Reputation: 15966
I have implemented PayPal ExpressCheckout in my website. It worked fine, but I have a problem with the process flow. From what I did understand
The problem is that the payment is actually processed in your website. It's possible that you charge the user any amount without him even knowing it. Isn't that a reasonably terrible security issue?
Am I missing something?
Upvotes: 0
Views: 97
Reputation: 19356
You can't process a token with a higher amount than the buyer initially authorized (there are ways around this if you need to, with Reference Transactions, but that's not in the scope of this question).
Upvotes: 0
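As an added illustration (not code from the answerer or from PayPal), here is a small Python simulation of the three-step flow the answer describes: the gateway binds the token to the amount the buyer approved and refuses a later capture above it, and the merchant side takes the capture amount from its own order record rather than from anything the browser sends. The method names echo the classic NVP calls SetExpressCheckout and DoExpressCheckoutPayment; the `Gateway` class, its token records and the payer id are constructed stand-ins.

```python
"""Constructed simulation of Express Checkout; not PayPal's implementation."""
from dataclasses import dataclass, field
from decimal import Decimal
import secrets

PAYER_ID = "PAYERID-constructed"  # stand-in for the id PayPal returns after login


@dataclass
class Gateway:
    """Stand-in for PayPal: remembers what each token was authorized for."""
    tokens: dict = field(default_factory=dict)

    def set_express_checkout(self, amount: Decimal) -> str:
        # Merchant tells the gateway the amount; buyer will see exactly this.
        token = "EC-" + secrets.token_hex(8)
        self.tokens[token] = {"authorized": amount, "approved": False, "used": False}
        return token

    def buyer_approves(self, token: str) -> str:
        # Buyer reviews the amount on the gateway side and approves it.
        self.tokens[token]["approved"] = True
        return PAYER_ID

    def do_express_checkout_payment(self, token: str, payer_id: str, amount: Decimal) -> dict:
        rec = self.tokens.get(token)
        if rec is None or not rec["approved"] or payer_id != PAYER_ID:
            return {"ACK": "Failure", "reason": "unknown or unapproved token"}
        if rec["used"]:
            return {"ACK": "Failure", "reason": "token already consumed"}
        if amount > rec["authorized"]:
            # The cap the answer describes: capture cannot exceed authorization.
            return {"ACK": "Failure", "reason": "amount exceeds buyer authorization"}
        rec["used"] = True
        return {"ACK": "Success", "AMT": str(amount)}


def charge_order(gw: Gateway, order_total: Decimal) -> dict:
    """Merchant side: the capture amount is the server-side order total, so the
    figure shown to the buyer and the figure captured are the same value."""
    token = gw.set_express_checkout(order_total)
    payer_id = gw.buyer_approves(token)
    return gw.do_express_checkout_payment(token, payer_id, order_total)
```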
Reputation: 191819
Yes, you can come up with the amount to charge the user, but charging them for more than the amount you show them would be fraud and probably theft (i.e. highly illegal), especially if you provide a receipt and the amount on the receipt does not match the charge. Many credit card companies have a limit for large charges and will put a stop on them, or at least ask the holder if the charge is legitimate.
By the same token, you could give your card to a waiter in a restaurant and they can charge whatever they want to it before bringing it back to you. Offline credit card fraud is still much more prevalent.
Upvotes: 1