PayPal

Payments Standard PayPal: Configure → Payments Standard

It is recommended to enable Payment Data Transfer (PDT) in your PayPal account settings to ensure transactions can be verified after payments have been made.

Features

Encrypted Website Payments

Encrypted Website Payments allows the initial transaction information to be encrypted using public and private keys before it is sent to PayPal. This protects the order information from being tampered with and securely initiates the transaction with PayPal.

Requirements

Encrypted Website Payments requires the following:

  • OpenSSL; The PHP installation on your web server needs to support OpenSSL or have access to the "openssl" program file. The location of the "openssl" program file can be defined in a configuration parameter.
Instant Payment Notification

All orders processed through PayPal Payments Standard are verified by a separate call PayPal automatically performs when an order has been processed. PayPal sends an Instant Payment Notification (IPN) to your store with the order information which is then verified and logged with the order.

Payment Data Transfer (PDT)

If Payment Data Transfer has been enabled in your PayPal account settings, transactions are verified with an Identity Token when the customer returns back to the online store after a payment has been made.

As soon as Payment Data Transfer has been enabled at PayPal, it is important to copy the generated Identity Token to the configuration parameter setting.

Configuration Settings

Parameter Description Default
Status Set this to Live to use this module with the Live API Credentials, or to Sandbox for the Sandbox API Credentials. Disabled disables the module as a payment method. Live
Page Style The page style to use for the payment flow. This is defined in your PayPal account settings.
Transaction Method The transaction method to use for payments.

The Authorization method only authorizes the transaction which can be captured up to 29 days later.
The Sale method instantly transfers the funds from the customer to your PayPal account. 		Sale
Preparing Order Status The customers order is saved in the database on the checkout confirmation page before the customer is forwarded to PayPal to finalize their payment. The order is saved in the database with this defined order status.

The order status is updated again when the customer finalizes the payment at PayPal and returns back to the store. The order status is also updated when the Instant Payment Notification from PayPal is received.

If the customer does not finalize the payment at PayPal, the order remains in the database with this order status and can be removed after a period of time. 		Preparing [PayPal Standard]
Order Status The orders status will be updated to this value when the customer returns back to the store after payment has been made at PayPal or when the Instant Payment Notification is received and the order has been verified. Default Order Status
Payment Zone If set, this payment method will only be available to orders made within the defined zone.
PDT Identity Token The Payment Data Transfer (PDT) Identity Token is displayed in your PayPal account settings as soon as PDT has been enabled for your PayPal account. This is used to verify transactions with when payments have been made and the customer returns to your online store.
Encrypted Website Payments Setting this parameter to True encrypts the parameters sent to PayPal during the payment transaction. False
Your Private Key The location and filename of your private key to use for signing the payment transaction.
Your Public Certificate The location and filename of your public certificate to use for signing the payment transaction.
Your PayPal Public Certificate ID The public certificate ID that PayPal should use to decrypt the payment transaction. This is defined at your PayPal Encrypted Payment Settings Profile page.
PayPal Public Certificate The location and filename of the PayPal public certificate to use for encrypting the payment transaction.
Working Directory The working directory to create temporary files. All files created are automatically deleted when they are no longer needed.
OpenSSL Location The location and filename of the OpenSSL "openssl" program file used when PHP has not been configured with OpenSSL natively. /usr/bin/openssl
Encrypted Website Payments

The following steps are required before Encrypted Website Payments is enabled:

  1. Generate your private key.
  2. Generate your public certificate.
  3. Upload your public certificate to your PayPal account.
  4. Download the PayPal public certificate from the PayPal website.
  5. Update module configuration parameters.

and optionally:

  1. Block non-encrypted website payments.

Private keys and public certificates can be generated by using the "openssl" program file.

