPal APIs to implement payment processing on the merchant website You should carefully design and plan each merchant website implementation and feature Work with the website own
139. o processes a fraudulent online transaction can be significant e Inventory loss and shipping costs for physical goods that are fraudulently purchased and then delivered e Chargeback penalties assessed by the acquiring bank of 15 30 USD per fraudulent transaction According to Gartner Group estimates merchants reject an estimated 5 of all transactions out of suspicion of fraud while only 2 of transactions are actually fraudulent The result is a significant amount of lost sales up to 3 of sales volume in an attempt to reduce fraud risk In addition to losing product and paying chargeback penalties your business also faces costs due to fraud e Higher discount rates assessed as a result of processing fraudulent payments e Labor cost for the merchant to investigate and resolve the chargeback e Five to six figure card association fines or cancellation of a merchant s account when card fraud rates are consistently high Implementing better tools and raising awareness can help you reduce lost revenue by turning away fewer legitimate customers who seem suspicious You can also resolve chargebacks March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention Internet Fraud What It Is and How It Happens more quickly thus saving time and money In some cases online merchants have reduced their chargeback rate from 7 to 2 Internet Fraud What It Is and How It Happens All internet pa
140. ocation header in the HTTPS response Ensure that the application uses an SSL enabled server to prevent browser warnings about a mix of secure and nonsecure graphics PayPal Certified Developer Program Study Guide March 2008 75 6 Express Checkout Order Review Page Setup Order Review Page Setup PayPal recommends that order review pages be set up as follows 1 Shipping Information Section Display the shipping address supplied by PayPal On first use of the SetExpressCheckout API call if the customer selected a shipping address stored in the PayPal account redirect the customer s browser back to PayPal to edit the shipping address To redirect the browser a second time use the SetExpressCheckout API again and include the Token that was received in the first SetExpressCheckout response On the second SetExpressCheckout API call include ReturnURL CancelURL and other required elements only if their values are different from the values included in the first SetExpressCheckout API call These values most likely will be different on the second request 2 Billing Information Section Display the customer s PayPal email address provided in Express Checkout 3 Order Total The application must display the same exact OrderTotal value that was sent to PayPal in the DoExpressCheckout Payment request Authorization amp Capture PayPal assumes that at the end of the checkout process the merch
141. od for validating receipt of an IPN is to post the exact variables and values received in the IPN back to PayPal The guidelines for constructing the IPN HTTPS POST to PayPal for notification validation are as follows 1 The POST must be sent to Attps Avww paypal com cgi bin webscr 2 Include the variable cmd with the value validate 3 Post all the form variables exactly as they were received PayPal responds to the postback with a single word in the body of the response VERIFIED or NVALID After receiving a VERIFIED response perform the following checks before updating a database Move on to the next check in the sequence only if the previous one passes 1 Check that payment status is COMPLETED 2 Check txn id against the previous PayPal transaction to ensure it is not a duplicate 3 Make sure receiver email is an email address registered in the merchant s PayPal account 4 Check that the price mc_gross and currency mc_currency are correct for the item item name or item number 5 Check that the shared secret is correct In the case of an INVALID response further investigation is necessary in some cases the response is caused by an IPN error possibly from a change in the IPN format To determine if it is an IPN error first examine the IPN code For further assistance go to http www paypal com wf click Seller Tools and click Instant
142. ogram Study Guide Name Value Pair NVP API In this chapter you will learn e The basic steps for using the PayPal Name Value Pair NVP API to integrate an application with PayPal e How to communicate with the PayPal server using the request response model and secure HTTP Integrating with the PayPal API The NVP API is a simple programmatic interface that allows merchants to access the PayPal API The NVP API makes it easy to integrate PayPal with a web Simply construct an NVP string and post it to the PayPal server using HTTPS PayPal posts back a response in NVP format To get started with the PayPal NVP API see the samples at https www paypal com IntegrationCenter ic_nvp html An application can use the samples to send API calls to the PayPal Sandbox test environment The web samples are documented in PayPal Name Value Pair API Developer Guide and Reference Basic Steps This section describes the basic steps for programming with the NVP API Create a Web Application The NVP API implementation usually runs in a web application You can write a new application from scratch or use one of the samples as a starting point Get API Credentials To access the API API credentials are needed for identification either an API signature or API certificate For more information on API credentials see API Credentials on page 47 PayPal Certified Developer Program Study Guide March 2008 53 Name Val
143. omplete the following statements PayPal leverages the which provides crucial online identity and security to help establish trust between parties involved in e commerce transactions Using SSL with an encryption key length of the highest level commercially available PayPal automatically encrypts your confidential information in transit from your computer to ours PayPal s servers sit behind a monitored and are not connected directly to the internet so your private information is available only to authorized computers 6 List three ways to reduce chargebacks 7 List the five areas you should cover in your website disclosure policy PayPal Certified Developer Program Study Guide March 2008 39 40 Internet Security and Fraud Prevention Review Questions 8 The left column in the table lists the PCI data security standards The right column contains a list of requirements Indicate which requirements meet each standard Note Each standard has one or more requirements Response Standards Requirements Build and Maintain a Secure Network 1 Restrict physical access to cardholder data 2 Regularly test security systems and processes 3 Develop and maintain secure systems and Protect Cardholder Data P y applications 4 Encrypt transmission of cardholder data and Maintain a Vulnerability sensitive information across public networks Management Program 5 Protect stored data
144. on becomes a challenge Moreover in the online world hackers can break into your network without your knowledge and steal money products and sensitive information They can also steal customer identities and commit crimes against other merchants using your business as a launch pad for further crimes Internet fraud is also more difficult to detect than in the brick and mortar world Criminals who break into a physical store are much more visible than criminals who break in through the web and erase their footprints Additionally in the online world criminals have multiple access points for break ins because the merchant store is networked internally and to other businesses Because of these vulnerabilities total losses from online payment fraud have steadily increased According to CyberSource s 2006 Online Fraud Report an estimated 2 8 billion USD was lost to online fraud in the U S and Canada in 2005 The Nilson Report a payment PayPal Certified Developer Program Study Guide March 2008 23 24 Internet Security and Fraud Prevention Liability for Internet Fraud trade publication estimates the rate of credit card fraud to be 18 cents to 24 cents per 100 USD of online sales three to four times higher than the overall fraud rate The threat of online fraud is so pervasive that the U S government now mandates security requirements for businesses that handle financial information online Today these regulations apply mainly to
145. on to processor Issuing bank sends authorization or declination to processor 4 The following steps describe the payment processing settlement process Indicate the correct order of the steps by placing the step number to the left of each description Acquiring bank credits merchant s bank account Merchant informs the payment processing service to settle transactions _____ Processor checks the information and forwards settled transaction information to the card association and card issuing bank ______ Issuing bank includes merchant s charge on customer s credit card account Transactions are settled to the card issuers and funds move between the acquiring bank and issuing bank Funds received for these transactions are sent to the merchant s bank account Payment processing service sends transactions to processor 5 Finding a reliable secure and flexible payment processing solution is critical What features should a payment processing solution offer Select all that apply ______ Backed by an established trustworthy company ______ Comply with Payment Card Industry PCI Data Security Standard Store customer financial information in plain sight Authorize credit cards in real time Based on a network that provides near real time credit card transactions ____ Scale rapidly and seamlessly as transaction volume increases ____ Offer upgrade options to accommodate future growth ____ Provide recurrent billing payment for service
