Support community for TTG plugins and products.
NOTICE
The Turning Gate's Community has moved to a new home, at https://discourse.theturninggate.net.
This forum is now closed, and exists here as a read-only archive.
You are not logged in.
Pages: 1
I have set up a test website with CE 4 Cart, but have not enabled the PayPal function. If I enable the PayPal function, what is the order of events that occur after the buyer has completed their shopping cart and click the Proceed to Checkout button?
1. On the next screen, name address etc. is there a PayPal button or do they click the Complete Your Order button and are automatically taken to a secure PayPal site where they can enter in their credit card information?
2. Do they enter in their credit card information on my site, which is not a secure website?
I want to understand how the process works using PayPal, the sequence of steps and whether or not the buyer is on a secure (SSL) PayPal site when they enter in their credit card information.
Offline
Hi Ken, the PayPal checkout is secure. The flow is:
1. Customer clicks on PayPal button on your site
2. Customer enters payment details on paypal.com using PayPal's SSL.
3. Customer is returned to your site for final confirmation
4. Upon confirming, your site makes a final checkout call to PayPal, and the transaction proceeds. This is simply a 'go-ahead' call on the agreed transaction in step 2.
5. PayPal redirects back to your site to show the 'thank you' page.
Steps 4 and 5 occur behind-the-scenes. The customer isn't taken to PayPal's pages for these steps.
At no point are credit card details entered or stored on your site, and at no point are details transmitted over an insecure connection.
You can try the flow out with test credentials. The instructions are available here:
http://ce4.theturninggate.net/docs/doku … redentials
Last edited by Ben (2014-08-04 22:44:44)
Offline
Thanks for the information. I will try out the flow with test credentials. During step 2, is the payment amount automatically carried over to PayPal, or does the buyer have to note the amount and reenter it at the PayPal site?
Offline
The payment amount is automatically carried over to PayPal.
Offline
The payment amount is automatically carried over to PayPal.
I have one other additional question related to security. I understand that the following information is utilized by cart so that a buyer can pay using a credit card the seller's PayPal account:
Paypal Live API Username
Paypal Live API Password
Paypal Live API Signature
If a person retrieved this information from the seller's website files, could they use it some how to access the seller's PayPal account?
Offline
Hi Ken, I don't believe the API credentials can be used to do anything but make purchases from you. The only transaction possible is to send you money. The malicious user would also need a valid credit card number or PayPal account to make payments. This isn't giving any more power than available from your shopping cart; i.e. anybody can come along and make a purchase.
Having said that, we do try to protect the credentials as much as possible. They are never displayed on the admin page, and the database storage can only be read from the full ttg be admin, via the phpLiteAdmin page which is protected with a further password. The weak point is when you supply the credentials in the first place. A malicious user could eavesdrop the form submission. The submission of PayPal API credentials during purchase is made using https, so that part is secure.
Offline
Hi Ken, I don't believe the API credentials can be used to do anything but make purchases from you. The only transaction possible is to send you money. The malicious user would also need a valid credit card number or PayPal account to make payments. This isn't giving any more power than available from your shopping cart; i.e. anybody can come along and make a purchase.
Having said that, we do try to protect the credentials as much as possible. They are never displayed on the admin page, and the database storage can only be read from the full ttg be admin, via the phpLiteAdmin page which is protected with a further password. The weak point is when you supply the credentials in the first place. A malicious user could eavesdrop the form submission. The submission of PayPal API credentials during purchase is made using https, so that part is secure.
Thanks Ben for info. When you refer to supplying the credentials in the first place, do you mean when the web builder has logged into their ttg-be admin site and is entering in the credentials?
Offline
Offline
Pages: 1