Securing Your Website Payments Standard Buttons

Because non-encrypted buttons are in clear text in the source view of your webpages, the button code can be viewed by anyone. A malicious user could copy a page, change button variables such as price, and make a fraudulent payment.

IMPORTANT:

Merchants with significant payment volume are required by the PayPal user agreement to take precautions on securing Website Payment Standard buttons.

PayPal provides the following strategies for securing Website Payments Standard buttons. Use one or more of the following security strategies to prevent and/or detect tampering with your buttons:

Creating an Encrypted Button on the PayPal Website	Create an encrypted button by using a button creation tool on the PayPal website. Best if you sell just a few items and don’t need to change pricing often. This is also the easiest way to secure your buttons.
Verifying Each Payment Manually	Manually check the price of each payment in your PayPal account before shipping. Good if you accept donations or you sell items individually with prices thad do not change. You can review transaction history on the PayPal website, or you can download a transaction report from the PayPal website. You are required to reconcile your payments, especially if you have non-encrypted buttons.
Verifying Payments with Instant Payment Notification (IPN)	With Instant Payment Notification (IPN), PayPal posts a message to your server when someone pays you. You are required to reconcile your payments, especially if you have non-encrypted buttons. With IPN, you can automate the reconciliation process or perform it manually.
Encrypting Buttons Dynamically With Encrypted Website Payments (EWP)	Using a script and open-source libraries from OpenSSL, encrypt your buttons dynamically when rendering your webpages. Good if you have previously built a custom payment solution by using Buy Now or Donation buttons, or you are using Add to Cart buttons with the PayPal Shopping Cart. You must be comfortable programming in scripts like PHP and ASP to use EWP.
Blocking Non-encrypted Website Payments	To add extra security to your encrypted buttons, update your PayPal account to block non-encrypted payments.

Creating an Encrypted Button on the PayPal Website

A simple way to make an encrypted button is to use a button creation tool on the PayPal website. You can create encrypted Buy Now and Donation buttons by using a tool.

1.	Log in to your Business or Premier account.

2.	Click the Merchant Services tab.

3.	Click the Buy Now Button link or the Donate link, depending on the kind of encrypted button that you want to create.

4.	Enter details about your button, and choose a button image.

5.	In the Security Settings section, select the Yes radio button to encrypt your button. This is the default setting.

6.	Click the Create Button Now button to generate the encrypted HTML code.

– or –

Click the Add More Options button to enter optional details about your button.

Note:

Some settings on the Add More Options page require that you change Security Settings to No. In such cases, you will have to use an alternative strategy to secure your buttons. See “Verifying Each Payment Manually”, and “Verifying Payments with Instant Payment Notification (IPN)”.

7.	Update the profile settings on your PayPal account to block non-encrypted website payments, as described in “Blocking Non-encrypted Website Payments”.

Verifying Each Payment Manually

If you process a small number of transactions, you can verify each payment manually through your transaction history and the reporting tools provided by PayPal.

To verify payments found in your transaction history:

1.	Log in to your Business or Premier account.

2.	In the My Account tab, click the History subtab.

3.	In the Show dropdown menu, select “Payments Received”.

4.	Specify a time frame for the payments you want to verify.

5.	Click the Search button.

6.	For each payment that was found, verify that the item amounts match the amounts you charge.

For detailed instructions on using the History subtab, see the Order Management Integration Guide.

Verifying Payments with Instant Payment Notification (IPN)

With Instant Payment Notification (IPN), PayPal posts a message to your server when someone pays you. You specify the URL through which you receive IPN messages in your PayPal account. The IPN message is a text file that includes payment details, such as the name of the payer and the amount paid. Verify the IPN amount by comparing it with the price of the product in your database. You can automate this process by checking field values against your database.

To learn more about IPN, see the Order Management Integration Guide.

Encrypting Buttons Dynamically With Encrypted Website Payments (EWP)

To make online payments more secure, you can make Encrypted Website Payment (EWP) buttons that rely on standard public key encryption for protection. With public and private keys, you dynamically generate HTML code for payment buttons and encrypt the payment details before displaying the buttons on your website.

EWP works in the following way.

Table 8.1

How Encrypted Website Payments Works

Website Actions	Payer Actions	PayPal Actions
Generate a public key for the website, upload it to PayPal, and download the PayPal public certificate to the website.
Generate HTML code for a payment button.
Encrypt the generated code by using the PayPal public key and then signing the encrypted code with the website’s private key.
Publish the signed, encrypted HTML code for the payment button to the website.	Click the published PayPal payment button.	Check the authenticity of the data by using the merchant’s public key previously uploaded to PayPal.
		Decrypt the protected button code by using the PayPal private key.
		Redirect the payer’s browser to the PayPal payment page sequence, as specified in the HTML variables of the decrypted button code.

Prerequisites to Using EWP

This section describes how to generate your private and public keys for EWP, upload your public key to PayPal, and download a copy of the PayPal public key:

l	Generate a private key

l	Generate a public certificate

l	Upload your public certificate to the PayPal website at https://www.paypal.com/us/cgi-bin/webscr?cmd=_profile-website-cert

l	Download the PayPal public certificate from https://www.paypal.com/us/cgi-bin/webscr?cmd=_profile-website-cert

Public Key Encryption Background

Public key encryption (asymmetric encryption) improves security and convenience by allowing senders and receivers to have separate public and private encryption keys:

l	The public key: The public key is the portion of an asymmetric cryptographic key that receivers give senders who want to send them encrypted information. I

l

The private key: The private key is the portion of an asymmetric cryptographic key receivers keep secret and do not send to anyone. The public certificate: The public certificate consists of the public key and identity information, such as a person's name, which could be signed by a certificate authority (CA). The CA guarantees that the public key belongs to the named entity.

l

The encryption process: Sender use both their private key and the receivers’ public key to encrypt the information. Receiver use their private key and the senders’ public key to decrypt the information that was encrypted. This encryption process is also used with digital signatures to verify the origin of the information.

