Community @ The Turning Gate

Support community for TTG plugins and products.

NOTICE

The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.

This forum is now closed, and exists here as a read-only archive.


#1 2014-08-04 20:40:50

Ken
Member
Registered: 2013-03-16
Posts: 314

Is PayPal Cart function secure?

I have set up a test website with CE 4 Cart, but have not enabled the PayPal function. If I enable the PayPal function, what is the order of events that occur after the buyer has completed their shopping cart and clicks the Proceed to Checkout button?

1. On the next screen (name, address, etc.), is there a PayPal button, or do they click the Complete Your Order button and get taken automatically to a secure PayPal site where they can enter in their credit card information?

2. Do they enter in their credit card information on my site, which is not a secure website?

I want to understand how the process works using PayPal, the sequence of steps and whether or not the buyer is on a secure (SSL) PayPal site when they enter in their credit card information.


#2 2014-08-04 22:41:37

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Re: Is PayPal Cart function secure?

Hi Ken, the PayPal checkout is secure.  The flow is:

1. Customer clicks on PayPal button on your site
2. Customer enters payment details on paypal.com using PayPal's SSL.
3. Customer is returned to your site for final confirmation
4. Upon confirming, your site makes a final checkout call to PayPal, and the transaction proceeds.  This is simply a 'go-ahead' call on the agreed transaction in step 2.
5. PayPal redirects back to your site to show the 'thank you' page.

Steps 4 and 5 occur behind-the-scenes. The customer isn't taken to PayPal's pages for these steps.

At no point are credit card details entered or stored on your site, and at no point are details transmitted over an insecure connection.

You can try the flow out with test credentials.  The instructions are available here:

http://ce4.theturninggate.net/docs/doku … redentials

Last edited by Ben (2014-08-04 22:44:44)


#3 2014-08-04 23:14:05

Ken
Member
Registered: 2013-03-16
Posts: 314

Re: Is PayPal Cart function secure?

Thanks for the information. I will try out the flow with test credentials. During step 2, is the payment amount automatically carried over to PayPal, or does the buyer have to note the amount and reenter it at the PayPal site?


#4 2014-08-04 23:48:46

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Re: Is PayPal Cart function secure?

The payment amount is automatically carried over to PayPal.


#5 2014-08-07 10:39:54

Ken
Member
Registered: 2013-03-16
Posts: 314

Re: Is PayPal Cart function secure?

Ben wrote:

The payment amount is automatically carried over to PayPal.

I have one other additional question related to security. I understand that the following information is utilized by the cart so that a buyer can pay using a credit card through the seller's PayPal account:

Paypal Live API Username   
Paypal Live API Password   
Paypal Live API Signature

If a person retrieved this information from the seller's website files, could they use it somehow to access the seller's PayPal account?


#6 2014-08-07 14:04:32

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Re: Is PayPal Cart function secure?

Hi Ken, I don't believe the API credentials can be used to do anything but make purchases from you.  The only transaction possible is to send you money.  The malicious user would also need a valid credit card number or PayPal account to make payments.  This isn't giving any more power than available from your shopping cart; i.e. anybody can come along and make a purchase.

Having said that, we do try to protect the credentials as much as possible.  They are never displayed on the admin page, and the database storage can only be read from the full ttg be admin, via the phpLiteAdmin page which is protected with a further password.  The weak point is when you supply the credentials in the first place.  A malicious user could eavesdrop on the form submission.  The submission of PayPal API credentials during purchase is made using https, so that part is secure.


#7 2014-08-07 18:26:18

Ken
Member
Registered: 2013-03-16
Posts: 314

Re: Is PayPal Cart function secure?

Ben wrote:

Hi Ken, I don't believe the API credentials can be used to do anything but make purchases from you.  The only transaction possible is to send you money.  The malicious user would also need a valid credit card number or PayPal account to make payments.  This isn't giving any more power than available from your shopping cart; i.e. anybody can come along and make a purchase.

Having said that, we do try to protect the credentials as much as possible.  They are never displayed on the admin page, and the database storage can only be read from the full ttg be admin, via the phpLiteAdmin page which is protected with a further password.  The weak point is when you supply the credentials in the first place.  A malicious user could eavesdrop on the form submission.  The submission of PayPal API credentials during purchase is made using https, so that part is secure.

Thanks Ben for info. When you refer to supplying the credentials in the first place, do you mean when the web builder has logged into their ttg-be admin site and is entering in the credentials?


#8 2014-08-07 21:24:34

Ben
Moderator
From: Melbourne, Australia
Registered: 2012-09-29
Posts: 4,399

Re: Is PayPal Cart function secure?

Hi Ken, that's right.
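
Added example, not part of the thread and not TTG's code: a check for the weak point discussed in posts #6 to #8, where API credentials typed into an admin form can be eavesdropped if the site has no SSL. It parses a page's forms and reports any that carry secret fields and would be submitted, or were served, without HTTPS. The URL, field names and `HINTS` list are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical name fragments marking a field as secret-bearing.
HINTS = ("password", "pwd", "signature", "secret")

class FormCollector(HTMLParser):
    """Record each <form>'s action and its (name, type) input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self.cur = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.cur = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self.cur)
        elif tag == "input" and self.cur is not None:
            self.cur["fields"].append((a.get("name", ""), a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self.cur = None

def cleartext_credential_forms(page_url, html):
    """Return findings for forms whose secrets could be read on the wire."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        secrets = [n for n, t in form["fields"]
                   if t == "password" or any(h in n.lower() for h in HINTS)]
        if not secrets:
            continue
        # An empty or relative action resolves against the page URL, so a
        # form on an http:// admin page posts back over http://.
        target = urljoin(page_url, form["action"])
        problems = []
        if urlsplit(target).scheme != "https":
            problems.append("cleartext submit")
        if urlsplit(page_url).scheme != "https":
            problems.append("form page served without TLS")
        if problems:
            findings.append({"target": target, "fields": secrets, "problems": problems})
    return findings

# Constructed sample: an admin settings form with hypothetical field names.
SAMPLE = """<form method="post" action="settings.php">
<input name="paypal_api_username"><input name="paypal_api_password" type="password">
<input name="paypal_api_signature"></form>
<form action="/search"><input name="q"></form>"""
```

The page-level check matters even when the form's action is an https:// URL, because a page delivered over plain HTTP can be altered in transit before the form is submitted.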
