Order Management Integration Guide October 2006 33
Instant Payment Notification (IPN)
IPN Notification Validation: Preventing Fraud
variable to which the IPN data is posted after a payment is made. The shared secret consists of
the following:
notify_url=yourIPNnotificationURL?shared_secret_variable_name=shared_secret_value
where:
yourIPNnotificationURL is a URL on your website at which you want to receive notification.
shared_secret_variable_name is any variable name you want.
shared_secret_value is the shared secret itself.
For example, the value of notify_url variable might look like this:
notify_url=https%3A//www.mysite.com/PP-IPN-Validate.cfm?secret=shhhhhhh
Security Considerations with Shared Secret Validation
To ensure the security of your shared secret, you should use Encrypted Website Payments
(EWP). For information about EWP, see the PayPal Website Payments Standard Checkout
Integration Guide.
The value of the shared secret is not encrypted; it is in clear text for easier processing.
Therefore, the shared secret value is recorded in your web server’s access log. Be sure to
practice proper security for your server access logs. If you use a web server hosting service,
ensure that your provider practices proper security of your data.
NOTE: Your notification URL should check the validity of the returned shared secret and flag
for investigation any transaction that does not have the correct shared secret.
Your HTTPS Postback to PayPal
The second method for validating your receipt of an IPN is to post back to PayPal the exact
variables and values you received in the IPN.
Constructing the POST
Here are the guidelines for constructing the IPN HTTPS POST to PayPal for notification
validation.
NOTE: You can implement IPN without SSL, but PayPal recommends against doing so.
1. Your POST must be sent to https://www.paypal.com/cgi-bin/webscr.
2. You must include the variable cmd with the value _notify-validate:
cmd=_notify-validate
3. You must post all the form variables you received exactly as you received them.
PayPal Response to Postback
PayPal responds to the postback with a single word in the body of the response: VERIFIED or
INVALID.
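The following is an added example, not code from this guide or from PayPal, showing both validation methods described above in one IPN handler: the shared-secret check on the notification URL, and the HTTPS postback with cmd=_notify-validate followed by the received variables exactly as they arrived. It assumes Python 3 with only the standard library; the function and variable names, the sample notification URL and body, and the shared secret value are all constructed for this example. The constant-time comparison of the shared secret and the injectable `poster` callable (so the logic can be exercised without contacting PayPal) are additions of this example, not requirements of the guide.

```python
import hmac
import urllib.request
from urllib.parse import parse_qs, urlsplit

# Constructed values for this example. The real shared secret is whatever
# you placed in notify_url when the payment button was created.
PAYPAL_VALIDATE_URL = "https://www.paypal.com/cgi-bin/webscr"
SHARED_SECRET_NAME = "secret"        # the shared_secret_variable_name you chose
SHARED_SECRET_VALUE = "shhhhhhh"     # the shared_secret_value (constructed)


def shared_secret_is_valid(notify_url: str) -> bool:
    """Method 1: check the shared secret carried in the query string of the
    URL that PayPal posted the IPN to. A constant-time comparison is used
    here (an addition of this example, not something the guide requires)."""
    query = parse_qs(urlsplit(notify_url).query)
    supplied = query.get(SHARED_SECRET_NAME, [""])[0]
    return hmac.compare_digest(supplied.encode(), SHARED_SECRET_VALUE.encode())


def build_postback(raw_ipn_body: bytes) -> bytes:
    """Method 2: build the postback body. cmd=_notify-validate is prepended
    and the raw IPN body is appended byte-for-byte, so every variable goes
    back exactly as received (no re-parsing, re-encoding or reordering)."""
    return b"cmd=_notify-validate&" + raw_ipn_body


def post_to_paypal(body: bytes) -> str:
    """Default transport: POST the body to PayPal over HTTPS and return the
    single-word response body (VERIFIED or INVALID)."""
    req = urllib.request.Request(
        PAYPAL_VALIDATE_URL,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def validate_ipn(notify_url: str, raw_ipn_body: bytes, poster=post_to_paypal) -> dict:
    """Run both checks and return a verdict dict. `poster` is injectable so
    the handler logic can be tested without network access."""
    result = {
        "shared_secret_ok": shared_secret_is_valid(notify_url),
        "postback_reply": None,
        "verified": False,
        "flag_for_investigation": False,
    }
    if not result["shared_secret_ok"]:
        # Guide: flag for investigation any transaction that does not carry
        # the correct shared secret. Do not bother PayPal with the postback.
        result["flag_for_investigation"] = True
        return result
    reply = poster(build_postback(raw_ipn_body)).strip()
    result["postback_reply"] = reply
    # Require the exact word VERIFIED; INVALID, an HTML error page or an
    # empty body all mean the notification must not be trusted.
    result["verified"] = reply == "VERIFIED"
    result["flag_for_investigation"] = not result["verified"]
    return result


if __name__ == "__main__":
    # Constructed sample notification (not a real PayPal message).
    sample_url = "https://www.mysite.com/PP-IPN-Validate.cfm?secret=shhhhhhh"
    sample_body = b"payment_status=Completed&txn_id=EXAMPLE123&mc_gross=10.00"
    # Stand-in for PayPal so the example runs offline.
    fake_paypal = lambda body: "VERIFIED" if body.startswith(b"cmd=_notify-validate&") else "INVALID"
    print(validate_ipn(sample_url, sample_body, poster=fake_paypal))
```

In a real handler, capture the raw POST body bytes before any web framework parses them; building the postback from a parsed-and-re-encoded dictionary can change ordering or escaping and turn a good notification into an INVALID reply.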
When you receive a VERIFIED response, perform the following checks: