Reputation: 503
I’ve developed a feature-rich Shopping Cart Plugin for WordPress (yes, another one, but mine has full-featured bookkeeping on the backend integrated with PayPal Payments Standard on the front ;-)
I should preface this – lest anyone infer I’m asking their help in earning a paycheck -- my goal is to see it -- my baby -- community developed, freely available and widely embraced; a humble gift to the 99% (or 47% depending on your perspective ;-). I intend putting it up on GitHub before year-end, but in the interim I’m struggling with a final bit of PayPal integration. I need a little help.
I’ve read here and there that it’s possible to utilize the PayPal refundTransaction API with a Payments Standard account. Having deduced that a Business account is required for API access, I’ve established API credentials for a Business account in the sandbox using Payments Standard, but can’t seem to get it to work on my development server.
My experience with APIs in general is admittedly limited, and about the same with PHP cURL, but I've narrowed the problem down to (at least) one of three things:
If not possible… (or not possible without an SSL CERT) well, thank you for indulging me this far and -- on behalf of those who may find this discourse later -- for taking a moment to dispel the myth that it is.
Otherwise… the code… My best effort only returns the following error:
Error: RefundTransaction failed: Array
(
[TIMESTAMP] => 2012/11/03 18:09:52
[CORRELATIONID] => 9718ec23550ae
[ACK] => Failure
[VERSION] => 51.0
[BUILD] => 4181146
[L_ERRORCODE0] => 10002
[L_SHORTMESSAGE0] => Security error
[L_LONGMESSAGE0] => Security header is not valid
[L_SEVERITYCODE0] => Error
)
given the API request string
METHOD=RefundTransaction&VERSION=51.0&PWD=my_pwd&USER=my_uname_biz_api1.domain.com&SIGNATURE=my_sig&PAYERID=3YK31605PA817942B&REFUNDTYPE=Full&CURRENCYCODE=USD&INVOICEID=1238rfd1246
and the offending code (derived from the sample code here)
function PPHttpPost($methodName_, $nvpStr_)
{
    global $store_options;

    // Default to the sandbox endpoint and sandbox credentials.
    $API_Endpoint = "https://api-3t.sandbox.paypal.com/nvp";
    // Creates the $USER, $PWD and $SIGNATURE variables used below from the stored credential keys.
    foreach ($store_options->ppl_sdbx_api as $cred => $val) $$cred = urlencode($val);
    if (isset($store_options->paypal_live) && $store_options->paypal_live === 'true') {
        $API_Endpoint = "https://api-3t.paypal.com/nvp";
        foreach ($store_options->paypal_api as $cred => $val) $$cred = urlencode($val);
    }
    $version = urlencode('51.0');

    // Set the request.
    $nvpreq = "METHOD=$methodName_&VERSION=$version&PWD=$PWD&USER=$USER&SIGNATURE=$SIGNATURE$nvpStr_";
    // die("Error: $nvpreq");

    // Set the curl parameters.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $API_Endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, 1);
    // Set the request as a POST FIELD for curl.
    curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpreq);
    // not in example script but present in working ipn.php
    //curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Content-Length:" . strlen($nvpreq)));
    // also not in example script but present in working ipn.php
    //curl_setopt($ch, CURLOPT_HEADER , 0);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    // Verify the server certificate and host name so the API credentials are only sent to PayPal.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // not in example script but present in working ipn.php
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    // Get response from the server.
    $httpResponse = curl_exec($ch);
    if (!$httpResponse) {
        die("Error: $methodName_ failed: ".curl_error($ch).'('.curl_errno($ch).')');
    }

    // Extract the response details.
    $httpResponseAr = explode("&", $httpResponse);
    $httpParsedResponseAr = array();
    foreach ($httpResponseAr as $i => $value) {
        $tmpAr = explode("=", $value);
        if (sizeof($tmpAr) > 1) {
            $httpParsedResponseAr[$tmpAr[0]] = $tmpAr[1];
        }
    }
    if ((0 == sizeof($httpParsedResponseAr)) || !array_key_exists('ACK', $httpParsedResponseAr)) {
        die("Error: Invalid HTTP Response for POST request($nvpreq) to $API_Endpoint.");
    }
    return $httpParsedResponseAr;
}
Upvotes: 2
Views: 925
Reputation: 503
Finally! I got it. Found the answer here. First, YES IT IS POSSIBLE and no, SSL is NOT required, so... Turns out I just needed to reorder the API request:
USER=zzzzzz_api1.xxxxxx
PWD= xxxxxxxxxxxxxxxxxxxxxxx
SIGNATURE=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
METHOD=RefundTransaction
VERSION=59.0
TRANSACTIONID=1234567890
PAYERID=1234567890
REFUNDTYPE=Partial
AMT=0.01
Upvotes: 2
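An added example (not the poster's code and not PayPal's sample) that builds the RefundTransaction request in the field order the answer shows, URL-encodes each value once with http_build_query, keeps TLS verification on, and masks PWD and SIGNATURE before a request string can reach an error message such as the die() call in the question. The helper names are hypothetical, and the credentials, transaction ID and response body are constructed placeholders.

```php
<?php
// Added example; helper names are hypothetical, all values are constructed placeholders.

// Build the NVP body in the field order shown in the answer.
function build_refund_request(array $creds, array $refund): string {
    $fields = [
        'USER'      => trim($creds['USER']),
        'PWD'       => trim($creds['PWD']),
        'SIGNATURE' => trim($creds['SIGNATURE']),
        'METHOD'    => 'RefundTransaction',
        'VERSION'   => '59.0',
    ] + $refund; // array union: caller fields cannot overwrite the keys above
    return http_build_query($fields, '', '&'); // URL-encodes each value exactly once
}

// Mask secrets before a request string is logged or shown in an error message.
function redact_nvp(string $nvp): string {
    return preg_replace('/\b(PWD|SIGNATURE)=[^&]*/', '$1=[redacted]', $nvp);
}

// Decode an NVP response body; parse_str URL-decodes keys and values.
function parse_nvp(string $body): array {
    parse_str($body, $out);
    return $out;
}

// POST the request with certificate and host name verification left on.
function post_nvp(string $endpoint, string $nvp): array {
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $nvp,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('curl: ' . curl_error($ch) . ' for ' . redact_nvp($nvp));
    }
    return parse_nvp($body);
}

// Offline demonstration: nothing is sent to PayPal here.
$nvp = build_refund_request(
    ['USER' => 'seller_api1.example.com', 'PWD' => ' EXAMPLE-PWD ', 'SIGNATURE' => 'EXAMPLE-SIG'],
    ['TRANSACTIONID' => 'EXAMPLE-TXN-ID', 'REFUNDTYPE' => 'Partial', 'AMT' => '0.01']
);
echo redact_nvp($nvp), "\n";
print_r(parse_nvp('ACK=Failure&L_ERRORCODE0=10002&L_LONGMESSAGE0=Security%20header%20is%20not%20valid'));
```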