Encrypted Website Payments allows the initial transaction information to be encrypted using public and private keys before it is sent to PayPal. This protects the order information from being tampered with and securely initiates the transaction with PayPal.
Encrypted Website Payments requires the following:
All orders processed through PayPal Payments Standard are verified by a separate call PayPal automatically performs when an order has been processed. PayPal sends an Instant Payment Notification (IPN) to your store with the order information which is then verified and logged with the order.
If Payment Data Transfer has been enabled in your PayPal account settings, transactions are verified with an Identity Token when the customer returns back to the online store after a payment has been made.
As soon as Payment Data Transfer has been enabled at PayPal, it is important to copy the generated Identity Token to the configuration parameter setting.
Parameter | Description | Default |
---|---|---|
Status | Set this to Live to use this module with the Live API Credentials, or to Sandbox for the Sandbox API Credentials. Disabled disables the module as a payment method. | Live |
Page Style |
This parameter has been deprecated. The page style to use for the payment flow. This is defined in your PayPal account settings. |
|
Transaction Method |
The transaction method to use for payments. The Authorization method only authorizes the transaction which can be captured up to 29 days later. The Sale method instantly transfers the funds from the customer to your PayPal account. |
Sale |
Preparing Order Status |
The customers order is saved in the database on the checkout confirmation page before the customer is forwarded to PayPal to finalize their payment. The order is saved in the database with this defined order status. The order status is updated again when the customer finalizes the payment at PayPal and returns back to the store. The order status is also updated when the Instant Payment Notification from PayPal is received. If the customer does not finalize the payment at PayPal, the order remains in the database with this order status and can be removed after a period of time. |
Preparing [PayPal Standard] |
Order Status | The orders status will be updated to this value when the customer returns back to the store after payment has been made at PayPal or when the Instant Payment Notification is received and the order has been verified. | Default Order Status |
Payment Zone | If set, this payment method will only be available to orders made within the defined zone. | |
PDT Identity Token | The Payment Data Transfer (PDT) Identity Token is displayed in your PayPal account settings as soon as PDT has been enabled for your PayPal account. This is used to verify transactions with when payments have been made and the customer returns to your online store. | |
Encrypted Website Payments | Setting this parameter to True encrypts the parameters sent to PayPal during the payment transaction. | False |
Your Private Key | The location and filename of your private key to use for signing the payment transaction. | |
Your Public Certificate | The location and filename of your public certificate to use for signing the payment transaction. | |
Your PayPal Public Certificate ID | The public certificate ID that PayPal should use to decrypt the payment transaction. This is defined at your PayPal Encrypted Payment Settings Profile page. | |
PayPal Public Certificate | The location and filename of the PayPal public certificate to use for encrypting the payment transaction. | |
Working Directory | The working directory to create temporary files. All files created are automatically deleted when they are no longer needed. | |
OpenSSL Location | The location and filename of the OpenSSL "openssl" program file used when PHP has not been configured with OpenSSL natively. | /usr/bin/openssl |
The following steps are required before Encrypted Website Payments is enabled:
and optionally:
Private keys and public certificates can be generated by using the "openssl" program file.
Enter the following OpenSSL command to generate your private key. The command generates a 1024-bit RSA private key that is stored in the file my-prvkey.pem:
openssl genrsa -out my-prvkey.pem 1024
Your public certificate must be in PEM format. To generate your certificate, enter the following OpenSSL command, which generates a public certificate in the file my-pubcert.pem:
openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem
The following questions will be prompted:
Question | Example |
---|---|
Country Name (2 letter code) | US |
State or Province Name (full name) | California |
Locality Name (eg, city) | Beverly Hills |
Organization Name (eg, company) | Your Store Name |
Organizational Unit Name (eg, section) | |
Common Name (e.g. server FQDN or YOUR name) | Your Store URL Address |
Email Address | Your E-Mail Address |
To upload your public certificate to your PayPal account:
After your public certificate uploads successfully, it appears in the Your Public Certificates section of the Website Payment Certificates page.
To download the PayPal public certificate:
Copy the following files to a secure location your web server:
Create a working directory on the web server that the web server has write access to.
Review and update the module Encrypted Website Payments parameters:
Parameter | Value |
---|---|
Encrypted Website Payments | Set to True to enable Encrypted Website Payments. |
Your Private Key | The location and filename of your private key; my-prvkey.pem generated in Step 1. |
Your Public Certificate | The location and filename of your public certificate; my-pubcert.pem generated in Step 2. |
Your PayPal Public Certificate ID | Your PayPal stored Certificate ID; noted in Step 3. |
PayPal Public Certificate | The location and filename of the PayPal public certificate; paypal_cert_pem.txt downloaded in Step 4. |
Working Directory | The working directory to create temporary files. All files created are automatically deleted when they are no longer needed. |
OpenSSL Location | The location and filename of the OpenSSL "openssl" program file used when PHP has not been configured with OpenSSL natively. |
Optionally, orders processed through non-encrypted website payments can be blocked for extra security. This is recommended only if Encrypted Website Payments has been enabled.
To block payments from unprotected and non-encrypted PayPal Payments Standard orders:
When the customer goes through the checkout procedure and lands on the checkout confirmation page, their order is saved in the database with a private order status (by default, Preparing [PayPal Standard]). The order status is updated to an acknowledged order status (by default, the default order status level) when the customer returns back to the store from PayPal after payment has been made, or when the IPN notification is received if the customer didn't return back to the store.
If the customer did not finalize the payment at PayPal and does not return back to the store, the order remains in the database with the Preparing [PayPal Standard] order status and can be safely deleted after a period of time.
Each product that is ordered is passed on to PayPal as line items to show to the customer during the payment flow. This includes extra third-party Order Total modules that manipulate the order total values (eg, discounts). In rare occassions, when the line items, shipping, and tax calculations do not match the order total value, only the order total value is passed onto PayPal without the line items.