I'm using nopcommerce 3.0 with the Nop.Plugin.Payments.PayPalDirect plugin. I've notices that I can enter an invalid card type (ie visa when then card number is really mastercard) or an invalid 3-4 digit verification code, but the payment is still accepted.
I don't have anything weird setup on the paypal end, so I assume these transactions should be declined.
Is this working for everyone else? Do you have any suggestions?
Thanks,
Chris
Paypal Direct card type and verification code
- 1
- 2
MVP
- 2128
- 19233
- 11/6/2009
- Malaysia
chrismcbride76 wrote:
When you say the payment is accepted, that means you can complete the order? :)
I'm using nopcommerce 3.0 with the Nop.Plugin.Payments.PayPalDirect plugin. I've notices that I can enter an invalid card type (ie visa when then card number is really mastercard) or an invalid 3-4 digit verification code, but the payment is still accepted.
I don't have anything weird setup on the paypal end, so I assume these transactions should be declined.
Is this working for everyone else? Do you have any suggestions?
Thanks,
Chris
I don't have anything weird setup on the paypal end, so I assume these transactions should be declined.
Is this working for everyone else? Do you have any suggestions?
Thanks,
Chris
When you say the payment is accepted, that means you can complete the order? :)
- 46
- 460
- 1/18/2013
- United States
Yes, the order is placed and the credit card is charged. The transaction succeeds as if the code was correct. I've noticed that the card expiration date isn't checked either (ie, as long as the date is in the future, it will work).
On my paypal account, the CSC says "N" meaning "No match". I thought paypal is setup to automatically check these things (expiry date, verification code, card type, etc) but it looks like they don't reject payment if it doesn't match.
I'm looking into it more on the paypal side. Is this functionality working for others? Did you have to do anything special in your paypal account?
Thanks,
Chris
On my paypal account, the CSC says "N" meaning "No match". I thought paypal is setup to automatically check these things (expiry date, verification code, card type, etc) but it looks like they don't reject payment if it doesn't match.
I'm looking into it more on the paypal side. Is this functionality working for others? Did you have to do anything special in your paypal account?
Thanks,
Chris
MVP
- 2128
- 19233
- 11/6/2009
- Malaysia
chrismcbride76 wrote:
Is it in Sandbox mode or not? :)
Yes, the order is placed and the credit card is charged. The transaction succeeds as if the code was correct. I've noticed that the card expiration date isn't checked either (ie, as long as the date is in the future, it will work).
On my paypal account, the CSC says "N" meaning "No match". I thought paypal is setup to automatically check these things (expiry date, verification code, card type, etc) but it looks like they don't reject payment if it doesn't match.
I'm looking into it more on the paypal side. Is this functionality working for others? Did you have to do anything special in your paypal account?
Thanks,
Chris
On my paypal account, the CSC says "N" meaning "No match". I thought paypal is setup to automatically check these things (expiry date, verification code, card type, etc) but it looks like they don't reject payment if it doesn't match.
I'm looking into it more on the paypal side. Is this functionality working for others? Did you have to do anything special in your paypal account?
Thanks,
Chris
Is it in Sandbox mode or not? :)
- 46
- 460
- 1/18/2013
- United States
Thanks for the warning, but I'm pretty sure it's the legit paypal site that I'm working with. Unless someone hacked the source code, how could that happen? Also, the transactions show up in paypal.
These links look correct.
/// <summary>
/// Gets Paypal URL
/// </summary>
/// <returns></returns>
private string GetPaypalUrl()
{
return _paypalDirectPaymentSettings.UseSandbox ? "https://www.sandbox.paypal.com/us/cgi-bin/webscr" :
"https://www.paypal.com/us/cgi-bin/webscr";
}
Thanks,
Chris
These links look correct.
/// <summary>
/// Gets Paypal URL
/// </summary>
/// <returns></returns>
private string GetPaypalUrl()
{
return _paypalDirectPaymentSettings.UseSandbox ? "https://www.sandbox.paypal.com/us/cgi-bin/webscr" :
"https://www.paypal.com/us/cgi-bin/webscr";
}
Thanks,
Chris
- 46
- 460
- 1/18/2013
- United States
I found that there are a lot of options available in the "Risk Management" portion of the paypal website. By default, none of these checks were turned on for my new account. Once I configured these settings, everything started working.
I also removed the need for the "card type" dropdown box and instead use a regular expression to determine the card type based on the credit card number. Is this something that would be useful to the community? If so, I can create a pull request.
Thanks,
Chris
I also removed the need for the "card type" dropdown box and instead use a regular expression to determine the card type based on the credit card number. Is this something that would be useful to the community? If so, I can create a pull request.
Thanks,
Chris
- 15
- 133
- 9/6/2013
- Canada
chrismcbride76 wrote:
I enabled all the risk settings you are referring too. I was not able to enter a card with incorrect CSC, number/type , or expiry date.
However what does concern me is that It doesn't seem to care about the cardholder name or the AVS return code, you can enter just about any address or card holder name and it will go through as long as the rest is correct, even though I turned on the risk management filters in PayPal.
The only indication you get that something is up, is by checking the AVS & CSC return code in the PayPal transaction details yourself, but you'd expect it to decline or at least flag these transactions.
I'm almost wondering if the nop PayPal plugin is compatible with the risk management filters in PayPal. It'd be ideal if it is, and even better if it was compatible with the advanced fraud management filters which I have not explored.
I found that there are a lot of options available in the "Risk Management" portion of the paypal website. By default, none of these checks were turned on for my new account. Once I configured these settings, everything started working.
I also removed the need for the "card type" dropdown box and instead use a regular expression to determine the card type based on the credit card number. Is this something that would be useful to the community? If so, I can create a pull request.
Thanks,
Chris
I also removed the need for the "card type" dropdown box and instead use a regular expression to determine the card type based on the credit card number. Is this something that would be useful to the community? If so, I can create a pull request.
Thanks,
Chris
I enabled all the risk settings you are referring too. I was not able to enter a card with incorrect CSC, number/type , or expiry date.
However what does concern me is that It doesn't seem to care about the cardholder name or the AVS return code, you can enter just about any address or card holder name and it will go through as long as the rest is correct, even though I turned on the risk management filters in PayPal.
The only indication you get that something is up, is by checking the AVS & CSC return code in the PayPal transaction details yourself, but you'd expect it to decline or at least flag these transactions.
I'm almost wondering if the nop PayPal plugin is compatible with the risk management filters in PayPal. It'd be ideal if it is, and even better if it was compatible with the advanced fraud management filters which I have not explored.
- 1
- 2