Credit card tokenization: how to avoid two-factor authentication? - tokenize

(Not sure if this is the right place to ask. Please point out other forums if that's not the case).
I'm based in Europe, and I've set up an invoicing system for a client of ours which uses a tokenization system provided by his bank, as part of the bank's secure payment services. (In other words, this is not any of the big american services like Paypal, Braintree, Stripe...).
The problem is that, in order to input a credit card into the system, this bank needs to charge an initial amount of 0.01 € to it... and when it does that, the credit card owner gets a text message code to approve that charge, without which the card number cannot be introduced. This is not practical for my client, for a variety of reasons. We have asked the bank, and they say that this is all dependent on the card issuing bank, and they can't do anything about it.
My question is: what do we do to avoid this? From what I remember, other tokenization systems I've used also had an initial 0.01 cent charge, and yet I never received any text messages from them (this was a few years ago, admittedly, before 2FA became widespread). How do the big payment processors (Authorize.net, Stripe, etc.) manage to store credit cards without making an initial charge and triggering two-factor authentication in the process?
Thanks.

The reason behind performing an authorisation (not a charge) is to ensure the card is valid before it is stored.
However, the $0.01 authorisation is now considered 'the old way' of doing this. Most card acquirers now allow an authorisation value of $0.00 to be used solely to check the card is valid. This shouldn't trigger any 2FA where it is supported.
Obviously though, whether this 'new' functionality is supported is payment-processor dependent. A small number are still stuck in their ways.
The other alternative is just to process the full transaction value. It shouldn't be necessary to submit the card for tokenisation before using it, though admittedly this depends on your business use case.

Related

Which PayPal API and product shall be used for card payments with auth and capture

How shall I integrate custom shopping cart app with PayPal to accept indirect credit card payments without forcing buyers to register at PayPal?
There's a custom shopping cart web application and the task has been set to replace the current credit/debit card payment with PayPal. The goal is to let the customers pay with their cards via PayPal. However, there are some constraints:
customers should enter their credit cards details (number, expiry date, secure code) not in shopping cart's page, but PayPal's page,
every payment must consist of an authorization (blocking the total sum) and a subsequent capture if the ordered items are available and can be delivered,
customers aren't forced to create / login to PayPal account if they wish to pay via card.
The trouble is I'm really confused with the number of possible options at PayPal. The choice between REST API and Classic API isn't that problematic, but choosing the proper product from the whole list (like Classic API products or REST API products) isn't that obvious for a PayPal newbie. Some other similar questions point to DoDirectPayment (but I don't know if it's the best choice) or suggest Website Payments Standard (I'm not sure if they're still available).
I was also considering Express Checkout, but the demo seems to force creating a PayPal account.
ExpressCheckout is designed to be used in concert with a direct credit card acceptance method (such as PayPal's DoDirectPayment, or a non-PayPal credit card acceptance method), although it can be configured to also do guest payments. This is why the demos of the normal configuration handle only PayPal account creation; that's the normal usage.
One key question you need to ask yourself is whether you want to have access to the credit card information & be the "merchant of record" yourself or not.
YES: Doing this gives you the most flexibility, but will require you to go through some merchant vetting and carries some security obligations (PCI) even if you are using some solution which tries to distance you from the actual raw card numbers (e.g. collecting them via PayPal or Braintree code and immediately encrypting & tokenizing them). In short: if you want full access to the card, then you have legal obligations re: handling that account access which technology can reduce but not eliminate.
NO: If you are content to always treat your customer's card information at arms length through PayPal, via the legal structure of a PayPal account (whether the user actually has a PayPal account or is just doing a "guest" payment on PayPal where they give PayPal their credit card for one-time use) then you can reduce your vetting & security constraints (no PCI requirements at all).
If you want (or need) access to the customer's card [YES above] then the "classic" API solutions are either DoDirectPayment (for when you collect the card info) or Hosted Sole Solution (for when PayPal collects the card info on their page). HSS meets all 3 of your requirements above; DDP fails requirement #1.
If you can live with access to the customer & the payment but NOT the card account itself [NO above] then you can use Website Payments Standard, or EC with Guest Checkout option; both meet all three of your requirements.
All of the above solutions are not only still supported, but have tens or hundreds of thousands of integrated merchants and are the biggest/mainstream ways in which PayPal payments are handled.
If you prefer the newer products & are in the first category above (real card access, not guest payments) then you can also use Braintree or the RESTful APIs. These newer products don't yet have as much flexibility & coverage as the older products, but hey, less complexity can be a good thing as long as they have what you need. These products are generally designed around plugins for your web pages rather than entering card information on PayPal's site, however, so they don't meet your first requirement.
You can also do PayFlow (several variants) or Adaptive Payments or or or.... but in general I would advise picking either the most well-established or the new-and-growing options as being better supported & more future-proof.
Now that PayPal has acquired Braintree, the preferred integration method is v.zero. It is designed to be very easy to accept PayPal, Credit Cards and other options. (Venmo, Bitcoin, etc.)

Tracking transaction data from credit card, any API?

I am required to create an application which collects transaction details of bank accounts, there are APIs like
Plaid
Yodlee
Geezeo
But these APIs make use of the client's username and password for retrieving the transaction data, but in my case I need to do so using only the credit card number.
Can it even be done?
Is there any other APIs that provide this functionality?
I have researched this issue a lot but still can't seem to find any APIs that suit the requirement. Any help is appreciated, thank you.
I just answered essentially this question for another user (Serizawa Sanjay), here is my response below:
"
I have worked for Credit Unions that have experience with all these types of APIs. The Geezeo and the Yodlee API will not allow you to do what you want since that would violate the privacy on the card and the card issuers will not allow someone outside of the flow of approvals to get to that data. There are a few APIs that you can get by working with partners like FirstData to look for a certain type of transaction or vendor that comes across their system if it matches a certain card number, but you have to be a key partner with FirstData, not an easy task.
As far as aggregating transaction data from accounts like credit cards, bank accounts, auto loans, mortgages, investment accounts and the like, you really want to be using an API like MoneyDesktop. Yodlee is good as well, it just does not have the coverage, uptime, or quality of data that MoneyDesktop has. Geezeo's API just does not have the critical features that a MoneyDesktop or Yodlee API has. First, Geezeo does not do its own aggregation and it only has one partner to do their aggregation for them. Yodlee is only one source, but if there is a broken connection, at least they can control fixing it. If a connection goes down with Geezeo, there is nothing that Geezeo can do to fix it but wait for their aggregation provider to fix it. If your business, bank or credit union can't afford for aggregation to go down (reputation risk), you need someone like Yodlee that controls their own aggregation, or someone like MoneyDesktop that has many aggregation providers and can route between them the second that one of their connections has problems. Also, Yodlee and MoneyDesktop both do their own data cleansing and aggregation, where Geezeo does not and has to rely on their aggregation provider. This is extremely problematic because user edits and input about a transaction being data cleansed incorrectly or categorized incorrectly are not taken into account properly or optimally.
I have also heard that Intuit Data Services has a good API as well, but I have never had any experience with it.
Good luck!
"

Does this simple paypal solution allow credit card transactions and Negative Testing?

I am so confused about the services and over here the paypal website also seems to be serving up 400's and 404s.
This is how the webpage looks for customers on my site when they are ready to pay:
As far as I know, I don't have Express Checkout, but I'm not sure if I have Website Payments Pro (my company created this account).
Now I have two questions:
1- This is just the sandbox. But on the real site, does this solution give users the opportunity to pay by credit card? I've actually successfully done a credit card transaction in the sandbox, I'm just worried because I've heard that customers can only do direct credit card transactions in PayPal Website Payments Pro. The PayPal website is overloaded with information and I can't find my way around it to answer simple questions like this.
2- Is it possible to do negative testing for transactions on this page? Such as simulating the events that the user's credit card or Paypal account doesn't have enough balance? If it is possible, and I am using the ButtonManagerAPI, then is the technique below the correct way to go about it?
I put an error code in the amount variable that is passed on to IPN via an NVP API call, like this (lots of value pairs in the middle excluded as irrelevant):
$nvpReq = "BUTTONCODE=HOSTED&..............&L_BUTTONVAR1=amount=".$err_code
EDIT
So it appears I have PayPal Website Payments Standard, which means I cannot have credit card payment forms directly on my website, but customers have to be directed to PayPal. I'm fine with that, as long as customers have the option to pay with credit cards.
The screenshot looks like PayPal Standard, which is an HTML-only (non-API) integration.
Any regular business account that can receive money can make use of the Express Checkout API, typically by authenticating with an API USER/PWD/SIGNATURE. For businesses with programming/development resources, EC is by far the recommended way to accept PayPal payments.
If you pass SOLUTIONTYPE=Sole in the initial SetExpressCheckout call, it will accept credit cards from "guest" customers who don't have a PayPal account, similar to the Standard screenshot you're displaying above.
The main reason to choose EC over Standard is that it's a much tighter handshake between your checkout software and PayPal's servers. With Standard's HTML-only flow, the customer is redirected away from your site and might not return to your site after a successful transaction is committed (they may stay on paypal.com and not click to return, or their browser might crash before returning), whereas with EC the return to your site is built in before anything touches the financial system.
With the recent beta of developer.paypal.com, all new sandbox Business accounts are full Pro accounts by default. Signing up for a live Pro account would be useful if, in addition to accepting PayPal payments, you wished to create a credit card entry form directly on your own site.
Here are some EC links for programmers:
https://tryit.paypal.com/guide/ec
https://paypal-labs.com/integrationwizard/ecpaypal/main.php
The button manager API is unlikely to be useful to you. And there are ways to do negative testing with the sandbox, but it's really not an important concern when you're still deciding on a product/API.

Hosted Payment Gateways and Hidden Field Tampering

I am in the midst of trying to find an e-commerce solution for my employer, and it is necessary that we go with a hosted payment page to minimize our PCI compliance woes. After researching several companies' solutions, it seems that they all expect you to submit the total price of the transaction to them via a hidden field or GET variables in order to generate the payment form. This seems like a sizable concern for the merchant, since a user with Firebug (or eyes, in the case of GET variables) could easily modify the transaction total, get a new hosted payment form, and continue with the checkout, thus giving themselves whatever discount they desire.
Has anyone set up a hosted payment page before and dealt with this issue? Any suggestions for a better way to do things?
There usually is a hash submitted with those forms that are generated with secret values that the user won't know (e.g. password, transaction key, etc). So if they tamper with the amount, which is also used in calculating the hash's value, then the payment gateway will reject the transaction. The user cannot bypass this by changing the hash because they do not have all of the information required to calculate it.
So using these hosted forms is safe from abuse. If they weren't, they wouldn't be viable products and the gateways couldn't offer them for use.
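To make the hash-over-hidden-fields mechanism in the answer above concrete, here is an added example (not code from the original post, nor any gateway's real implementation). It assumes a hypothetical merchant/gateway pair that share a transaction key out of band, sign the price-affecting hidden fields with HMAC-SHA256, and reject stale forms via a timestamp; field names, the merchant ID and the key are all made up for illustration. It shows that altering the amount in the browser invalidates the signature, and that a customer cannot re-sign without the secret.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode

# Hypothetical shared secret agreed out-of-band between merchant and gateway.
# The customer's browser never sees it, so the customer cannot recompute the hash.
TRANSACTION_KEY = b"example-transaction-key-do-not-use"

# Every field that influences what the customer is charged must be covered by
# the signature; any field left out can be edited freely with Firebug.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency", "timestamp")


def canonical(fields):
    """Fixed field order and an unambiguous separator, so merchant and gateway
    hash byte-identical input regardless of how the form was serialised."""
    return "|".join(f"{name}={fields[name]}" for name in SIGNED_FIELDS).encode()


def sign(fields, key=TRANSACTION_KEY):
    """HMAC-SHA256 over the canonical signed fields (hypothetical scheme)."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def build_hosted_form(order_id, amount, currency="EUR", now=None):
    """Merchant side: the hidden fields emitted into the checkout page."""
    fields = {
        "merchant_id": "M-0001",  # hypothetical merchant identifier
        "order_id": order_id,
        "amount": f"{amount:.2f}",
        "currency": currency,
        "timestamp": str(int(now if now is not None else time.time())),
    }
    fields["signature"] = sign(fields)
    return fields


def gateway_accepts(submitted, key=TRANSACTION_KEY, now=None, max_age=900):
    """Gateway side: accept only if every signed field and the signature are
    untouched and the form is not older than max_age seconds (anti-replay)."""
    try:
        expected = sign(submitted, key)
        ts = int(submitted["timestamp"])
    except (KeyError, ValueError):
        return False  # missing or malformed field: fail closed
    # Constant-time comparison so the hash cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, submitted.get("signature", "")):
        return False
    current = now if now is not None else time.time()
    return 0 <= current - ts <= max_age


if __name__ == "__main__":
    # Constructed sample order, generated at a fixed time for reproducibility.
    form = build_hosted_form("A-1001", 149.90, now=1_700_000_000)
    print(urlencode(form))                                   # what the browser posts
    print(gateway_accepts(form, now=1_700_000_100))          # True: untouched
    tampered = dict(form, amount="1.00")                     # edited in the browser
    print(gateway_accepts(tampered, now=1_700_000_100))      # False: hash mismatch
```

The caveat a merchant should check when evaluating a hosted page: the gateway's documentation must list exactly which fields enter the hash, and that list must include every field that changes the charged amount (amount, currency, any discount or shipping fields). A product that hashes only the merchant ID and order number is exactly as tamperable as one with no hash at all.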

User ID verification

If I am setting up a site how would I go about ensuring that the person who gives me a credit card number (for instance) is the person who is authorized to use it? Maybe more generally how would I go about reducing the opportunity for fraud and stolen ID usage whether it be for a purchase or system access.
I don't work in this field (online purchases) but I would think that authentication of a user has to be a very hard/tricky endeavor.
I would say just stick with the industry standard methods.
Someone is assumed to have possession of the card if they can supply information which verifies with the card payment gateway. Part of that, for example, is the Mastercard/VISA 3D auth scheme which adds a passphrase to online payments.
You could try and go further than this 2-factor authentication with fraud prevention, but the credit card companies have more of a vested interest in it so just follow their lead.
Another common method is the address verification system, used by lots of online vendors.