Does PDT require SSL?

Fashon
Contributor

Does Payment Data Transfer with Auto Return require SSL?

I'm having a problem and wonder if that is the reason?

9 REPLIES

Misty11
Advisor

Hello Fashon,

Welcome to the Community.

This is a great question; however, PayPal does have a Developer Forum dedicated specifically to PDT, and they will be able to better answer your questions. Here is a direct link. I hope this will help.

Misty

AndreaL
Contributor

Hello Fashon,

Yes, Payment Data Transfer with Auto Return requires SSL for encryption. With PHP you wouldn't have any problem using cURL, because cURL silently manages SSL transactions. You could have some problems with Perl LWP, because Perl does not natively support SSL, so LWP tries to manage SSL transactions using another module, usually SSLeay.

I found this Italian page with the working PHP code:

http://www.punto-bit.com/cgi-bin/main.pl?mART=3&la=en

I hope this will help.

Andrea

PayPal_RobG
PayPal Employee

Hello Fashon,

 

No, PDT does not require the return URL to be on an SSL-secured page. Normal HTTP is fine.

You do need to post to httpS://www.paypal.com/cgi-bin/webscr?cmd=_notify-synch when retrieving the data from us.

----
For technical assistance with PayPal merchant product offerings, please file a ticket at https://www.paypal.com/mts/

Misty11
Advisor

Hello PayPal_RobG,

Thank you so much for posting this information in regards to PDT and helping clear up any confusion; it is really appreciated.

Misty

AndreaL
Contributor

Sorry, but I am trying to have some response posting to httpS://www.paypal.com/cgi-bin/webscr?cmd=_notify-synch, without SSL. But the server is not sending anything. Are you sure that this URL is valid? Is there any PayPal page where a user may find this info, please?

Thanks

Andrea

PayPal_RobG
PayPal Employee

Hi Andrea,

https://www.paypal.com/cgi-bin/webscr?cmd=_notify-synch already indicates (with the HTTPS) it uses SSL. You shouldn't use http://www.paypal.com (non-SSL).

This is different from the actual return URL you are using. That is, the URL within your website that the buyer is being returned to. This can be both SSL-secured and non-SSL secured.

There is no specific documentation for this per se. Some of it is mentioned in the Order Management Integration Guide, but there is no specific guide which mentions all requirements for each specific URL.

The rule of thumb is: If you're connecting to PayPal, use SSL. If PayPal is returning a buyer to your website within the browser, SSL is not required on your website.

I hope this clears it up.

AndreaL
Contributor

Unfortunately (for me) it is not clear. I mean: the main question of this topic was: "Does Payment Data Transfer with Auto Return require SSL? I'm having a problem and wonder if that is the reason?". In your "Order Management Integration Guide", under the "Differences between Payment Data Transfer (PDT) and Instant Payment Notification (IPN)" section, I read: "Because credit card and bank information is not transmitted in Instant Payment Notification (IPN), PayPal does not require Secure Sockets Layer (SSL) to encrypt IPN transmissions." In human language, this sentence would mean: for PDT transactions, PayPal requires SSL; for IPN transactions, it does not.

In the real world, I am trying to use both the raw socket Perl function and the Wget Linux function to manage a connection to your server from my server where SSL is not supported. The results, in Sandbox environment, are: 1) If I call your https server for PDT, I do not receive anything (no errors, no headers, nothing); 2) if I call your https server for IPN, I receive all data. And this seems to be consistent with sentences I quoted before. After your last message, I tried to call your server for PDT, adding the query string to URL: webscr?cmd=_notify-synch, but the result seems to be always the same: nothing returned.

When you write: "The rule of thumb is: If you're connecting to PayPal, use SSL" I suppose that PayPal requires SSL for PDT transactions. And this is my final question: may I send the cmd, at and tx string to your server without any SSL compliance? I suppose I cannot.

I hope this definitely clears my doubts.

Thanks a lot for your patience.

Andrea

PayPal_RobG
PayPal Employee

Hello Andrea,

No problem at all.

> Unfortunately (for me) it is not clear. I mean: the main question of this topic was: "Does Payment Data Transfer with Auto Return require SSL? I'm having a problem and wonder if that is the reason?". In your "Order Management Integration Guide", under the "Differences between Payment Data Transfer (PDT) and Instant Payment Notification (IPN)" section, I read: "Because credit card and bank information is not transmitted in Instant Payment Notification (IPN), PayPal does not require Secure Sockets Layer (SSL) to encrypt IPN transmissions." In human language, this sentence would mean: for PDT transactions, PayPal requires SSL; for IPN transactions, it does not.

No, no such requirement is implied in this sentence. PDT and IPN operate differently, and as such there is no need for such a requirement with PDT.

With IPN, we send information from the PayPal server(s) to your IPN script. The information flows from PayPal => to your script. When you want to validate the IPN data, you return it to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate

With PDT, you request the information from us; that is, from paypal.com/cgi-bin/webscr?cmd=_notify-synch. You must connect to us via SSL on https://www.paypal.com/cgi-bin/webscr?cmd=_notify-synch

> In the real world, I am trying to use both the raw socket Perl function and the Wget Linux function to manage a connection to your server from my server where SSL is not supported. The results, in Sandbox environment, are: 1) If I call your https server for PDT, I do not receive anything (no errors, no headers, nothing); 2) if I call your https server for IPN, I receive all data. And this seems to be consistent with sentences I quoted before. After your last message, I tried to call your server for PDT, adding the query string to URL: webscr?cmd=_notify-synch, but the result seems to be always the same: nothing returned.

When you say "where SSL is not supported", you are likely referring to the fact that SSL is not supported for your own domain on this server. It would be very unlikely if you're unable to create outgoing SSL-connections on port 443 (which is what you're doing when you're connecting to https://www.paypal.com/, either via a script or via a browser).

> When you write: "The rule of thumb is: If you're connecting to PayPal, use SSL" I suppose that PayPal requires SSL for PDT transactions. And this is my final question: may I send the cmd, at and tx string to your server without any SSL compliance? I suppose I cannot.

The original question referred to whether the value of the "return" parameter must be SSL-secured or not. That's not the case, as <input type="hidden" name="return" value="http://www.yourdomain.com/return.html"> will work just as well as <input type="hidden" name="return" value="https://www.yourdomain.com/return.html">

To answer your question: no, you must use SSL to connect to PayPal to retrieve PDT details.

I hope this clears it up. Otherwise, please feel free to create a ticket for your individual issue with PDT by navigating to https://www.paypal.com/mts/

AndreaL
Contributor

Thanks RobG,

now it is clear. When you write: "It would be very unlikely if you're unable to create outgoing SSL-connections on port 443" you are right, but I had to discover that many hosting packages do not offer any SSL support. When I had to solve a friend's problem, the only solution I found was the cURL PHP function, where they probably forgot to disable the SSL internal support.

Thanks.

Andrea
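
The rule of thumb from this thread, as an added Python example that is not code from any poster or from PayPal: the "return" URL may be plain HTTP, but the server-side lookup of the transaction must go to PayPal over HTTPS with certificate verification. The function names, the `identity_token` parameter name and the sample reply are constructed for illustration; the SUCCESS/FAIL reply layout is an assumption taken from PayPal's PDT documentation and is not shown in the thread.

```python
import ssl
import urllib.parse
import urllib.request

# Endpoint quoted in the thread; cmd, tx and at are sent as POST fields.
PDT_ENDPOINT = "https://www.paypal.com/cgi-bin/webscr"

# Constructed sample reply (not real transaction data).
SAMPLE_REPLY = ("SUCCESS\npayment_status=Completed\nmc_gross=10.00\n"
                "item_name=Blue+T-shirt\npayer_email=buyer%40example.com\n")


def build_pdt_request(tx, identity_token, endpoint=PDT_ENDPOINT):
    """Build the POST that asks PayPal for the details of transaction `tx`."""
    # Outbound side of the rule: refuse anything that is not HTTPS.
    if urllib.parse.urlsplit(endpoint).scheme != "https":
        raise ValueError("PDT lookups must be sent to PayPal over HTTPS")
    body = urllib.parse.urlencode(
        {"cmd": "_notify-synch", "tx": tx, "at": identity_token})
    return urllib.request.Request(
        endpoint, data=body.encode("ascii"), method="POST")


def fetch_pdt(tx, identity_token, timeout=15):
    """Send the lookup; needs outbound port 443, not SSL on your own site."""
    # Default context verifies the certificate chain and the host name.
    context = ssl.create_default_context()
    request = build_pdt_request(tx, identity_token)
    with urllib.request.urlopen(request, timeout=timeout,
                                context=context) as reply:
        # Charset is an assumption; undecodable bytes are replaced.
        return reply.read().decode("utf-8", "replace")


def parse_pdt_response(text):
    """Return the decoded fields on SUCCESS, or None on FAIL or empty reply."""
    lines = text.strip().splitlines()
    if not lines or lines[0].strip() != "SUCCESS":
        return None
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:  # skip anything that is not key=value
            fields[urllib.parse.unquote_plus(key)] = \
                urllib.parse.unquote_plus(value)
    return fields


if __name__ == "__main__":
    print(parse_pdt_response(SAMPLE_REPLY))
```

An empty or FAIL reply, such as the "nothing returned" case described above, yields `None` and should be treated as an unconfirmed payment.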