1. Generate your private key

Enter the following OpenSSL command to generate your private key. The command generates a 1024-bit RSA private key that is stored in the file my-prvkey.pem:

openssl genrsa -out my-prvkey.pem 1024
2. Generate your public certificate

Your public certificate must be in PEM format. To generate your certificate, enter the following OpenSSL command, which generates a public certificate in the file my-pubcert.pem:

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem

The following questions will be prompted:

Question Example
Country Name (2 letter code) US
State or Province Name (full name) California
Locality Name (eg, city) Beverly Hills
Organization Name (eg, company) Your Store Name
Organizational Unit Name (eg, section)
Common Name (e.g. server FQDN or YOUR name) Your Store URL Address
Email Address Your E-Mail Address
3. Upload your public certificate to your PayPal account

To upload your public certificate to your PayPal account:

  1. Log in to your PayPal Business or Premier account.
  2. Click the Profile subtab.
  3. In the Hosted Payment Settings column, click the Website Payment Certificates link.
  4. Scroll down the page to the Your Public Certificates section, and click the Add button.
  5. Click the Browse button, and select the public certificate that you want to upload to PayPal (my-pubcert.pem).
  6. Click the Add button.

After your public certificate uploads successfully, it appears in the Your Public Certificates section of the Website Payment Certificates page.

  1. Note the certificate ID that PayPal assigned to your public certificate.
4. Download the PayPal public certificate from the PayPal website

To download the PayPal public certificate:

  1. Log in to your PayPal Business or Premier account.
  2. Click the Profile subtab.
  3. In the Hosted Payment Settings column, click the Website Payment Certificates link.
  4. Scroll down the page to the PayPal Public Certificate section.

  1. Click the Download button, and save the file in a secure location.

5. Update module configuration parameters.

Copy the following files to a secure location your web server:

  • my-prvkey.pem; Your private key generated in step 1.
  • my-pubcert.pem; Your public certificate generated in step 2.
  • paypal_cert_pem.txt; The PayPal public certificate downloaded in step 4.

Create a working directory on the web server that the web server has write access to.

Review and update the module Encrypted Website Payments parameters:

Parameter Value
Encrypted Website Payments Set to True to enable Encrypted Website Payments.
Your Private Key The location and filename of your private key; my-prvkey.pem generated in Step 1.
Your Public Certificate The location and filename of your public certificate; my-pubcert.pem generated in Step 2.
Your PayPal Public Certificate ID Your PayPal stored Certificate ID; noted in Step 3.
PayPal Public Certificate The location and filename of the PayPal public certificate; paypal_cert_pem.txt downloaded in Step 4.
Working Directory The working directory to create temporary files. All files created are automatically deleted when they are no longer needed.
OpenSSL Location The location and filename of the OpenSSL "openssl" program file used when PHP has not been configured with OpenSSL natively.
6. Block non-encrypted website payments.

Optionally, orders processed through non-encrypted website payments can be blocked for extra security. This is recommended only if Encrypted Website Payments has been enabled.

To block payments from unprotected and non-encrypted PayPal Payments Standard orders:

  1. Log in to your PayPal Premier account or Business account.
  2. Click the Profile subtab.
  3. In the Hosted Payment Settings column, click the Website Payments Preferences link.
  4. Scroll down to the Encrypted Website Payments section.

  1. Next to the Block Non-encrypted Website Payment label, select the On radio button.
  2. Scroll to the bottom of the page, and click the Save button.

Notes

Order Processing

When the customer goes through the checkout procedure and lands on the checkout confirmation page, their order is saved in the database with a private order status (by default, Preparing [PayPal Standard]). The order status is updated to an acknowledged order status (by default, the default order status level) when the customer returns back to the store from PayPal after payment has been made, or when the IPN notification is received if the customer didn't return back to the store.

If the customer did not finalize the payment at PayPal and does not return back to the store, the order remains in the database with the Preparing [PayPal Standard] order status and can be safely deleted after a period of time.

Line Items

Each product that is ordered is passed on to PayPal as line items to show to the customer during the payment flow. This includes extra third-party Order Total modules that manipulate the order total values (eg, discounts). In rare occassions, when the line items, shipping, and tax calculations do not match the order total value, only the order total value is passed onto PayPal without the line items.