Hello Andrea,
No problem at all.
Unfortunately (for me) it is not clear. I mean: the main question of this topic was: "Does Payment Data Transfer with Auto Return require SSL? I'm having a problem and wonder if that is the reason?". In your "Order Management Integration Guide", under the "Differences between Payment Data Transfer (PDT) and Instant Payment Notification (IPN)" section, I read: "Because credit card and bank information is not transmitted in Instant Payment Notification (IPN), PayPal does not require Secure Sockets Layer (SSL) to encrypt IPN transmissions." In human language, this sentence would mean: for PDT transactions, PayPal requires SSL; for IPN transactions, it does not.
No, no such requirement is implied in this sentence. PDT and IPN operate differently, and as such there is no need for such a requirement with PDT.
With IPN, we send information from the PayPal server(s) to your IPN script. The information flows from PayPal => to your script. When you want to validate the IPN data, you return it to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate
With PDT, you request the information from us; that is, from paypal.com/cgi-bin/webscr?cmd=_notify-synch. You must connect to us via SSL on https://www.paypal.com/cgi-bin/webscr?cmd=_notify-synch
In the real world, I am trying to use both the raw socket Perl function and the Wget Linux function to manage a connection to your server from my server where SSL is not supported. The results, in Sandbox environment, are: 1) If I call your https server for PDT, I do not receive anything (no errors, no headers, nothing); 2) if I call your https server for IPN, I receive all data. And this seems to be consistent with sentences I quoted before. After your last message, I tried to call your server for PDT, adding the query string to URL: webscr?cmd=_notify-synch, but the result seems to be always the same: nothing returned.
When you say "where SSL is not supported", you are likely referring to the fact that SSL is not supported for your own domain on this server. It would be very unlikely if you're unable to create outgoing SSL-connections on port 443 (which is what you're doing when you're connecting to https://www.paypal.com/, either via a script or via a browser).
When you write: "The rule of thumb is: If you're connecting to PayPal, use SSL" I suppose that PayPal requires SSL for PDT transactions. And this is my final question: may I send the cmd, at and tx string to your server without any SSL compliance? I suppose I can not.
The original question referred to whether the value of the "return" parameter must be SSL-secured or not. That's not the case, as <input type="hidden" name="return" value="http://www.yourdomain.com/return.html"> will work just as well as <input type="hidden" name="return" value="https://www.yourdomain.com/return.html">
To answer your question: no, you must use SSL to connect to PayPal to retrieve PDT details.
I hope this clears it up. Otherwise, please feel free to create a ticket for your individual issue with PDT by navigating to https://www.paypal.com/mts/
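The PDT request discussed in this thread, as an added example that is not part of the original post and is not PayPal's own code: it posts cmd, tx and at to the notify-synch URL over certificate-verified TLS and refuses any endpoint that is not https. The function names, the constructed sample reply and the reply layout (a SUCCESS or FAIL line followed by URL-encoded key=value lines) are assumptions, not taken from the thread.

```python
import ssl
import urllib.parse
import urllib.request

PDT_ENDPOINT = "https://www.paypal.com/cgi-bin/webscr"  # URL quoted in the thread

# Constructed sample reply, used only to exercise the parser offline.
SAMPLE_REPLY = "SUCCESS\npayment_status=Completed\nitem_name=Test+item%21\n"


def build_pdt_request(tx, at, endpoint=PDT_ENDPOINT):
    """Build the notify-synch POST; reject any endpoint that is not https."""
    parts = urllib.parse.urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("PDT endpoint must be an https:// URL")
    body = urllib.parse.urlencode({"cmd": "_notify-synch", "tx": tx, "at": at})
    return urllib.request.Request(endpoint, data=body.encode("ascii"), method="POST")


def parse_pdt_response(text):
    """Return (ok, fields) from a reply body (layout assumed, see lead-in)."""
    lines = text.strip().splitlines()
    if not lines:
        # An empty reply, the symptom described in the thread, counts as failure.
        return False, {}
    ok = lines[0].strip() == "SUCCESS"
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = urllib.parse.unquote_plus(value)
    return ok, fields


def fetch_pdt(tx, at, timeout=15):
    """Send the request; the default context verifies certificate and hostname."""
    ctx = ssl.create_default_context()
    req = build_pdt_request(tx, at)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_pdt_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print(parse_pdt_response(SAMPLE_REPLY))
```

`fetch_pdt` needs only outgoing access on port 443; the server it runs on does not need an SSL certificate of its own, which matches the distinction drawn in the reply above.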