Setting Up The Certificates

EWP requires that you upload your public certificate to the PayPal website so that the authenticity of the encrypted code can be verified.

PayPal accepts only X.509 public certificates, not public keys. The difference between a key and a certificate is that a certificate includes the public key along with information about the key, such as when the key expires and who the key belongs to. PayPal accepts public certificates in OpenSSL PEM format from any established certificate authority, such as VeriSign.

You can also generate your own private key and public certificate using open source software such as OpenSSL (http://www.openssl.org), which is detailed in the following section.

Creating Your Private Key Using OpenSSL

Using the openssl program, enter the following command to generate your private key. The command generates a 1024-bit RSA private key that is stored in the file my-prvkey.pem:

openssl genrsa -out my-prvkey.pem 1024

Creating Your Public Certificate Using OpenSSL

The public certificate must be in PEM format. To generate your certificate, enter the following openssl command, which generates a public certificate in the file my-pubcert.pem:

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my‑pubcert.pem

Uploading Your Public Certificate

To upload your public certificates to the PayPal website:

1.	Log in to your Business or Premier PayPal account.

2.	Click the Profile subtab.

3.	In the Seller Preferences column, click the Encrypted Payment Settings link.

The Website Payment Certificates page appears.

4.	Scroll down the page to the Your Public Certificates section, and click the Add button.

The Add Certificate page appears.

5.	Click the Browse button, and select the public certificate that you want to upload to PayPal from your local computer.

Note:

The file you upload must be in PEM format.

6.	Click the Add button.

After your public certificate is uploaded successfully, it appears in the Your Public Certificates section of the Website Payment Certificates page.

7.	Store the certificate ID that PayPal assigned to your public certificate in a secure place.

You need the certificate ID that PayPal assigned to encrypt your payment buttons by using the Encrypted Website Payments program provided by PayPal.

Downloading the PayPal Public Certificate

To download the PayPal public certificate:

1.	Log in to your Business or Premier PayPal account.

2.	Click the Profile subtab.

3.	In the Seller Preferences column, click the Encrypted Payment Settings link.

4.	Scroll down the page to the PayPal Public Certificate section.

5.	Click the Download button, and save the file in a secure location on your local computer.

Removing Your Public Certificate

IMPORTANT:

If you remove your public certificate, its associated certificate ID is no longer valid for encrypting buttons, and any buttons made by your website that use the ID will not function correctly.

To remove one or more of your public certificates:

1.	Log in to your Business or Premier account.

2.	Click the Profile subtab.

3.	In the Seller Preferences column, click the Encrypted Payment Settings link.

4.	Scroll down the page to the Your Public Certificates section.

5.	Select the radio button next to the certificate you want to remove, and click the Remove button.

The Remove Certificate page appears.

6.	Click the Remove button to confirm the removal of the public certificate that you selected.

Encrypting Your HTML Code

PayPal provides Java and Microsoft Windows software to encrypt your Website Payments Standard HTML Form variables. Download a program from the following location:

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/ewp-code

After you download and extract the software, copy your private key, public certificate, p12 file and the PayPal public certificate to the folder where the software is located.

1.	Prepare an input file of Website Payments Standard variables and values for each encrypted button you want to generate. Each variable and value must be on its own separate line, as in the following example.

Note:

The cert_id variable identifies the public certificate you uploaded to PayPal website.

cert_id=Z24MFU6DSHBXQ

cmd=_xclick

business=sales@company.com

item_name=Handheld Computer

item_number=1234

custom=sc-id-789

amount=500.00

currency_code=USD

tax=41.25

shipping=20.00

address_override=1

address1=123 Main St

city=Austin

state=TX

zip=94085

country=US

no_note=1

cancel_return=http://www.company.com/cancel.htm

2.	Run the encryption program. with the appropriate syntax shown in Table 8.2 , “Command Line Syntax for PayPal Encrypted Website Payments Software.”

3.	Copy the encrypted code to your website.

Table 8.2

Command Line Syntax for PayPal Encrypted Website Payments Software

Software	Command Line
Java	java ButtonEncryption CertFile PKCS12File PPCertFile Password InputFile OutputFile [Sandbox]
Microsoft Windows	PPEncrypt CertFile PrivKeyFile PPCertFile InputFile OutputFile [Sandbox]

where:

Table 8.3

Description of Arguments for EWP Commands

Argument	Description
CertFile	The pathname to your own public certificate
PKCS12File	The pathname to the PKCS12-format of your own public certificate
PPCertFile	The pathname to a copy of the PayPal public certificate
Password	The passphrase to the PKCS12-format of your own public certificate
InputFile	The pathname to file containing the non-encrypted Website Payments HTML Form variables
OutputFile	A file name for the encrypted output
[Sandbox]	The optional word Sandbox to test EWP code in the PayPal Sandbox

Blocking Non-encrypted Website Payments

For extra security of your encrypted buttons, update your PayPal account profile to block non-encrypted payments.

To block payments from non-encrypted Website Payments Standard buttons:

1.	Log in to your Business or Premier account.

2.	Click the Profile subtab.

3.	In the Selling Preferences column, click the Website Payment Preferences link.

4.	Scroll down to the Encrypted Website Payments section.

5.	Next to the Block Non-encrypted Website Payment label, select the On radio button.

6.	Scroll to the bottom of the page, and click the Save button.