Instant Payment Notification (IPN)
How It Works
When a customer makes a payment to you or a payment is reversed or refunded, PayPal will post a notification to your server at the URL you specified. Included in this notification will be all of your customer’s payment information (e.g. customer name, payment amount) as well as a piece of encrypted code. When your server receives a notification, it will then post the information, including the encrypted code, back to a secure PayPal URL. PayPal will authenticate the transaction and send confirmation of its validity back to your server.
Note: To activate Instant Payment Notification, you will need to enter, in your Profile, the URL at which you would like to receive the notification posts.
After you have activated Instant Payment Notification, your server will be sent a notification every time you receive a payment. This notification will be sent as a hidden "FORM POST" to the URL you specified, and will include all of the payment information. The FORM variables for the notification can be found in the Instant Payment Notification (IPN) Manual.
Each time you receive an IPN from PayPal, you must complete the Notification Validation process described below before fulfilling the order. Verifying the information listed will ensure that the transaction is legitimate.
To ensure that a payment has been made into your PayPal account, you must verify that the email address used as your "receiver_email" has been registered and confirmed in your PayPal account.
Once your server has received the Instant Payment Notification, you will need to confirm it by constructing an HTTP POST to PayPal. Your POST should be sent to https://www.paypal.com/cgi-bin/webscr
as you received them. You will also need to append a variable named "cmd" with the value "_notify-validate" (e.g. cmd=_notify-validate) to the POST string.
PayPal will respond to the post with a single word, "VERIFIED" or "INVALID", in the body of the response. When you receive a VERIFIED response, you need to perform several checks before fulfilling the order:
- Confirm that the "payment_status" is "Completed," since IPNs are also sent for other results such as "Pending" or "Failed"
- Check that the "txn_id" is not a duplicate, to prevent a fraudster from reusing an old, completed transaction
- Validate that the "receiver_email" is an email address registered in your PayPal account, to prevent the payment from being sent to a fraudster's account
- Check other transaction details such as the item number and price to confirm that the price has not been changed
Once you have completed the above checks, you may update your database with the IPN data and process the purchase.
If you receive an "INVALID" notification, it should be treated as suspicious and be investigated.
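The validation flow and the four post-VERIFIED checks above, as an added example (not PayPal's own code). The variable names item_number, mc_gross and mc_currency, the catalog structure and the sample notification are assumptions not taken from this page; the network call is injectable so the logic can be exercised offline.

```python
import urllib.request
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

PAYPAL_URL = "https://www.paypal.com/cgi-bin/webscr"  # validation URL given on the page

def validation_body(raw_body: bytes) -> bytes:
    # Echo the notification exactly as received and append cmd=_notify-validate.
    return raw_body + b"&cmd=_notify-validate"

def paypal_postback(body: bytes) -> str:
    # Network call; returns the single-word response body ("VERIFIED" or "INVALID").
    req = urllib.request.Request(PAYPAL_URL, data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()

def handle_ipn(raw_body, seen_txn_ids, my_email, catalog, postback=paypal_postback):
    """Return "fulfil" only when every check listed above passes."""
    if postback(validation_body(raw_body)) != "VERIFIED":
        return "investigate: not VERIFIED"
    qs = parse_qs(raw_body.decode("ascii", "replace"), keep_blank_values=True)
    f = {k: v[0] for k, v in qs.items()}
    if f.get("payment_status") != "Completed":
        return "ignore: payment_status"  # e.g. Pending or Failed
    txn_id = f.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return "reject: duplicate txn_id"
    if f.get("receiver_email", "").lower() != my_email.lower():
        return "reject: receiver_email"
    # Assumed variable names (not on this page): item_number, mc_gross, mc_currency.
    expected = catalog.get(f.get("item_number"))
    try:
        price_ok = expected == (Decimal(f.get("mc_gross", "")), f.get("mc_currency"))
    except InvalidOperation:
        price_ok = False  # amount missing or not a number
    if not price_ok:
        return "reject: price"
    seen_txn_ids.add(txn_id)  # record only after all checks pass
    return "fulfil"

# Constructed sample notification and catalog (not real PayPal data).
SAMPLE = (b"payment_status=Completed&txn_id=CONSTRUCTED-TXN-1"
          b"&receiver_email=seller%40example.com&item_number=SKU-1"
          b"&mc_gross=9.99&mc_currency=USD")
CATALOG = {"SKU-1": (Decimal("9.99"), "USD")}
```

In production the set of seen transaction IDs would be a database table with a unique constraint on txn_id, so that two simultaneous deliveries of the same notification cannot both pass the duplicate check.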
For a complete list of all IPN variables and detailed instructions on how to use Instant Payment Notification, please refer to the Website Payments Standard Integration Guide.
Adobe Acrobat is required to read PayPal's manuals.