Instant Payment Notification (IPN)
IPN Notification Validation: Preventing Fraud
32 October 2006 Order Management Integration Guide
1. Sending a shared secret that only you know, described in “Shared Secret Validation” on
page 32. PayPal recommends this method because it ensures the validity of the data and
decreases network traffic to and from your website. Shared secret validation is appropriate:
• if you are not using a shared website hosting service;
• if you have enabled SSL on your web server;
• if you are using PayPal Encrypted Website Payments;
• if you use the notify_url variable on each individual payment transaction.
The secret travels inside the notify_url, which is part of the payment form the buyer's
browser submits and of the URL PayPal later posts to; the SSL and Encrypted Website
Payments conditions keep it from being read in transit or from the form source.
2. Posting the IPN data back to PayPal after you receive it, so that PayPal confirms the
notification is genuine, described in “Your HTTPS Postback to PayPal” on page 33. Postback
is appropriate:
• if you rely on a shared website hosting service;
• if you do not have SSL enabled on your web server.
Both methods rely on the concept of a notification URL, which is described in the next
section.
Shared Secret Per Transaction or by Profile Setting
The URL to which PayPal posts IPN data is called the notification URL. It can be set either
with each individual payment transaction or globally in your Profile for all transactions:
• Per Transaction: If you want to receive payment notifications for different payments at
different URLs (for example, if you need to separate payments to different websites you
run), use the notify_url variable to pass the notification URL. With each payment PayPal
saves the value of the notify_url for that specific payment, and any subsequent updates to
that payment (such as a cleared eCheck) are sent to that notify_url. When you pass a
notify_url in your post, it overrides the setting in your Profile.
NOTE: The value of notify_url must be URL-encoded.
• Profile Setting: If you want to receive your IPNs at only a single URL, enter that URL in
the Preferences section of your Profile.
Likewise, the shared secret you use to validate that an IPN is genuine can be set either
with each individual payment transaction or globally in your Profile for all transactions:
• Per Transaction: If you want a distinct shared secret for each payment, append a FORM
variable name and a shared secret value to the value of the notify_url variable. When you
pass a shared secret in your payment post, it overrides the setting in your Profile.
• Profile Setting: If you want the same shared secret for every transaction, enter that
shared secret in the Preferences section of your Profile.
Shared Secret Validation
The recommended method for notification validation is to use a shared secret on individual
payment transactions. Add a shared secret variable and value to the value of the notify_url