zvikico
Regarding VAT: I couldn't find the option to block it in my PayPal account. Can somebody point me in the right direction?
Inquire with PayPal help pages or support staff directly and let them know you are using a third-party cart that already adds VAT before going to a PayPal checkout. A search for VAT in their help pages didn't return any results, but I am thinking this may be related to their Sales Tax settings, so if you disable adding Sales Tax, that may disable VAT as well? Any information we have regarding PayPal would be secondhand, so better to get the final word straight from the source.
If there's a mismatch, I will not get an IPN and have to process it manually? Is there a way to send the IPN later? (my system is automated, so I have no way of entering payments manually)
BTW, from my experience, PayPal IPNs sometimes fail to verify on legitimate transactions. What happens in such cases?
Honestly, the case of a mismatch is so rare that we only ever hear about it in a "what if" context like this, and in fact I cannot even recall ever handling any support inquiry regarding an actual mismatch in any real transaction context.
In the highly unlikely event of a mismatch, you can choose to block such transactions in your PayPal account, so checkout cannot complete in the first place, or if you choose to allow PayPal to process mismatched transactions, then we will not process the sale (including no IPN forwarding to your integration URL) but will only send you notification of the problem. You may wish to contact the buyer directly to explain the problem, perhaps refund their payment and have them try again.
Regarding the verification: How can I confirm the IPNs are coming from your server?
The MD5 handshake is constant as long as I don't change my username/password. This means that if somebody sniffed an IPN from your server to mine, he can easily spoof a message. Having a handshake which is an MD5 of other, non-constant properties, public and obscure (e.g. my password and the payer email), will greatly improve the security in this case.
Hm, you raise some interesting points there, ones which Development would be in a better position to consider and address, so I'll assign this to our Lead Developer's attention. I do like the idea in theory of having a "disposable single-use" MD5 handshake derived from one secret component (e.g. your password) and one dynamic component transmitted with the order data (e.g. buyer's email, or transaction ID, etc.)
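The difference between the constant handshake and the per-order handshake discussed above, seen from the receiving integration, as an added example that is not the cart vendor's code. The field names (`txn_id`, `payer_email`, `handshake`), the form of the constant handshake, the use of HMAC-SHA256 in place of a bare MD5 concatenation, and the seen-transaction set are all assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-account-password"  # constructed sample secret

def static_handshake(secret: bytes) -> str:
    # Assumed form of the constant handshake: identical on every IPN.
    return hashlib.md5(secret).hexdigest()

def dynamic_handshake(secret: bytes, txn_id: str, payer_email: str) -> str:
    # Secret component keyed over dynamic order fields (HMAC-SHA256).
    msg = f"{txn_id}|{payer_email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

class IpnReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_txn_ids = set()  # processed orders, to refuse verbatim resends

    def accept_static(self, ipn: dict) -> bool:
        return same(ipn.get("handshake", ""), static_handshake(self.secret))

    def accept_dynamic(self, ipn: dict) -> bool:
        txn_id = ipn.get("txn_id", "")
        expected = dynamic_handshake(self.secret, txn_id, ipn.get("payer_email", ""))
        if not txn_id or not same(ipn.get("handshake", ""), expected):
            return False  # handshake does not match these order fields
        if txn_id in self.seen_txn_ids:
            return False  # this order was already processed
        self.seen_txn_ids.add(txn_id)
        return True

def demo() -> dict:
    rx = IpnReceiver(SECRET)
    order = {"txn_id": "TXN-1001", "payer_email": "buyer@example.com"}  # constructed
    old = dict(order, handshake=static_handshake(SECRET))
    new = dict(order, handshake=dynamic_handshake(SECRET, **order))
    return {
        "static_copied_onto_other_order": rx.accept_static(dict(old, txn_id="TXN-9999")),
        "dynamic_genuine": rx.accept_dynamic(new),
        "dynamic_resent": rx.accept_dynamic(new),
        "dynamic_copied_onto_other_order": rx.accept_dynamic(dict(new, txn_id="TXN-9999")),
    }

if __name__ == "__main__":
    print(demo())
```

The constant handshake still verifies when attached to a different order, while the per-order value fails as soon as any bound field changes; the seen-transaction set covers the remaining case of the same message being delivered twice.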