Local VAT verification and IPN verification

paypal

product

website

user

address

vat

purposes

ipns

verification

define

zvikico 2008-12-30 07:41:07 UTC #1

Hi,

I'm selling my product using PayPal Website Payments Standard. I need to charge VAT from certain countries. I can define the VAT either in e-junkie or in PayPal.

I can see it is more user friendly to define the VAT in e-junkie, so the user will know the total sum before heading over to do the payment. I saw in earlier discussions that I need to remove the VAT from PayPal - is that correct?

My main question: I require PayPal to get an address from my customers (for VAT purposes, I don't do any shipping). Do you verify that the PayPal address information matches the country/zip entered in the shopping cart screen?

I was also concerned about the lack of IPN verification - my server dispenses license keys according to inbound IPNs. No verification means someone can easily spoof those IPNs. What do you do to avoid that?

Thanks,

Zviki

E-junkie_Guru 2008-12-30 16:26:49 UTC #2

If you enable neither Shipping nor Sales Tax/VAT for any products in your E-junkie Admin, then our cart will not ask for any buyer destination/location at all and will not trigger obtaining any address during Checkout. However, if you do enable VAT on E-junkie's end, then we will apply the correct VAT for the buyer's destination in the cart before the order goes to Checkout. If you also require collecting a physical address, you can enable Shipping to trigger that but leave all shipping-related rates/weights/costs at 0.00 to disable adding any actual Shipping fees to the order.

The case of a mismatch in destination country provided in our cart vs. during Checkout varies according to payment processor; see each case described here:

http://www.e-junkie.com/ej/faq.shipping-destination-mismatch.htm

I think I already answered your IPN concern via email earlier, but for the benefit of others reading along, I will paste my answer again here:

We already validate the IPNs we receive from PayPal before forwarding the order data to your integration URL, so there is no chance our system would transmit data to your URL without having received a valid IPN (or equivalent payment confirmation from non-PayPal processors), and of course your integration URL would never be exposed to the public. If you suspect someone could guess your integration-submission URL and try to spoof our transmissions, you could do some verification of your own to confirm any POSTs to your URL are actually coming from our server, perhaps use the MD5-hashed handshake method suggested on our Integration help page (see Additional Variables section):

http://www.e-junkie.com/ej/help.integration.htm

zvikico 2008-12-30 23:33:02 UTC #3

Hi Tyson,

(I thought it would be better for you to answer in the forum so I took it here)

Regarding VAT: I couldn't find the option to block it in my PayPal account. Can somebody point me in the right direction?

If there's a mismatch, I will not get an IPN and have to process it manually? Is there a way to send the IPN later? (my system is automated, so I have no way of entering payments manually)

BTW, from my experience, PayPal IPNs are sometimes fail to verify on legitimate transactions. What happens in such cases?

Regarding the verification: How can I confirm the IPNs are coming from your server?

The MD5 handshake is constant as long as I don't change my username/password. This means that if somebody sniffed an IPN from your server to mine, he can easily spoof a message. Having a handshake which is an MD5 of other, not constant properties, public and obscure, (e.g. my password and the payer email) will greatly improve the security in this case.

Zviki

E-junkie_Guru 2008-12-31 13:54:19 UTC #4

zvikicoRegarding VAT: I couldn't find the option to block it in my PayPal account. Can somebody point me in the right direction?

Inquire with PayPal help pages or support staff directly and let them know you are using a third-party cart that already adds VAT before going to a PayPal checkout. A search for VAT in their help pages didn't return any results, but I am thinking this may be related to their Sales Tax settings, so if you disable adding Sales Tax, that may disable VAT as well? Any information we have regarding PayPal would be secondhand, so better to get the final word straight from the source.

If there's a mismatch, I will not get an IPN and have to process it manually? Is there a way to send the IPN later? (my system is automated, so I have no way of entering payments manually)

BTW, from my experience, PayPal IPNs are sometimes fail to verify on legitimate transactions. What happens in such cases?

Honestly, the case of a mismatch is so rare that we only ever hear about it in a "what if" context like this, and in fact I cannot even recall ever handling any support inquiry regarding an actual mismatch in any real transaction context.

In the highly unlikely event of a mismatch, you can choose to block such transactions in your PayPal account, so checkout cannot complete in the first place, or if you choose to allow PayPal to process mismatched transactions, then we will not process the sale (including no IPN forwarding to your integration URL) but will only send you notification of the problem. You may wish to contact the buyer directly to explain the problem, perhaps refund their payment and have them try again.

Regarding the verification: How can I confirm the IPNs are coming from your server?

The MD5 handshake is constant as long as I don't change my username/password. This means that if somebody sniffed an IPN from your server to mine, he can easily spoof a message. Having a handshake which is an MD5 of other, not constant properties, public and obscure, (e.g. my password and the payer email) will greatly improve the security in this case.

Hm, you raise some interesting points there, ones which Development would be in a better position to consider and address, so I'll assign this to our Lead Developer's attention. I do like the idea in theory of having a "disposable single-use" MD5 handshake derived from one secret component (e.g. your password) and one dynamic component transmitted with the order data (e.g. buyer's email, or transaction ID, etc.)

instantxboxgold_com 2009-07-19 06:48:14 UTC #5

Did anything ever come of the above? I'd really like a handshake that isn't a constant for every transaction.

Also, it would be a nice idea to md5 the key code that gets sent. In some cases, if this gets sniffed it can be redeemed before the purchaser actually gets to redeem it themself!

1 further question.... PHP is not my strong point, so can you clarify for me please:

($POST['handshake']!==md5("your@login.email".md5("youre-junkie_password")))

Am I expecting:

email DOT password or

emailpassword

?

Thanks

SOLUTIONS FEATURES PRICING DISCOVER PRODUCTS CONTACT HELP DOCS DASHBOARD

Forum

E-junkie Community Forum

Share and learn in the E-junkie community.