146. oper Country United States v Community to get answers E y g Account Type O Buyer Use to represent your customer s experience to integration questions or O seller Use to represent yourself as the merchant to file a support ticket This email address is only used inside the Sandbox Password 12345678 Your password must be at least 8 characters E Hide Advanced Options Add Credit Card Visa v Add Bank Account Yes Required for Confirmed account status O no Confirm Email Yes Required for Confirmed account status O no Account Balance 0 00 USD Create Account Cancel 3 Click Create Account The result is shown below 114 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Setting Up Test Accounts Test Accounts You have successfully created a test account You can view email for this account on the Test Email tab Your test accounts are listed below You must have a test business account to represent a merchant and a test personal account to represent a buyer To simulate an action on the live site paypal com select a test account and click Enter Sandbox Test Site Learn More Test Accounts Create Test Account Login Email Type Country Status Test Mode o seller_1191260733_biz gmail Business United States Verified Disabled com DO View Details O buyer_1191002706_per gmail Personal United States Verified N A com DO View Details Enter San
147. or invalid login preempt negative testing because the error cannot be handled by negative or positive testing In these cases the error condition for positive testing is raised regardless of whether the account was enabled for negative testing API Testing For APIs you trigger an error condition by setting a field to the value of the error you want to trigger The value you specify depends on the kind of field e For amount related fields specify a value as a number with two digits to the right of the decimal point for example 107 55 triggers PayPal API error 10755 e For other kinds of fields specify the actual PayPal API error for example 10755 triggers PP API error 10755 Table 9 2 identifies the API the NVP name or SOAP element of the field that triggers the error and a description of how to set the value in the field TABLE 9 2 API Fields That Trigger Error Conditions API Name RefundTransaction GetTransaction Details TransactionSearch NVP Field Name AMT TRANSACTIONID INVNUM SOAP Element Description Amount Specify the error code to trigger as all digits in a number with two digits to the right of the decimal point e g 107 55 triggers PayPal API error code 10755 TransactionID Specify the error code to trigger as all digits in the field e g 10755 triggers PayPal API error code 10755 InvoicelD Specify the error code to trigger as all digits in the field e g 10755 triggers PayPal AP
148. ore Information For more information on all capabilities of Authorization amp Capture including order authorization see the PayPal documentation available through the Integration Center Refunds A merchant can refund the full amount or a partial amount of a transaction with the RefundTransaction API PayPal Certified Developer Program Study Guide March 2008 93 az Transactions Refunds RefundTransaction Request Use a RefundTransaction request to initiate a full or partial refund of a transaction TABLE 8 7 RefundTransaction Request Parameters Parameter Description Required METHOD Name of API call RefundTransaction Yes TRANSACTIONID Unique identifier of a transaction Yes Character length and limitations 17 single byte alphanumeric characters REFUNDTY PE Type of refund to make Yes e Full e Partial e Other AMT Refund amount No AMT is required if REFUNDTYPE is Partial NOTE If REFUNDTYPE is Full do not set AMT NOTE Custom memo about the refund No Character length and limitations 255 single byte alphanumeric characters RefundTransaction Response A RefundTransaction response contains the results of the refund TABLE 8 8 RefundTransaction Response Fields Field REFUNDTRANSACTIONID NETREFUNDAMT FEEREFUNDAMT GROSSREFUNDAMT Description Unique transaction ID of the refund Character length and limitations 17 single byte charac
149. orms to the following guidelines 54 March 2008 PayPal Certified Developer Program Study Guide Name Value Pair NVP API ET Technical Details e The name is separated from the value by an equals sign for example Robert FIRSTNAME e Name value pairs are separated by an ampersand amp for example Robert amp MIDDLENAME Herbert amp LASTNAME Moore FIRSTNAME e The NVP string is URL encoded URL Encoding You must URL encode the values included in each API request The values in all API responses are also URL encoded URL encoding ensures the proper transmission of special characters characters that are not allowed in a URL and characters that have special meaning in a URL such as the equal sign and ampersand For example notice the following NVP string NAME Robert MooresCOMPANY R H Moore Associates The NVP string is URL encoded as follows NAME Robert Moore amp COMPANY RS2E HS2E Mooret 26 Associates Use the methods listed in Table 5 1 to URL encode or URL decode NVP strings TABLE 5 1 URL Encoding Methods Encode Language Decode Method ASP NET Encode System Web HttpUtility UrlEncode buffer Encoding Default Decode System Web HttpUtility UrlDecode buffer Encoding Default Classic ASP Encode Server URLEncode Decode No built in function ColdFusion Encode URLEncodedFormatstring cha
150. ost effectively deploy a rules engine as well as benefit from PayPal s continuously updated lists of high risk indicators Review suspicious transactions Finally review each transaction that is suspicious to make sure you are doing business with a legitimate customer Online merchants today reject 5 of all transactions because they do not have the time or information to determine whether a suspicious transaction is actually a good one PayPal Fraud Protection Services allows you to PayPal Certified Developer Program Study Guide March 2008 27 28 Internet Security and Fraud Prevention What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud automatically and continuously review only the suspicious orders before you process them allowing time to make an informed decision Account Level Make sure that only authorized users have access to your payment gateway account and be alert for suspicious account access patterns Lock down administrative access With PayPal Fraud Protection Services you can limit access to high risk administrative transactions such as issuing credits You should also change your account password on a regular basis Monitor account level activity for suspicious patterns Watch your account for signs of unauthorized access which could indicate merchant account takeover Account Monitoring from PayPal offers affordable customized live account monitoring staffed by experienced fraud profe
151. ound Sterling HKD Hong Kong Dollar HUF Hungarian Forint JPY Japanese Yen NOK Norwegian Krone NZD New Zealand Dollar PLN Polish Zlotny SEK Swedish Krona SGD Singapore Dollar USD U S Dollar March 2008 PayPal Certified Developer Program Study Guide General Reference Information AVS Response Codes AVS Response Codes Table B 3 lists the AVS response codes for U S credit cards Visa MasterCard Discover and American Express TABLE B 3 AVS Response Codes AVS Code Meaning Matched Details A Address Address only no ZIP B International A Address only no ZIP G International N None NoTE The transaction is declined D International X Address and Postal Code E Not allowed for MOTO Not applicable internet phone transactions NoTE The transaction is declined F UK specific X Address and postal code G Global Unavailable Not applicable International Unavailable Not applicable N No None NOTE The transaction is declined P Postal International Z Postal code only no address R Retry Not applicable S Service not supported Not applicable U Unavailable Not applicable W Whole ZIP Nine digit ZIP code no address X Exact match Address and nine digit ZIP code Y Yes Address and five digit ZIP code Z Zip Five digit ZIP code no address All others Error Not applicable PayPal Certified Developer Program Study Guide March 2008 155 156 General Reference Information CVV2 Response Co
152. r Program Study Guide March 2008 97 Transactions Retrieving Transaction Details TransactionSearch Response A TransactionSearch response contains the results of the transaction search Norte Each of these parameters should be numbered sequentially beginning with 0 for example L_TIMESTAMPO L_TIMESTAMP1 L_TIMESTAMP2 and so on TABLE 8 10 TransactionSearch Response Fields Field TIMESTAMPN TIME iZONEN TYPEN EMATLN NAMEN L_TRANSACTIONIDn L_STATUSN L_AMTn FREE AMTN NETAMTn Description Date and time in UTC GMT format the transaction occurred Time zone of the transaction Type of the transaction Email address of the payer or the payment recipient the payee If the payment amount is positive this field is the recipient of the funds If the payment is negative this field is the paying customer Display name of the payer Seller s transaction ID Status of the transaction Total gross amount charged including any profile shipping cost and taxes Fee that PayPal charged for the transaction Net amount of the transaction Retrieving Transaction Details 98 If the merchant has the Transaction ID of a transaction the merchant can retrieve all of the details about that transaction from the PayPal server Note The details for some kinds of transactions cannot be retrieved
