PayPal Direct CVV2 and Address Verification (RESOLVED -- Controlled through PayPal)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
12 years ago
I just started testing my PayPal Direct Checkout process last night and I noticed that there is no verification being done for the CVV2 code, nor that the billing address is even correct. PayPal's APIs provide these verifications, and when I go to the PayPal site to view the transactions, PayPal states that the CVV2 and the address were wrong; however, the PayPal Direct plugin doesn't appear to do anything with this info when it's received.

This is a MAJOR concern as we can not launch the site until I have resolved this issue (I can't have nop marking something as paid when the correct info wasn't even used). Has anyone else noticed this? I'm going to take a look at the code later tonight, but if someone else has already solved the problem, then I'd love it if you could share your results. Otherwise, I'll post back here again once I've fixed it myself.

https://cms.paypal.com/uk/cgi-bin/?cmd=_render-content&content_ID=developer/UK_Website_Payments_Pro_UK_DP

Thanks!
Dan
12 years ago
Well, I was busy all weekend, so I wasn't able to take a look at the code yet, but hopefully I'll get the chance tonight or tomorrow night.

I'm surprised that no one else chimed in with any comments about this issue. NO ONE should ever go live with this plug-in until this is resolved. This is a catastrophic security hole that could cause major issues. I can't be the first to have noticed this.


EDIT/UPDATE:
Ignore what I said above, the Plug-In is just fine, this issue can be controlled in PayPal settings. See Below...
12 years ago
Threadrock wrote:
Well, I was busy all weekend, so I wasn't able to take a look at the code yet, but hopefully I'll get the chance tonight or tomorrow night.

It would be great


Threadrock wrote:
Well, I was busy all weekend, so I wasn't able to take a look at the code yet, but hopefully I'll get the chance tonight or tomorrow night.

I'm surprised that no one else chimed in with any comments about this issue. NO ONE should ever go live with this plug-in until this is resolved. This is a catastrophic security hole that could cause major issues. I can't be the first to have noticed this.

I forgot to post here, but just to let you know the work item is here
P.S. This is not a catastrophic security hole
12 years ago
a.m. wrote:
I forgot to post here, but just to let you know the work item is here
P.S. This is not a catastrophic security hole


Great, thank you for the update Andrei! I finally have some free hours tonight, so I plan to spend some time working on this.

ha, catastrophic might have been a bit of an exaggeration on my part, but this is definitely a big issue and this is the last major thing I need to work on before going live with my store. I just can't have someone using a stolen credit card number they found and having the transaction approved even when they don't have the correct Security Code or Address. I don't believe that the Credit Card companies would be very happy with me if that were to happen.
12 years ago
OK, after taking a closer look at the code I realized that, yes, PayPal is reporting the address and CVV2 code as invalid, but it is PayPal that is confirming the transaction anyway.

Initially I thought that nop probably did some sort of a verification, and then later confirmed the order as finalized, but that is not how it works:

All info is sent to PayPal, authorized, and captured in just one call to PayPal. So how do you control these transactions so that invalid addresses and CVV2 codes are declined? Simple...

- Log in to your PayPal account
- Click on the Profile link
- Click 'My Selling Tools' in the link on the left
- Click the 'Managing risk and fraud' link
- From there, you can configure PayPal to reject transactions with mismatched CVV2 codes and addresses.


Andrei, I apologize for the false alarm, but luckily this was an issue with an easy solution. The only thing I do plan to change in the code is the error message that is shown for these mistakes.

Thanks!
Dan
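The post above describes the root of the confusion: with PayPal Direct the sale is authorized and captured in a single DoDirectPayment call, and PayPal returns the AVS and CVV2 results (the AVSCODE and CVV2MATCH fields of the NVP response) alongside a successful ACK rather than declining on them, unless the account-level fraud filters are turned on. The example below is added here and is not code from the nopCommerce plugin or from PayPal; it shows what a merchant-side second line of defence looks like: parse the NVP response, apply a local AVS/CVV2 policy, and flag a captured sale for a void or refund when the policy fails. The field names ACK, TRANSACTIONID, AVSCODE, CVV2MATCH and AMT are the ones DoDirectPayment returns; the code tables follow the Visa-style AVS/CVV2 conventions PayPal relays and should be checked against PayPal's current response-code table for your processor. All response bodies in the block are constructed, not captured, and the transaction IDs are placeholders.

```python
"""Merchant-side AVS/CVV2 policy check on a PayPal DoDirectPayment NVP response.

Added example, not nopCommerce or PayPal code. Assumes the NVP fields ACK,
TRANSACTIONID, AVSCODE, CVV2MATCH and AMT; code meanings are the Visa-style
conventions PayPal documents and should be verified for your processor.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs

# AVS result codes (assumption: Visa-style table as relayed by PayPal).
AVS_FULL_MATCH = {"Y", "X"}        # street and postcode both matched
AVS_PARTIAL = {"A", "Z"}           # only street (A) or only postcode (Z) matched
AVS_NO_MATCH = {"N"}               # neither matched
AVS_UNCHECKED = {"U", "S", "R", "E", ""}  # unavailable, unsupported, retry, error, absent

# CVV2 result codes (assumption: same convention).
CVV2_MATCH = {"M"}
CVV2_NO_MATCH = {"N"}
CVV2_UNCHECKED = {"P", "S", "U", "X", ""}  # not processed, not on card, issuer unable, no reply


@dataclass(frozen=True)
class Decision:
    accept: bool
    reason: str
    transaction_id: Optional[str]   # set when PayPal already captured the funds


def parse_nvp(body: str) -> Dict[str, str]:
    """Parse a PayPal NVP response body (URL-encoded key=value pairs).

    keep_blank_values=True so an empty AVSCODE/CVV2MATCH is seen as 'unchecked'
    rather than silently dropped, which would make the check pass by omission.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def evaluate(body: str, *, require_avs: bool = True, require_cvv2: bool = True,
             reject_unchecked: bool = False) -> Decision:
    """Decide whether a DoDirectPayment response meets local fraud policy.

    Because PayPal Direct authorizes and captures in one call, a rejected
    transaction here has already been captured: the caller must void or
    refund it (RefundTransaction) rather than simply not marking the order paid.
    """
    fields = parse_nvp(body)
    ack = fields.get("ACK", "")
    if not ack.startswith("Success"):          # 'Success' or 'SuccessWithWarning'
        return Decision(False, f"gateway did not approve: ACK={ack or '<missing>'}", None)

    txn = fields.get("TRANSACTIONID")
    avs = fields.get("AVSCODE", "")
    cvv = fields.get("CVV2MATCH", "")

    if require_cvv2:
        if cvv in CVV2_NO_MATCH:
            return Decision(False, "CVV2 mismatch: refund captured sale", txn)
        if cvv in CVV2_UNCHECKED and reject_unchecked:
            return Decision(False, f"CVV2 not verified (code {cvv or '<empty>'}): refund", txn)

    if require_avs:
        if avs in AVS_NO_MATCH:
            return Decision(False, "AVS mismatch on street and postcode: refund captured sale", txn)
        if avs in AVS_PARTIAL and reject_unchecked:
            return Decision(False, f"AVS partial match only (code {avs}): refund", txn)
        if avs in AVS_UNCHECKED and reject_unchecked:
            return Decision(False, f"AVS not verified (code {avs or '<empty>'}): refund", txn)

    return Decision(True, f"approved: AVS={avs or '-'} CVV2={cvv or '-'} AMT={fields.get('AMT')}", txn)


# Constructed sample responses (not captured traffic; IDs are placeholders).
SAMPLES = {
    "stolen_card": "ACK=Success&TRANSACTIONID=0XX00000XX000001X&AMT=49.99&CURRENCYCODE=USD"
                   "&AVSCODE=N&CVV2MATCH=N",
    "clean": "ACK=Success&TRANSACTIONID=0XX00000XX000002X&AMT=12.00&CURRENCYCODE=USD"
             "&AVSCODE=Y&CVV2MATCH=M",
    "unchecked": "ACK=SuccessWithWarning&TRANSACTIONID=0XX00000XX000003X&AMT=8.50"
                 "&CURRENCYCODE=USD&AVSCODE=U&CVV2MATCH=P",
    "declined": "ACK=Failure&L_SHORTMESSAGE0=Invalid%20Data&L_LONGMESSAGE0=This%20transaction"
                "%20cannot%20be%20processed",
}


def run_samples(reject_unchecked: bool = False) -> Dict[str, Decision]:
    """Evaluate every constructed sample under one policy setting."""
    return {name: evaluate(body, reject_unchecked=reject_unchecked)
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for strict in (False, True):
        print(f"--- reject_unchecked={strict}")
        for name, d in run_samples(reject_unchecked=strict).items():
            print(f"{name:12s} accept={d.accept!s:5s} txn={d.transaction_id} {d.reason}")
```

The "stolen_card" sample is the case the thread worries about: ACK=Success with both checks failing. Note the difference between the two outcomes: a gateway decline carries no transaction ID and nothing was captured, whereas a policy rejection on a successful ACK carries the ID of a sale that has already settled and has to be refunded. Whether unchecked codes (issuer did not verify, field absent) are treated as failures is a business decision, hence the `reject_unchecked` switch; the lenient default matches what the account-level PayPal filters do when they are off.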
12 years ago
No worries. Glad you found the solution
9 years ago
Sorry, I realize this is 3 years old, but I am having a similar issue. You state this is related to PayPal Direct, correct? So this is when you don't leave the nopCommerce site during checkout, but it contacts PayPal behind the scenes to validate the payment. In my case, and maybe this changed, you have to use PayPal Manager (manager.paypal.com), which is somehow different from PayPal.com.

I am having issues with people trying to use stolen credit cards. So I want to ensure that the address and CVV/CSC match, but when I look in PayPal or manager.paypal.com, it only shows the shipping address, not the billing address. When I called them, they stated that my site is not sending them the billing address or CVV/CSC, only the shipping address. Is this correct? Does the PayPal Direct plugin only send the shipping address? Is this configurable? Is there a way to put this in TEST mode and see what it is sending to PayPal?

Threadrock wrote:
OK, after taking a closer look at the code I realized that, yes, PayPal is reporting the address and CVV2 code as invalid, but it is PayPal that is confirming the transaction anyway.

Initially I thought that nop probably did some sort of a verification, and then later confirmed the order as finalized, but that is not how it works:

All info is sent to PayPal, authorized, and captured in just one call to PayPal. So how do you control these transactions so that invalid addresses and CVV2 codes are declined? Simple...

- Log in to your PayPal account
- Click on the Profile link
- Click 'My Selling Tools' in the link on the left
- Click the 'Managing risk and fraud' link
- From there, you can configure PayPal to reject transactions with mismatched CVV2 codes and addresses.


Andrei, I apologize for the false alarm, but luckily this was an issue with an easy solution. The only thing I do plan to change in the code is the error message that is shown for these mistakes.

Thanks!
Dan
9 years ago
Never mind, figured this out. The PayPal Direct plugin integrates with PayPal, and PayPal is receiving the billing address and CVV information even though you can't see that info; the support people can. To have direct credit card payments you have to pay the $30 for Website Payments Pro, and with that they automatically throw in PayPal Manager, which gives you some extra perks (setting up recurring payment profiles, a better Virtual Terminal interface), but you don't need to use it for anything directly if you don't want to. Now they mirror the transactions in PayPal through to PayPal Manager, BUT for some reason they aren't carrying over the billing address and CVV info to PayPal Manager, so it was a bit confusing.