Is a webhook required to guarantee a safe payment
I am using the REST APIs to execute payments. I know that the documented steps are:
- Create a payment
- Redirect the user to the PayPal approval URL obtained from the payment creation
- The user enters payment information and is redirected to the return URL
- Execute the payment unless it has been canceled by the user
After the payment is executed, it is possible to retrieve the payment once again and check that the payment status is 'approved' and the state of the sale now available in the payment is 'completed'.
Is this all that needs to be done for me to assume that I will get the money and update my back office? Or should I only update my back office once I receive the PAYMENT.SALE.COMPLETED (which implies more development on my side, of course)?
According to this answer on stackoverflow:
"At the moment where you (in your success URL) do $payment->execute($paymentExecution,$api); , you ask Paypal to charge the amount from user. BUT also after this, you got no Money. Paypal have first to process the charging and notify you later via WebhookEvents. The Webhook Notification (with that nasty delay) is especially important when the user pays per direct debit or Credit Card etc. Processing such Payments takes few seconds/minutes. [...] so i would recommend you to update your Database(Payment completed) only after receiving notifications via WebhookEvent Listener and not in the success RedirectUrl."
Do you approve of this recommendation? Can the payment execution take so long that it is better to wait for the event notification in a webhook?
The situation seems to me to be worse than you suggest. I'm unable to understand how _anything_ in the Client Integration flow guarantees to the merchant that payment was offered to PayPal, let alone captured. To my understanding, only if you receive and verify a WebHook notification can you know payment was really offered/captured by PayPal. I hope I'm wrong, but it appears that every merchant that doesn't verify webhooks is vulnerable to simple attacks that spoof the payment flow without ever paying. PayPal has never been a merchant's friend, but if this is really as it appears it's downright irresponsible to leave this vulnerability in plain sight AND not to warn merchants about it.
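As an added example (not code from this thread or from PayPal's SDK), here is the webhook-side check the replies are asking for: the order is marked paid only after the notification's signature verifies, the event is a completed PAYMENT.SALE.COMPLETED that has not been seen before, and the sale's payment id, amount and currency match what was stored when the payment was created. The ORDERS store, the `verifier` hook and the use of `parent_payment` as the lookup key are assumptions.

```python
import json
from decimal import Decimal, InvalidOperation
from typing import Callable, Dict, Set, Tuple

# Constructed local order store, keyed by the PayPal payment id saved at
# payment creation (step 1 of the flow). Assumed schema, not PayPal's.
ORDERS: Dict[str, dict] = {
    "PAY-TEST-0001": {"total": Decimal("49.99"), "currency": "EUR", "paid": False},
}
# Event ids already handled, so a replayed notification cannot credit an order twice.
PROCESSED_EVENT_IDS: Set[str] = set()

# Signature verifier hook (assumed interface). In production this would call
# PayPal's verify-webhook-signature endpoint with the PAYPAL-* transmission
# headers and your webhook id, returning True only on verification_status SUCCESS.
Verifier = Callable[[Dict[str, str], bytes], bool]


def handle_webhook(headers: Dict[str, str], raw_body: bytes, verifier: Verifier) -> Tuple[bool, str]:
    """Return (order_marked_paid, reason). The order is credited only for a
    verified, completed sale whose amount and currency match the stored order."""
    if not verifier(headers, raw_body):
        return False, "signature verification failed"
    event = json.loads(raw_body)
    if event.get("event_type") != "PAYMENT.SALE.COMPLETED":
        return False, "ignored event type"
    event_id = event.get("id")
    if not event_id or event_id in PROCESSED_EVENT_IDS:
        return False, "missing or already processed event id"
    sale = event.get("resource", {})
    if sale.get("state") != "completed":
        return False, "sale state is not completed"
    order = ORDERS.get(sale.get("parent_payment"))
    if order is None:
        return False, "unknown payment id"
    amount = sale.get("amount", {})
    try:
        total_ok = Decimal(amount.get("total", "")) == order["total"]
    except InvalidOperation:
        total_ok = False
    if not total_ok or amount.get("currency") != order["currency"]:
        return False, "amount or currency mismatch"
    PROCESSED_EVENT_IDS.add(event_id)
    if order["paid"]:
        return False, "order already paid"
    order["paid"] = True
    return True, "order marked paid"


# Constructed sample body in the shape of a PAYMENT.SALE.COMPLETED notification.
SAMPLE_EVENT = json.dumps({
    "id": "WH-TEST-1", "event_type": "PAYMENT.SALE.COMPLETED",
    "resource": {"state": "completed", "parent_payment": "PAY-TEST-0001",
                 "amount": {"total": "49.99", "currency": "EUR"}},
}).encode()
```

The return-URL handler should do no more than show the user a pending page; the back office is updated only from this path.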