153. r accounts cannot be closed if there is a pending unsettled authorization Authorization amp Capture API Reference Information There are three APIs related to Authorization amp Capture e DoCapture e DoVoid e DoReauthorization The following sections display reference information about the parameters and fields used in the various requests and responses involved in Authorization amp Capture DoCapture Request Use a DoCapture request to capture a complete or partial authorized amount TABLE 8 1 DoCapture Request Parameters Parameter Description METHOD Name of API DoCapture AUTHORIZATIONID The authorization identification number of the payment to capture This is the transaction ID returned from DoExpressCheckoutPayment or DoDirectPayment Character length and limits 19 single byte characters maximum Amount to capture Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma Required Yes Yes Yes 88 March 2008 PayPal Certified Developer Program Study Guide Transactions c Authorization amp Capture APIs TABLE 8 1 DoCapture Request Parameters Continued Parameter Description Required Ea A three character currency code for one of the PayPal supported No transactional currencies Default value USD CURRENCYCOD
154. rch 2008 115 116 Sandbox Testing Setting Up Test Accounts The bank account is a source of funds for a user s PayPal account and thus for transactions between that test account and other test accounts A test account can have multiple bank accounts but at least one is required to verify the test account The Sandbox automatically generates bank account and sort code numbers when you add a bank account For Australia Canada Germany or UK Use the automatically generated bank account information only for test US bank accounts To add test Canadian German or UK bank account information follow the guidelines below e Australia BSB Number 242 200 Account Number any random number e Canada Transit number 00001 Institution number 311 Bank account number Any 1 to 12 digit number e Germany Routing number 37020500 Bank account number Any 10 digit number Sort code Any 8 digit number e UK Bank account number Any 8 digit number Sort code 609204 or 700709 Steps for All Countries Follow these steps 1 Select a test account and click Enter Sandbox Test Site Navigate to My Account gt Profile Under the Financial Information header click the Bank Accounts link In the Bank Account window click Add an Bb Ww N In the Add Bank Account window Enter a fictitious bank name Using the automatically generated bank account number as the name of
155. rd authorization and payment processing 4 Processor 6 The institution providing the customer s credit card PayPal Certified Developer Program Study Guide March 2008 143 OA Answers to Review Questions Chapter 1 3 The following steps describe the payment authorization process Indicate the correct order of the steps by placing the step number to the left of each description 4 2 nA UU or N Processor routes information to bank that issued customer s credit card Merchant s website receives customer information and sends it to payment processing service Processing service sends results to merchant Merchant decides to accept or reject purchase Customer decides to purchase online and inputs credit card information Processor routes transaction results to payment processing service Processing service routes information to processor Issuing bank sends authorization or declination to processor 4 The following steps describe the payment processing settlement process Indicate the correct order of the steps by placing the step number to the left of each description 5 1 3 2 Acquiring bank credits merchant s bank account Merchant informs the payment processing service to settle transactions Processor checks the information and forwards settled transaction information to the card association and card issuing bank Issuing bank includes merchant s charge on customer s credit card account Tra
156. re that the PayPal Express Checkout button is clickable and all PayPal buttons are used for the use they were intended e Do not use the Preview button when the next page is actually a purchase e Avoid using warning or legal text as part of the primary checkout experience e Do not alter recolor or resize the PayPal Express Checkout button or adding text around the PayPal checkout button Redirecting to PayPal After the response from SetExpressCheckout the application must redirect the customer s browser to PayPal The SetExpressCheckout response includes an Express Checkout session token Add the value of the Token from the SetExpressCheckout response as a name value pair where noted and redirect the customer s browser to the following URL https ww paypal com cgi bin webscr cmd express checkout amp token value_from_SetExpressCheckoutResponse Note Express Checkout has a variation on this redirect URL called user action that allows the application to bypass the second request response pair GetExpressCheckoutDetails and GetExpressCheckoutDetailsResponse and change the text of the final button displayed on PayPal For more information on this variation see PayPal Website Payments Pro Integration Guide Recommendation for Browser Redirection To redirect the customer s browser to the PayPal URL PayPal recommends the HTTPS response 302 Object Moved with the PayPal URL as the value of the L
157. rges are known include them in this value otherwise this value should be the current subtotal of the order Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma A three character currency code for one of the PayPal supported transactional currencies Default value USD The expected maximum total amount of the complete order including shipping cost and tax charges Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma Required Yes Yes Yes Yes 62 March 2008 PayPal Certified Developer Program Study Guide Express Checkout Express Checkout API Reference Information TABLE 6 2 SetExpressCheckout Request Parameters Continued Parameter PAYMENTACTION EMAIL DESC CUSTOM INVNUM 2 EOCONFIRMSHIPPING NOSHIPPING Description How the merchant wants to obtain payment e Authorization indicates this payment is a basic authorization subject to settlement with PayPal Authorization amp Capture e Order indicates this payment is an order authorization subject to settlement with PayPal Authorization amp Capture e Sale indicates this is a final sale for which the merchant is requesting paym
158. rity Standard Compliance Just as a disclosure policy describes your business and states your business practices your compliance with the PCI Data Security Standard communicates how much you care about your customers and reinforces an atmosphere of safety for all online merchants Consumers are becoming increasingly aware of the dangers of identity theft due to compromised data and stolen credit card information PCI compliance assures your customers that you re looking out for their safety and well being Approach it with that in mind and you transform compliance into a competitive edge and asset instead of a dreaded must do Today virtually all major credit card companies including American Express Diners Club Discover Card JCB MasterCard International and Visa U S A require merchants and service providers to comply with the PCI standard When you process credit card transactions through a merchant account you also need to meet PCI validation requirements including quarterly and annual audits security self assessments and security scans Your exact validation requirements are determined by your volume of credit card transactions PayPal Certified Developer Program Study Guide March 2008 31 NS Internet Security and Fraud Prevention Disclosure and Compliance While validating that you re in compliance with the PCI standard is a requirement it s also an opportunity Finding and fixing compliance gaps before
159. rmation What choices are available to your customers regarding collection use and distribution of the information What choices are available to your customers regarding communications from you email direct mail etc The kind of security procedures in place to protect the loss misuse or alteration of information under your control How your customers can correct any inaccuracies in the information 3 Shipping policy You ve made the sale Your customers are anxious to get their purchases So keep that excitement and positive momentum going with a shipping policy that s simple and straightforward Spell out your shipping terms in detail disclosing if costs are determined by weight or the amount of the purchase Indicate the classes of shipping you offer ground express overnight etc Indicate if you ship to APO FPO and international addresses Tell your customers in what timeframe they can expect their purchase Show your customers how they can track their shipment Your shippers should be able to provide most of this information for you March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention Disclosure and Compliance 4 Return policy Your customers love simplicity and forgiveness They sometimes make mistakes and order the wrong products They may be unfamiliar with what they are ordering and it s not what they had in mind By allowing your customers to return an it
