PayPal

Privacy Policy

API Credentials

The PayPal App for osCommerce Online Merchant allows store owners to automatically set up and configure the App with their PayPal API credentials without the need to enter them manually. This is performed securely by granting osCommerce access to retrieve the API credentials from the store owner's PayPal account.

Granting osCommerce access allows the following limited information to be retrieved from the store owner's PayPal account:

  • API Username
  • API Password
  • API Signature
  • Merchant Account ID
  • PayPal E-Mail Address

No other account information is accessed (e.g., PayPal account username or password, account balance, transaction history, etc.).

The API Username, API Password, API Signature, and Merchant Account ID information are used to automatically configure the PayPal modules bundled in the PayPal App, including:

  • PayPal Payments Standard
  • PayPal Express Checkout
  • PayPal Payments Pro (Direct Payment)
  • PayPal Payments Pro (Hosted Solution)
  • Log In with PayPal

The process is started by using the Retrieve Live Credentials and Retrieve Sandbox Credentials buttons displayed on the PayPal App start and credentials management pages. The store owner is securely taken to PayPal's website where they are asked to grant osCommerce access to retrieve the API credentials, and are then redirected back to their online store to continue configuration of the PayPal App. This is performed with the following steps:

  1. The store owner clicks on Retrieve Live Credentials or Retrieve Sandbox Credentials and is securely taken to an initialization page on the osCommerce website that registers the request and immediately redirects the store owner to an on-boarding page on the PayPal website. osCommerce registers the following information in the request:
    • A uniquely generated session ID.
    • A secret ID to match against the session ID.
    • The URL of the store owner's PayPal App (to redirect the store owner back to).
    • The IP address of the store owner.
  2. PayPal asks the store owner to log into their existing PayPal account or to create a new account.
  3. PayPal asks the store owner to grant osCommerce permission to retrieve their API credentials.
  4. PayPal redirects the store owner back to the initialization page on the osCommerce website.
  5. osCommerce securely retrieves and stores the following information from PayPal:
    • API Username
    • API Password
    • API Signature
    • Merchant Account ID
  6. The store owner is automatically redirected back to their PayPal App.
  7. The PayPal App performs a secure HTTPS call to the osCommerce website to retrieve the API credentials.
  8. The osCommerce website authenticates the secure HTTPS call, sends the API credentials, and locally discards the API credentials and PayPal App URL stored in steps 1 and 5.
  9. The PayPal App configures itself with the API credentials.

The API Credentials retrieved from the store owner's PayPal account are only used to configure the PayPal App. osCommerce temporarily stores the API Credentials as described in this privacy policy, and discards the API Credentials as soon as the process is over. A back-end script is also run to discard any stored information for processes that have not finalized.

osCommerce has worked closely with PayPal to ensure the PayPal App follows strict privacy and security policies.
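
The temporary storage in steps 1, 5 and 8 and the clean-up script can be sketched as a single-use handoff store. This is an added example, not osCommerce's or PayPal's code; the class and method names, the in-memory dictionary, the hashed secret and the 15-minute lifetime are assumptions that this policy does not state.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 900  # assumed lifetime; the policy gives no figure

class HandoffStore:
    """In-memory stand-in (assumption) for the broker's temporary storage."""
    def __init__(self, now=time.time):
        self._now, self._rows = now, {}

    def register(self, app_url, ip):
        # Step 1: session ID, matching secret, return URL and IP address.
        session_id, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._rows[session_id] = {
            "secret_hash": hashlib.sha256(secret.encode()).digest(),
            "app_url": app_url, "ip": ip, "creds": None,
            "expires": self._now() + TTL_SECONDS}
        return session_id, secret

    def _live(self, session_id):
        row = self._rows.get(session_id)
        return row if row and row["expires"] > self._now() else None

    def store_credentials(self, session_id, creds):
        # Step 5: attach credentials fetched from PayPal to a live session.
        row = self._live(session_id)
        if row is None:
            return False
        row["creds"] = dict(creds)
        return True

    def retrieve(self, session_id, secret):
        # Steps 7-8: authenticate the caller, hand over once, then discard.
        row = self._live(session_id)
        presented = hashlib.sha256(secret.encode()).digest()
        if row is None or row["creds"] is None:
            return None
        if not hmac.compare_digest(presented, row["secret_hash"]):
            return None
        return self._rows.pop(session_id)["creds"]

    def purge_expired(self):
        # Back-end clean-up for processes that never finalized.
        stale = [s for s, r in self._rows.items() if r["expires"] <= self._now()]
        for s in stale:
            del self._rows[s]
        return len(stale)
```

Only a hash of the secret is kept, the comparison is constant-time, and a successful retrieval removes the whole row, so a replayed request gets nothing back.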

PayPal Modules

PayPal modules send store owner, online store, and customer related information to PayPal to process API transactions. These include the following modules:

  • PayPal Payments Standard
  • PayPal Express Checkout
  • PayPal Payments Pro (Direct Payment)
  • PayPal Payments Pro (Hosted Solution)
  • Log In with PayPal

The following information is included in API calls sent to PayPal:

  • PayPal account information of the seller / store owner including e-mail address and API credentials.
  • Customer shipping and billing addresses.
  • Product information including name, price, and quantity.
  • Shipping and tax information applicable to the order.
  • The order total and currency.
  • Store URLs to process, verify, and finalize PayPal transactions, including success, cancelled, and IPN URLs.
  • E-Commerce solution identification.

The parameters of each transaction sent to and received from PayPal can be inspected on the PayPal App Log page.