I have the following, pretty standard, flow from product selection through to payment:
1. Customer adds a product to cart
2. Customer views cart
3. Customer selects ‘Checkout’
4. Customer enters shipping address
5. Shipping fee is calculated
6. Customer views full costs, selects ‘pay now’
7. Cart item and shipping details are sent to PayPal
8. Customer logs into PayPal, views purchase details and authorises payment
9. Customer returns to site
I’m wondering what security issues I should be considering. The payment is PayPal’s responsibility, and I’m not storing any customer details apart from sale tokens/details, but:
Is there anything I should be double checking?
What if a customer enters a shipping address that is different to the one they have stored at PayPal? Are there any issues regarding PayPal seller guarantees? Should I only send to the PayPal stored address?
Hello @icicic,
Thank you for posting to the PayPal Community.
You can use the shipping_preference setting to assist you with passing the shipping address from your shopping cart into the PayPal transaction, and not allowing the shipping address to be changed.
Here are the possible values:
https://developer.paypal.com/docs/api/orders/v2/#orders_create
shipping_preference (enum)
The location from which the shipping address is derived.
The possible values are:
GET_FROM_FILE. Get the customer-provided shipping address on the PayPal site.
NO_SHIPPING. Redacts the shipping address from the PayPal site. Recommended for digital goods.
SET_PROVIDED_ADDRESS. Get the merchant-provided address. The customer cannot change this address on the PayPal site. If merchant does not pass an address, customer can choose the address on PayPal pages.
If you use SET_PROVIDED_ADDRESS and pass in the shipping address in the payment request, the buyer cannot change the address when they are in their PayPal account.
Thank you,
Jennifer
MTS
PayPal
Thank you @MTS_Jennifer
Has the create order request changed recently? I've been using application_context rather than experience_context.
Hi @icicic ,
Good catch! According to the documentation, it looks like the fields in application_context are now available in experience_context.
https://developer.paypal.com/docs/api/orders/v2/#definition-application_context
experience_context
Customizes the payer experience during the approval process for the payment.
I did test in sandbox: if you change application_context to experience_context, although you will not receive an error message when creating the order, any details you normally have in application_context are completely ignored. This causes the buyer to be unable to complete the payment, since the return URL is being ignored. As far as I can see, experience_context has to do with experience profiles. If you are not using experience profiles, do not use the experience_context.
Thank you,
Jennifer
MTS
PayPal
In fact, the sample request in the API documentation seems to have changed and displays an example that uses experience context. Can application context still be used!?
curl -v -X POST https://api-m.sandbox.paypal.com/v2/checkout/orders \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <Access-Token>" \
  -H "PayPal-Request-Id: 7b92603e-77ed-4896-8e78-5dea2050476a" \
  -d '{
    "intent": "CAPTURE",
    "purchase_units": [
      {
        "reference_id": "d9f80740-38f0-11e8-b467-0ed5f89f718b",
        "amount": {
          "currency_code": "USD",
          "value": "100.00"
        }
      }
    ],
    "payment_source": {
      "paypal": {
        "experience_context": {
          "payment_method_preference": "IMMEDIATE_PAYMENT_REQUIRED",
          "payment_method_selected": "PAYPAL",
          "brand_name": "EXAMPLE INC",
          "locale": "en-US",
          "landing_page": "LOGIN",
          "shipping_preference": "SET_PROVIDED_ADDRESS",
          "user_action": "PAY_NOW",
          "return_url": "https://example.com/returnUrl",
          "cancel_url": "https://example.com/cancelUrl"
        }
      }
    }
  }'
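One way to do the double checking asked about at the top of the thread, as an added example that is not from the thread or from PayPal: build the order body from the stored sale with SET_PROVIDED_ADDRESS, laid out like the sample request quoted above, then compare the order fetched from PayPal with that sale before shipping. The `SALE` record, the function names and the assumption that PayPal returns the address fields as they were sent are assumptions of this example.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side sale record (hypothetical shape, not a PayPal object).
SALE = {"id": "sale-1001", "currency": "USD", "total": "100.00",
        "address": {"address_line_1": "1 Example St", "admin_area_2": "San Jose",
                    "admin_area_1": "CA", "postal_code": "95131",
                    "country_code": "US"}}

def build_order(sale, return_url, cancel_url):
    """Create-order body built only from the stored sale, never from browser input."""
    return {
        "intent": "CAPTURE",
        "purchase_units": [{
            "reference_id": sale["id"],
            "amount": {"currency_code": sale["currency"],
                       "value": f"{Decimal(sale['total']):.2f}"},
            "shipping": {"address": dict(sale["address"])},
        }],
        "payment_source": {"paypal": {"experience_context": {
            "shipping_preference": "SET_PROVIDED_ADDRESS",
            "user_action": "PAY_NOW",
            "return_url": return_url,
            "cancel_url": cancel_url}}},
    }

def _norm(text):
    # Ignore case and spacing differences (assumed to be the only reformatting).
    return " ".join(str(text).split()).casefold()

def order_mismatches(sale, order):
    """Names of fields where the order fetched from PayPal differs from the sale."""
    units = order.get("purchase_units") or []
    if len(units) != 1:
        return ["purchase_units"]
    unit, bad = units[0], []
    amount = unit.get("amount") or {}
    if unit.get("reference_id") != sale["id"]:
        bad.append("reference_id")
    if amount.get("currency_code") != sale["currency"]:
        bad.append("currency_code")
    try:
        paid = Decimal(str(amount.get("value")))
    except InvalidOperation:
        paid = None  # missing or non-numeric amount counts as a mismatch
    if paid != Decimal(sale["total"]):
        bad.append("value")
    shipped = (unit.get("shipping") or {}).get("address") or {}
    for field, wanted in sale["address"].items():
        if _norm(shipped.get(field, "")) != _norm(wanted):
            bad.append("shipping." + field)
    return bad
```

Ship or capture only when `order_mismatches` returns an empty list for the order object read back from PayPal on the server.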
©1999-2023 PayPal, Inc. All rights reserved.