160. rmation and enables merchants to gain incremental sales from the growing base of PayPal users R Redirect To automatically induce a web browser to go to a new location Request response model A message exchange pattern in which an application sends a request message to a server and the server executes the request and returns a message in response to the application S Sandbox A self contained environment in which developers can prototype and test PayPal applications 7 Token A parameter used in Express Checkout to identify a transaction WwW Website Payments Pro An all in one payment solution that includes the Direct Payment API and Express Checkout 158 March 2008 PayPal Certified Developer Program Study Guide Index A acquiring bank 12 adding a bank account 115 address verification system AVS 34 address verification testing 134 Advanced Fraud Protection Service 35 API certificate 48 and Sandbox 50 encrypting 49 generating 49 installing 49 API credentials 56 definition 47 required security parameters 50 API server for Sandbox 105 106 API signature 48 protecting 48 API testing 130 Authorization amp Capture and Direct Payment 76 85 and Express Checkout 76 85 87 authorization period 88 authorization process 87 best practices 93 definition 87 DoCapture API request 88 response 89 DoReauthorization API request 92 response 92 DoVoid API request 91 response 92 authorizations 12
161. rror code when you call DoDirectPayment or use Virtual Terminal To specify a CVV code place a trigger value in the NVP CVV2 field or the CVV2 SOAP element when you call DoDirect Payment or enter the trigger in Card Security Code when using Virtual Terminal Table 9 4 identifies valid CVV codes corresponding triggers and descriptions of the error conditions TABLE 9 4 CVV Error Conditions and Triggers CVV Code Trigger Description of Error M N U 115 CVV2 matches no error 116 CVV2 does not match 125 Service unavailable 193 Service not supported 120 Transaction not processed 130 No response 138 Note The specified CVV2 code is set regardless of whether a PP API error code is set If no CVV2 code is specified Mis returned Virtual Terminal displays the CVV2 error only if the risk control blocks the payment Testing a CVV Code Using Virtual Terminal Consider an example of testing for CVV code N using Virtual Terminal You enter 116 in the Card Security Code field PayPal Lan Out Security Center March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing Testing Error Conditions When you try to process the transaction the following CVV error message appears from Virtual Terminal Virtual Terminal Order Entry Form Sacura Transaction amp 15004 This transaction cannot be processed Please enter a valid Credit Card Verification Number e Ga
162. rs They know that you have limited time for fraud protection measures when sales volumes are high Reducing Exposure to Fraud It is possible to significantly reduce your exposure to fraud There are essentially three levels of exposure to fraud on the internet the individual transactions the payment gateway account and the merchant network Protecting your business from fraud requires that you address each of these levels in an integrated manner Transaction Level Ensure that each transaction you accept and process is valid You should also be careful not to deny suspicious transactions that are actually valid Authenticate buyers when possible This includes understanding who your repeat customers are and keeping lists of repeat customers who have legitimately transacted on your site Make sure all customer information is encrypted and stored safely Also take advantage of MasterCard and Visa buyer authentication programs to authenticate customers and reduce your liability Screen orders for fraud patterns There is a wealth of information associated with each transaction that can help you understand the risk level To effectively manage all the risk information associated with a transaction 1t is important to use a rules engine A rules engine automates the process of transaction screening so that you quickly fulfill orders for good customers and proactively block risky orders PayPal Fraud Protection Services allows you to c
163. rs sit behind a monitored electronic firewall and are not connected directly to the internet so your private information is available only to authorized computers 6 List three ways to reduce chargebacks Select any three Provide realistic delivery time estimates and use tracking that shows proof that the items were received Describe the sale item in as much detail as possible Include clear images and measurements so that customers have a good understanding of what they re getting Make sure you clearly disclose the total cost to customers up front the price taxes shipping costs etc Provide customers with a way to contact you should they have a problem Often a simple email exchange or phone call clears up a misunderstanding instantly Respond promptly and courteously to customer inquiries 7 List the five areas you should cover in your website disclosure policy Business description Privacy policy Shipping policy Return policy Contact information 148 March 2008 PayPal Certified Developer Program Study Guide Answers to Review Questions Chapter 2 8 The left column in the table lists the PCI data security standards The right column contains a list of requirements Indicate which requirements meet each standard Note Each standard has one or more requirements Response Standards Requirements 8 11 Build and Maintain a Secure Network 1 Restrict physical access to cardhold
164. rset Decode URLDecodeurlEncodedString charset Java Encode jJava net URLEncoder encode Decode java net URLEncoder decode PHP Encode urlencode Decode urldecode PayPal Certified Developer Program Study Guide March 2008 55 56 Name Value Pair NVP API Technical Details Request Format Each NVP request consists of required and optional parameters and their values Parameter names are not case sensitive As shown in Table 5 2 this document uses UPPERCASE for parameter names and divides the parameters into required security parameters and body parameters TABLE 5 2 General Format of a Request Required security USER apiUsername amp PWD apiPassword amp SIGNATURE apiSignature amp parameters SUBJECT optionalThirdPartyEmailAddress amp VERSION 3 3 The following parameters are always required e USER e PWD e VERSION 3 3 e SIGNATURE NOTE In the examples in this and other PayPal documents the required security parameters sometimes appear like this requiredSecurityParameters Body parameters amp METHOD methodName amp o0therRequiredAndOptionalParameters In practice concatenate all parameter names and URL encoded values in a single string After the METHOD parameter the parameters can be specified in any order Required Security Parameters The required security parameters are the same as the developer s PayPal API credentials which are described in
165. ruse model with no set up or monthly fees It includes shipping and tax calculators reporting tools to measure your business and support for international currencies March 2008 145 146 Answers to Review Questions Chapter 2 7 Select the PayPal payment processing solutions that enable a customer to checkout on the merchant s website X X Website Payments Pro Website Payments Standard Payflo Pro Payflow Link Email Payments Virtual Terminal PayPal as an Additional Payment Option 8 Select the PayPal payment processing solutions that require API or HTML technical skills to develop payment processing applications X Website Payments Pro X Website Payments Standard X Payflo Pro X Payflow Link Email Payments Virtual Terminal X PayPal as an Additional Payment Option Chapter 2 1 Indicate if each statement is True T or False F T Every merchant is at risk for fraud F Correct answer Internet fraud is more difficult to detect than in the brick and mortar world T Credit card associations hold merchants liable for fraudulent transactions because the credit card is not physically present during online purchases T American Express Diners Club Discover Card JCB MasterCard International and Visa U S A have adopted the Payment Card Industry PCI Data Security Standard developed to protect account and transaction information of cardholders F Correct answer According to Gartner Group estimates
166. s and may be required for Level 4 merchants TABLE 2 4 PCI Compliance Validation Requirements Level Validation Action Validated By Level 1 Annual Onsite PCI Data Security Assessment Qualified Data Security Company or Internal and Audit if signed by Officer of the company Quarterly Network Scan Qualified Independent Scan Vendor Level 2 and 3 Annual PCI Self Assessment Questionnaire Merchant and Quarterly Network Scan Qualified Independent Scan Vendor Level 4 Annual PCI Self Assessment Questionnaire Merchant and Quarterly Network Scan Qualified Independent Scan Vendor Norte Level 4 merchants must comply with the PCI Data Security Standard However compliance validation for merchants in this category is determined by the merchant s acquirer Additional Resources About Disclosure and Compliance There are other online resources that can help you in developing your own disclosure policy and meeting PCI compliance requirements They include e The Privacy Planner from BBBOnLine helps you create a simple solid online privacy policy for your e commerce business http www privacyplanner com e The Direct Marketing Association DMA offers a small businessfriendly online privacy policy generator http www the dma org privacy privacypolicygenerator shtml e The Federal Trade Commission offers valuable information on preventing identity theft at http www consumer gov idtheft Also be sure to visit the central FTC site at http
