Since the rise of fraud coming from PayPal buyers is getting critical... you need to start supplying more information in the GET orders details after a Buyer approves the payment through the PayPal terminal. So Merchants can decide the risk factor if that so-called-buyer is the real owner of the PayPal account, or some hacker.

Your current process:

1. Merchant site presents cart and button to pay using PayPal.
2. User clicks PayPal button to pay.
3. User is directed to PayPal (now entirely out of Merchants hands).
4. User falsely logs into someone else's PayPal account (to commit fraud).
5. User 'confirms' the payment and is directed back to merchant site.
6. At this point Merchant gets order details via API, and only receives a buyer name/email... very little to go on for score detection.
7. After merchant captures funds, later down the line the REAL owner of the PayPal account files a chargeback dispute and costs the merchant time and money.

This cycle then goes on and on because so many PayPal accounts are being hacked in on a daily basis because most PayPal accounts do not have 2-factor enabled to protect them from such intrusions and false payment authorizations.

So, as a helpful bit of information, it would be nice if the API returned in the payer(object) whether or not that user had successfully gone through 2-factor or not to authorize the payment. A simple API return field of: valid_2factor (bool) true/false