Since the rise of fraud coming from PayPal buyers is getting critical... you need to start supplying more information in the GET order details after a Buyer approves the payment through the PayPal terminal, so Merchants can decide the risk factor of whether that so-called buyer is the real owner of the PayPal account or some hacker.
Your current process:
- Merchant site presents cart and button to pay using PayPal.
- User clicks PayPal button to pay.
- User is directed to PayPal (now entirely out of the Merchant's hands).
- User falsely logs into someone else's PayPal account (to commit fraud).
- User 'confirms' the payment and is directed back to merchant site.
- At this point the Merchant gets the order details via the API, and only receives a buyer name/email... very little to go on for score detection.
- After the merchant captures the funds, later down the line the REAL owner of the PayPal account files a chargeback dispute and costs the merchant time and money.
This cycle then goes on and on because so many PayPal accounts are being hacked into on a daily basis, since most PayPal accounts do not have 2-factor enabled to protect them from such intrusions and false payment authorizations.
So, as a helpful bit of information, it would be nice if the API returned in the payer (object) whether or not that user had successfully gone through 2-factor to authorize the payment. A simple API return field of:
valid_2factor (bool)
true/false
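A merchant-side risk gate that consumes the proposed field, as an added example that is not part of the original post: the order-details layout, the e-mail comparison and the review threshold are assumptions, and valid_2factor is the post's proposal, not an existing API field. It also handles today's situation, where the field is simply absent.

```python
import json
from decimal import Decimal

# Assumed merchant policy: orders at or above this amount count as high-value.
REVIEW_THRESHOLD = Decimal("100.00")

# Constructed sample order-details bodies (not real PayPal data). The first
# carries the proposed valid_2factor field; the second is what the API
# returns today, with no 2-factor information at all.
ORDER_WITH_2FA = json.dumps({
    "id": "EXAMPLE-ORDER-1", "status": "APPROVED",
    "payer": {"email_address": "buyer@example.com", "valid_2factor": True},
    "purchase_units": [{"amount": {"currency_code": "USD", "value": "250.00"}}],
})
ORDER_TODAY = json.dumps({
    "id": "EXAMPLE-ORDER-2", "status": "APPROVED",
    "payer": {"email_address": "buyer@example.com"},
    "purchase_units": [{"amount": {"currency_code": "USD", "value": "250.00"}}],
})

def assess_order(order_json: str, checkout_email: str) -> dict:
    """Score an approved order and decide whether to capture or hold for review.

    order_json: GET order-details body (field layout assumed; valid_2factor
    is the post's proposal, not an existing field).
    checkout_email: e-mail the buyer entered on the merchant's own checkout.
    """
    order = json.loads(order_json)
    if order.get("status") != "APPROVED":
        return {"decision": "reject", "score": 0, "reasons": ["not approved"]}
    payer = order.get("payer", {})
    amount = sum(Decimal(u["amount"]["value"]) for u in order.get("purchase_units", []))
    score, reasons = 0, []
    two_factor = payer.get("valid_2factor")  # True / False / None (absent)
    if two_factor is False:
        score += 3
        reasons.append("buyer did not pass 2-factor at PayPal")
    elif two_factor is None:
        score += 1
        reasons.append("2-factor status unknown: field absent from API")
    if payer.get("email_address", "").lower() != checkout_email.strip().lower():
        score += 2
        reasons.append("PayPal e-mail differs from checkout e-mail")
    if amount >= REVIEW_THRESHOLD:
        score += 1
        reasons.append(f"high-value order: {amount}")
    # Anything scoring 2 or more goes to a human before funds are captured.
    decision = "review" if score >= 2 else "capture"
    return {"decision": decision, "score": score, "reasons": reasons}
```

With the field present and true, the same 250.00 order is captured straight away; without it, the order is held for review before capture.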