167. s name address and email Business name and address Customer service information How many days should you allow to set up an internet merchant account Three to five business days Match each PayPal service that provides fraud protection to its description PayPal Product Service Description Fraud Protection Services 1 Provides your customers with a secure and convenient payment flow because they don t have to re enter information already stored in their PayPal account Express Checkout 2 A fast cost effective way to accept repeat payments for installment plans monthly fees or subscription based services Recurring Billing Service 3 Provides simple automated credit card fraud screening to enterprise grade perimeter security services to save you time and money while protecting your business What is the purpose of the PayPal Sandbox The PayPal Sandbox is a self contained environment in which developers can prototype and test PayPal applications Before moving any PayPal based application into production test the application in the Sandbox to ensure that it functions properly March 2008 PayPal Certified Developer Program Study Guide Answers to Review Questions CE Chapter 4 Chapter 4 1 False API credentials must be included with every request sent to the PayPal server 2 True Chapter 5 1 An ampersand 4 True The METHOD parameter AY y True Chapter 6 1
168. ss of the payer s browser Yes PayPal records this IP address as a means of detecting possible fraud Character length and limitations 15 single byte characters including periods for example 255 255 255 25 Allowable values Any valid Internet Protocol address Total of the order including shipping handling and tax Yes Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma RDTYPE Type of credit card Yes Character length and limitations Up to 10 single byte alphabetic characters Allowable values Visa MasterCard Discover Oo Oo Oo e Amex 80 March 2008 PayPal Certified Developer Program Study Guide Direct Payment API Direct Payment API Reference Information TABLE 7 1 DoDirectPayment Request Parameters Continued Parameter Description Required ACCT Credit card number Yes Character length and limitations Numeric characters only No spaces or punctuation Must conform with the length required by each credit card type EXPDATE Credit card expiration date Yes Format MMYYYY Character length and limitations 6 single byte numeric characters including leading 0 FIRSTNAME Payer s first name Yes Character length and limitations 25 single byte characters LASTNAME Payer s last name Yes Character length
169. ssionals The service can help you catch account takeover before it does any damage whether the takeover is due to a hacker or fraudulent employee usage of your service Network Level Ensure your network or perimeter is defended against unauthorized access Lock down network access With PayPal Manager you can ensure that only IP addresses you Select have access to your network Update all patches on servers and operating systems Invest in regularly scheduled security audits or port scans to identify network vulnerabilities PayPal Fraud Protection Services offers a free network scan from Qualys included with every Basic or Advanced PayPal Fraud Protection Service Monitor firewall activity Enterprise e commerce companies should also monitor their network s perimeter security on a 24 hour basis What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud Consumers shop online for convenience and speed but historical authentication requirements have often proved to be cumbersome time consuming and ineffective New buyer authentication programs such as MasterCard SecureCode and Verified by Visa provide more streamlined and customer friendly authentication through passwords These programs enable you to gain liability protection by prompting consumers to provide a password with their card issuers at checkout similar to providing a PIN number for ATM transactions Transactions in which consumers a
170. t result in another error occurring Negative Testing Using an Amount Related Trigger Field The following example sets up testing for error 10623 for DoAuthorization in which the error code is specified in the AMT field METHOD DoAuthorization amp TRANSACTIONID 0 1GU0288989807143B amp AMT 106 238 TRANSACTIONENTITY 0rder VERSION 3 38 USER usemame amp PWD passwords SIGNATURE signature The request invokes the following response TIMESTAMP 2007 2d04 2d04T03 3a10 3a1 9Z amp CORRELATIONID 447d121150529 amp ACK Failure amp L_ERRORCODE0 10623 amp L_SHORTMESSAGEO Maximum 20number 200 20authorization 20allowed 20for 20the S200rder 20is 20reached 2e amp L_LONGMESSAGE0 Maximum 20number 200 20authorization 20allowed 20fors20thes 20order 20is 20reached32e amp L SEVERI TYCODEO Error amp VERS ION 3 3e400000 amp BUILD 1 2e0006 132 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Testing Error Conditions The following example sets up testing for error 10603 for DoVoid in which the error code is specified in the AUTHORIZATIONID field Negative Testing Using a Non Amount Trigger Field METHOD DoVoid amp AUTHORIZATIONID 10603 amp VERSION 3 3 amp USER usemame amp PWD passwords SIGNATURE signature The request invokes the following response TIMESTAMP 2007 2d04 2d04T03 3a10 3a22Z amp CORRELATIONID 51b0c5054dee6 amp ACK Fai
171. tExpressCheckout response and passed by the GetExpressCheckoutDetails request Character length and limitation 20 single byte characters How the merchant wants to obtain payment e Authorization indicates that this payment is a basic authorization subject to settlement with PayPal Authorization amp Capture e Order indicates that this payment is an order authorization subject to settlement with PayPal Authorization amp Capture e Sale indicates that this is a final sale for which the merchant is requesting payment NoTE If this value was set to Sale on SetExpressCheckoutRequest then it cannot change to Authorization on the final DoExpressCheckoutPaymentRequest Character length and limit Up to 13 single byte alphabetic characters Default Sale Unique PayPal customer account identification number as returned by the GetExpressCheckoutDetails response Character length and limit 13 single byte alphabetic characters Total of order including shipping handling and tax NOTE Limitations Must not exceed 10 000 USD in any currency No currency symbol Must have two decimal places decimal separator must be a period and the optional thousands separator must be a comma Required Yes Yes Yes Yes Yes 68 March 2008 PayPal Certified Developer Program Study Guide TABLE 6 6 DoExpressCheckoutPayment Request Parameters Continued Express Checkout Express Checkout API
172. te Payments and Instant Purchase checkbox 4 Click Save PayPal Certified Developer Program Study Guide March 2008 99 100 Transactions Payment Notification Integration Reporting Paypal Reporting Tools provide the information necessary to effectively measure and manage a business With PayPal Reporting Tools merchants can e Analyze revenue sources to better understand customers buying behaviors e Automate time consuming bookkeeping tasks e Accurately settle and reconcile transactions The following reports are available e Monthly Account Statements Every month view a summary of all credits and debits that affect the account balance e Merchant Sales Reports Every week receive a valuable analysis of revenue by sales channel and currency e History Log View an online record of received and sent payments e Downloadable Logs Keep track of transaction history by downloading it into various file formats suitable for financial settlements For more information about PayPal reports see the PayPal Reporting Tools website http www paypal com cgi bin webscr cmd p xcl rec reports intro outside Instant Payment Notification IPN IPN provides immediate notification and confirmation of PayPal payments received IPN consists of three parts 1 A customer issues payment from one of a number of processes Website Payments Standard FORMs the Express Checkout APIs MassPay or a refund 2 PayPa
173. ters Amount subtracted from PayPal balance of original recipient of payment to make this refund Transaction fee refunded to original recipient of payment Amount of money refunded to original payer 94 March 2008 PayPal Certified Developer Program Study Guide Transactions Transaction Searches Transaction Searches To find all transactions that occurred on a particular date use the TransactionSearch API The date must be in UTC GMT format With TransactionSearch always set the StartDate field Also note the following e Setting TransactionID overrides all other fields including StartDate e The effect of setting other elements is additive or can alter the search criteria TransactionSearch returns up to 100 matches Partial matches are displayed For example setting the FirstName parameter of the TransactionSearch request to Jess returns results including Jessica and Jesse The most important element returned in the TransactionSearch response is TransactionTD which can be passed to Get TransactionDetails to retrieve all available information about a specific transaction For more information on the GetTransactionDetails API see Retrieving Transaction Details on page 98 TransactionSearch Request Use a TransactionSearch request to search for transactions that occurred on a given date TABLE 8 9 TransactionSearch Request Parameters Parameter METHOD STARTDAT El
174. teway Dedine Processor Response Code 0000 AVS X Address and Whole Zip Match CW N Does not match Reference 9582BF5CB9B98BV Note Other errors are also reported in addition to CVV code N Testing a CVV Code Using DoDirectPayment The following example sets up testing for CCV code N in DoDirectPayment which indicates a mismatch in the card validation code METHOD DoDirect Payment amp CREDITCARDTY PE VISA amp ACCT 4 683075410516684 amp EXPDATE 112007 amp Cvv2 1168 AMT 1 55 amp FIRSTNAME Designer LASTNAME F otos amp TPADDRESS 255 55 167 002 amp STREET 1234 20Easys20Street amp CITY San 20Jose amp STATE CA amp COUNTRY UnitedS20States amp ZIP 95110 amp COUNTRYCODE US amp SHIPTONAME LouiseS20P 20Flowerchild amp SHIPTOSTREET 1234320Easy S20Street amp SHIPTOSTREET2 Apt 2022 20bis amp SHIPTOCITY New 200rleans amp SHIPTOSTATE LA amp SHIPTOCOUNTRY US amp SHIPTOZIP 70114 amp PAYMENTACTION Authorizationg FIZBIN foo amp VERS ION 3 3 amp USER usemame amp PWD passwords SIGNATURE signature PayPal Certified Developer Program Study Guide March 2008 139 140 Sandbox Testing Testing Recurring Payments The request invokes the following response TIMESTAMP 2007 2d04 2d04T03 3a35 33al12Z amp CORRELATIONID 2499856319532 amp ACK Failure amp L_ERRORCODE0 15004 amp L
175. th a Personal or Premier account follow these steps 1 After logging in select Test Accounts and click the Create Test Account link 2 For the Account Type choose Buyer Make other selections or accept the defaults See the screenshot below 112 March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing Setting Up Test Accounts Home Test Accounts Test Email Create a Sandbox Test Account API Credentials A y eN A ia After creating the account your can delete the account or you can provide additional information in the Sandbox Test Site Can We Help Country United States Y Visit the PayPal Developer Community to get answers to integration questions or to file a support ticket Account Type Buyer Use to represent your customer s experience O seller Use to represent yourself as the merchant This email address is only used inside the Sandbox Password Your password must be at least 8 characters E Hide Advanced Options Add Credit Card Visa v Add Bank Account Yes Required for Confirmed account status O No Confirm Email Yes Required for Confirmed account status O no Account Balance 10 00 USD Create Account Cancel 3 Click Create Account The result is shown below Test Email Test Accounts API Credentials Can We Help You have successfully created a test account You can view email for this ac
176. the Add Funds by Electronic Funds Transfer page Inthe From drop down list select the bank account from which the funds are coming Inthe Amount box enter the amount to transfer Click Continue 5 On the resulting Add Funds Confirmation page click Submit Navigate to My Account gt Overview to see that the transfer transaction is listed Clearing or Failing Test eCheck Transactions When you use eCheck to transfer funds or send payments the transaction appears as pending until you manually clear or fail it Manual clearing is necessary only in the Sandbox To clear or fail test eCheck transactions follow these steps 1 In the transactions log click the Details link in the Details column 2 In the Transaction Detail window there are two links to simulate actual bank clearing These links appear only in the Sandbox Clear Transaction Click to complete the transaction Fail Transaction Click to cancel the transaction 3 Click Return to Log to see the transfer completed and the money in the Sandbox account The My Account gt Overview page opens 4 Click the View Limits links on the My Account gt Overview page to see the spending limits for the current test account For an alternative example see Completing or Canceling a Pending Transaction on page 120 Sending Funds to a Seller To purchase goods or services a PayPal user must send funds to a seller In the PayPal Sandbox you
177. ther details about the payment Express Checkout API Reference Information The following sections provide reference information about the parameters and fields used in the various requests and responses involved in PayPal Express Checkout Further reference information is available in PayPal Name Value Pair API Developer Guide and Reference PayPal Certified Developer Program Study Guide March 2008 61 Express Checkout Express Checkout API Reference Information SetExpressCheckout Request The SetExpressCheckout notifies PayPal that the application is using Express Checkout to obtain payment from the customer TABLE 6 2 SetExpressCheckout Request Parameters Parameter METHOD RETURNURL CANCELURL CURRENCY CODE MAXAMT Description Name of the API SetExpressCheckout A secure URL to which the customer s browser is returned after the customer chooses to pay with PayPal NOTE PayPal recommends that the value be the final review page on which the customer confirms the order and payment Character length and limitations no limit The URL to which the customer is returned if the customer does not approve the use of PayPal to pay the merchant NOTE PayPal recommends that the value be the final review page on which the customer confirms the order and payment Character length and limitations no limit The total cost of the order to the customer If shipping cost and tax cha
178. tics PayPal Certified Developer Program Study Guide March 2008 89 Transactions Authorization amp Capture APIs TABLE 8 2 DoCapture Response Fields Continued Field PARENTTRANSACTIONID RECEIPTID TRANSACTIONTYP GI PAYMENTTYPE ORDERT IME EXCHANGERATE Description Parent or related transaction identification number This field is populated for the following transaction types Reversal Capture of an authorized transaction Reversal Reauthorization of a transaction Capture of an order The value of PARI OrderTD Authorization of an order The value o original OrderTD e Capture of an order authorization e Void of an order The value of PARENTTRANSACTIONID is the original OrderID ENTTRANSACTIONID is the original f PARENTTRANSACTIONID is the Character length and limits 16 digits in xxxx xxxx xxXxx xxxx format Receipt identification number Character length and limits 16 digits in xxxx xxxx xXxx xxxx format The type of transaction cart express checkout Character length and limits 15 single byte characters Indicates whether the payment is instant or delayed Character length and limits 7 single byte characters Time date stamp of payment For example 2006 08 15T17 23 152 The final amount charged including any shipping and taxes from the Merchant Profile PayPal fe
179. tification IPN Use the Sandbox to test IPN for updates and payment notifications Refunds Use the Sandbox to test refunding payments from a test buyer Subscriptions Use the Sandbox to test subscription buttons IMPORTANT To execute test transactions on Sandbox you need to complete a purchase as a test buyer with your buyer test account Typically you go through your website purchase flow as a buyer Ensure that you execute your test on www sandbox paypal com instead of www paypal com Payments with the Buy Now Button You can use the Sandbox to familiarize yourself with the PayPal Buy Now button with which you can associate PayPal with a specific item you sell on your website To create a test Buy Now button follow these steps 1 2 3 From the Test Accounts tab select a business account and click Enter Sandbox Test Site Go to the Merchant Services tab Under the Key Features heading select the Buy Now Buttons link to get to the Button Factory You also can search the Help for Button Factory Follow the online instructions to create a Buy Now button For details see the Website Payments Standard Integration Guide Copy and paste the code into your web page file wherever you want the button image to appear Typically the button should be located next to the description of the item or service Your web page does not have to be published to your web server for you to check the but
180. tion to one of the PayPal API servers PayPal provides a live server It also provides a Sandbox server that allows applications to process transactions in a test environment API Servers for API Signature Security If the application uses an API signature post requests to one of the following servers e Sandbox https api 3t sandbox paypal com nvp e Live https api 3t pavpal com nvp API Servers for API Certificate Security If the application uses an API certificate post requests to one of the following servers e Sandbox https api sandbox paypal com nvp e Live https api paypal com nvp Review Questions Answers to review questions are in Appendix A Answers to Review Questions 1 What character is used to separate name value pairs in an NVP string 2 True or false In an NVP request parameter names are not case sensitive 3 In an NVP request what parameter gives the name of the API call 4 True or false More than one error can be returned in a single error response March 2008 PayPal Certified Developer Program Study Guide Express Checkout In this chapter you will learn e How Express Checkout works e How to use the Express Checkout APIs e How to use the PayPal Express Checkout buttons and logos How Express Checkout Works PayPal Express Checkout is a combination of the website checkout process PayPal login and review pages on https www paypal com and PayPal API req
181. to processor Processor routes information to bank that issued customer s credit card Issuing bank sends authorization or declination to processor Processor routes transaction results to payment processing service Processing service sends results to merchant Sot oe ke Merchant decides to accept or reject purchase Here the merchant should take additional precautions to ensure the credit card is not stolen and that the customer actually owns this card Payment Processing Settlement Once the merchant has shipped the product or authorized the download of merchandise the merchant may request that the payment processing service settle the transaction During settlement funds are transferred from the customer s account to the merchant s bank account 1 Merchant informs the payment processing service to settle transactions 2 Payment processing service sends transactions to processor 3 Processor checks the information and forwards settled transaction information to the card association and card issuing bank 4 Transactions are settled to the card issuers and funds move between the acquiring bank and issuing bank Funds received for these transactions are sent to the merchant s bank account 5 Acquiring bank credits merchant s bank account 6 Issuing bank includes merchant s charge on customer s credit card account What to Look for in an Online Payment Processing Solution Finding a reliable secure and
182. ton placement it can be on you own local hard drive IMPORTANT You must change the form action to redirect to the Sandbox using the following URL https www sandbox paypal com cgi bin webscr method post Use the PayPal Help link to answer related questions such as How do I make a Buy Now button compatible with the shopping cart feature For general information see March 2008 PayPal Certified Developer Program Study Guide Sandbox Testing E Testing PayPal Website Features https www paypal com pdn item For general information about shopping cart purchases see https www paypal com shoppingcart For general information about subscriptions see https www paypal com pdn recurring Encrypted Website Payments The Sandbox also supports Encrypted Website Payments EWP as does the PayPal SDK console For information about EWP and how to use it see Website Payments Standard Integration Guide For information about using the PayPal SDK console to generate EWP HTML see PayPal SDK Guide for any supported platforms Testing Payments with Buy Now Button To test the Buy Now button your web page does not need to be published to your web server it can reside on your local hard drive You do need to be logged in to the Sandbox Follow these steps 1 Log in to https developer paypal com click the Test Accounts tab select the desired test account and click Enter Sandbox Test Site Open the HTML file
183. ts the notification URL in the Profile specifying the NOTIFYURL variable overrides the value in Profile Norte If the merchant does not use EWP or shared secret validation he must check the price transaction ID PayPal receiver email address and other data sent by IPN to ensure they are correct Shared Secret Validation The recommended method for notification validation is to use a shared secret on individual payment transactions Add a shared secret variable and value to the NOTIFYURL variable to which the IPN data is posted after a payment is made The shared secret consists of the following PayPal Certified Developer Program Study Guide March 2008 101 102 Transactions Payment Notification Integration NOTIFYURL IPNnotificationURL shared_secret_variable_name shared_secret_value where e IPNnotificationURL is the notification URL e shared_secret_variable_name is any variable name e shared_secret_value is the shared secret itself The merchant can also specify a shared secret in his Profile which is used for all transactions Specifying a shared secret in the NOTIFYURL variable explicitly overrides the value in the Profile Note The value of the shared secret is not encrypted it is in clear text for easier processing therefore the shared secret value is recorded in the merchant s web server s access logs Always practice proper security for server access logs HTTPS Postback to PayPal The second meth
184. u will learn e How to use the Authorize amp Capture APIs to authorize payments without actually receiving them and how to get authorized payments e How to refund a customer s payment e How to search for transactions and find details of a specific transaction e How to use PayPal s automated payment notification capabilities Authorization amp Capture APIs PayPal uses Authorization amp Capture in both Express Checkout and Direct Payment Authorization amp Capture APIs provide merchants with increased flexibility in obtaining payments from their customers Authorization amp Capture separates the authorization of payment from the capture of the authorized payment Authorization amp Capture is for merchants who have a delayed order fulfillment process It enables merchants to modify the original authorization amount due to order changes occurring after the initial order is placed such as taxes shipping or item availability Authorization amp Capture allows merchants to authorize capture reauthorize and void funds Authorization Process 1 Authorization amp Capture starts when the customer authorizes a payment amount during checkout for example by using the PayPal Express Checkout API with the PAYMENTACTION element set to Authorization 2 After the customer completes checkout use the payment s transaction ID with Authorization amp Capture APIs to Capture a partial amount or the full authoriz
185. ue Pair NVP API Technical Details Create and Post the Request Create an NVP request string and post it to the PayPal server Add code to the web application to do the following tasks 1 Encode the name and value parameters in the request to ensure the correct transmission of all characters This is described in URL Encoding on page 55 2 Construct the NVP API request string as described in NVP Format on page 54 and Request Format on page 56 3 Post the NVP request to the PayPal server as described in Posting Using HTTPS on page 58 Interpret the Response PayPal processes the request and posts back a response in NVP format Add code to the web application to do the following tasks 1 Decode the name and value parameters in the response 2 Parse the NVP API response string as described in NVP Format on page 54 and Response Format on page 57 3 Take appropriate actions based on successful and failed responses Technical Details This section describes details of the technologies used by the NVP API Request Response Model When using the NVP API the application posts a request to PayPal and PayPal returns a response URL Format The request and response are in URL encoded format which is defined by the Worldwide Web Consortium W3C URL is defined as part of the URI specification NVP Format NVP is a way of specifying name value pairs in a string An NVP string conf
186. uests and responses Express Checkout gives developers the flexibility to put PayPal either first in the checkout process or on the billing page along with other payment options The customer always starts and completes an order on the merchant s website The following figure summarizes the Express Checkout work flow _ Calats PayPal Flow haa Payrol ebsites PayPal redirects customer to EA Your Webste merchant site Add PayPal Checkout button Call GetExpressCheckoutDetails API Shopping Cat Login Stored Shipping Receipt Contimation amp Billing Into E ca Pa aj al mm a m a Customer reviews Customer views gt Customer views The anlar sasar may to poy skipping and kiling order review page order confinretion Customer pays wth info then pays PayPal SN Call SetExpressCheckout API Call DoExpressCheckoutPayment API Redirect customer to PayPal PayPal Certified Developer Program Study Guide March 2008 59 60 Express Checkout How Express Checkout Works The PayPal Express Checkout API calls work as follows 1 After selecting products to purchase the customer clicks the Checkout with PayPal button on the merchant s website This allows the customer to quickly skip entering shipping and billing information on the merchant s website The application passes PayPal the transaction details SetExpressCheckout receives the response from PayPal and redirects the customer s browser to P
187. usiness accounts the following additional information is generated for you e Business name and address e Customer service contact information e Business owner contact information e Business owner address e Social Security Number to sign up for Website Payments Pro PayPal Certified Developer Program Study Guide March 2008 111 ES Sandbox Testing Setting Up Test Accounts Managing Test Accounts You can view work with or launch the Sandbox Test Site for all your test accounts You also can create new accounts or remove test email addresses from your view e To work with test accounts log in to https developer pavpal com and click the Test Accounts tab e To create a new account click the Create Account link e To work with the account select it by clicking the radio button associated with it on the left To simulate the live paypal com site for the selected account click Enter Sandbox Test Site When you logged in to https developer paypal com if you set the Log me in automatically checkbox to allow direct access to https www sandbox paypal com you do not have to launch the Sandbox to access it NoTE The Delete button does not delete the test account It removes the test account from your list of accounts but the email address for the test account is still on file for the Sandbox You cannot re use an email address that is still on file for the Sandbox Creating a Personal Account To create a buyer wi
188. uthenticate themselves to issuers effectively shift liability from the merchant to the issuer Merchants are not held liable for fraudulent transactions processed using buyer authentication PayPal s suite of Fraud Protection Services makes it easy for you to take advantage of this powerful system Check with your internet merchant account provider directly to determine if March 2008 PayPal Certified Developer Program Study Guide Internet Security and Fraud Prevention EN What PayPal Is Doing to Protect Your Business Against Fraud they have deployed buyer authentication Through Fraud Protection Services one seamless integration gives you access to both Verified by Visa and MasterCard SecureCode with your PayPal gateway service What PayPal Is Doing to Protect Your Business Against Fraud The security of your information transactions and money is the core of our business and our top priority at PayPal We help you protect against fraud so you can grow your business and minimize losses PayPal leverages the Secure Sockets Layer SSL protocol which provides crucial online identity and security to help establish trust between parties involved in e commerce transactions Customers can be assured that the website they re communicating with is genuine and that the information they send through web browsers stays private and confidential Moreover using SSL with an encryption key length of 128 bits the highest level commercially av
189. www ftc gov for additional information and advice e Both the Visa and MasterCard websites have extensive information about meeting PCI Payment Data Security Standards http www visa com and http www mastercard com PayPal Certified Developer Program Study Guide March 2008 33 34 Internet Security and Fraud Prevention PayPal Fraud Protection Services PayPal Fraud Protection Services Protecting your business against the consequences of even a single fraud attempt requires a significant time commitment and ties up valuable resources PayPal has designed its suite of Fraud Protection Services based on merchant feedback and the needs of the online business community Our solution not only gives you added protection against credit card fraud cash fraud and hacking attempts but it also allows you to manage all these features quickly and easily with a single intuitive interface Each PayPal Payflow Gateway solution includes standard antifraud features e Card security code A three or four digit number printed on the physical card which a customer provides to you at checkout e Address verification system AVS A system that verifies the credit card holder s personal address and billing information Each Fraud Protection service also offers a Buyer Authentication upgrade option that seamlessly integrates an advanced antifraud feature that allows credit card holders to submit a special password directly to their card issuing ba
190. x and Live PayPal Continued Item Digital certificates PayPal Merchant Features supported Live PayPal Website and PayPal Sandbox API Service After you request digital certificates for use with the To safeguard your and your customers PayPal Web Services API the Sandbox security requests for digital certificates for automatically generates them They are available for use with the Live PayPal Web Services immediate downloading API must be verified by PayPal before they are issued You are notified in email when your request is approved All features of the live PayPal website except closing an account auction features monthly statements shipping preferences and PayPal Shops Accessing the PayPal Sandbox To access the PayPal Sandbox sign up for an account at Attps developer paypal com After signing up you access the Sandbox programatically or by logging in Depending on the PayPal feature you want to test with an application you need to set up different types of test accounts PayPal Personal or Premier and Business accounts See Planning the Types of Test Accounts You Need on page 111 PayPal Certified Developer Program Study Guide March 2008 107 Sandbox Testing Accessing the PayPal Sandbox Signing Up for Sandbox Access To sign up for Sandbox access follow these steps 1 Goto https developer paypal com The login screen is shown below PayPal Developer Central IA
191. x 44 PayPal Virtual Terminal 15 pending transactions 120 Personal account 112 positive test 129 Privacy Planner 33 privacy policy 30 processor 12 product theft 25 R Recurring Billing Service 44 Recurring Billing Service for Payflow 14 recurring payments testing 140 refunds 93 RefundTransaction API request 94 response 94 RefundTransaction request 94 response 94 reporting tools 100 request 54 56 Request Money testing 124 PayPal Certified Developer Program Study Guide request response model 54 URL encoding 55 response 54 57 errors 57 return policy 31 S Sandbox 44 API server for 105 106 email 111 search GetTransactionDetails API request 99 response 99 TransactionSearch API request 95 response 98 Secure 29 secure HTTP HTTPS 58 Secure Sockets Layer SSL protocol 29 Send Money 123 SetExpressCheckout and updating shipping address 76 request 62 response 65 settlements 12 shared secret validation 101 shipping policy 30 Social Security Number for Website Payments Pro 117 sort code for Canada Germany and UK 116 source code samples for IPN 122 Y test accounts 111 test email 111 test_ipn 121 testing address verification 134 APIs 130 billing a customer 124 Buy Now 119 credit card validation 138 eCheck 123 IPN 121 March 2008 161 162 negative 129 paying 123 Send Money 123 verifying a payment 119 verifying arefund 122 Website Payments 118 testing recurring payments 140 Trans
192. yment fraud is based on stolen consumer or merchant identities It also requires access to payment networks to complete the fraud The result is product theft identity theft and cash theft e Product Theft Occurs when a criminal uses stolen credit card information to purchase goods and services e Identity Theft Occurs when stolen credit card information is combined with readily available social security numbers and address information to open new credit cards under the victim s name and address e Cash Theft Occurs when criminals break into a virtual cash register by stealing merchant account access information and impersonating you in order to issue credits or payments to themselves Fortunately there are ways to protect against fraud The most important thing you can do is choose a reliable and secure payment solution that includes basic and advanced antifraud features Here are some of the most common fraud related risks facing online merchants Consumer Identity Theft Criminals steal consumer credit card information through a variety of methods including dumpster diving for paper receipts hacking into e commerce networks or using handheld skimmers to digitally scan numbers from credit cards of unsuspecting people at restaurants or cash registers Phishers meanwhile will send fraudulent emails to consumers warning for instance of a problem with a credit card account in an attempt to trick the person to provide personal
193. your audit keeps your company running smoothly and your reputation intact It provides you with tangible proof that you can communicate to your customers on how well you re protecting them The quickest and easiest way to meet PCI compliance standards is to outsource the job A number of PayPal payment solutions are hosted relieving the online merchant of the compliance responsibility The PayPal Gateway payment solution which allows the merchant to handle credit data does require compliance and validation by the merchants themselves TABLE 2 2 PCI Data Security Standard Standards Requirements Build and Maintain a Secure Network 1 Install and maintain a firewall configuration to protect data 2 Do not use vendor supplied defaults for system passwords and other security parameters Protect Cardholder Data U Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks gt Maintain a Vulnerability Management Program Use and regularly update antivirus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to data by business need to know Assign a unique ID to each person with computer access Restrict physical access to cardholder data O 0 E Regularly Monitor and Test Networks 10 Track and monitor all access to network resources and cardholder data 11 Regularly test security systems and processes
Download Pdf Manuals
Related Search