
When I looked at payment processors for online signup, I was quickly surprised by how easy it was to integrate with PayPal. This ease, combined with very competitive rates, made it the obvious choice. For a company that is for all appearances run by suits, PayPal has a wonderfully simple and well-documented API, as well as multiple methods of accepting payments.

A good overview of the methods available can be found here. The method I ended up using, Instant Payment Notification (IPN), lets PayPal notify your server whenever a customer makes a payment. The basic checkout flow goes something like this: the customer selects the service or item they want on your website. When they are ready to check out, they click a button that takes them to PayPal to make the actual payment. That button click posts information to PayPal, including who you (the seller) are, how much the customer is to be charged, and a URL where you want to be notified when the customer pays. As soon as the customer pays, PayPal pings your server, letting you know that you should activate the customer’s service account (or ship the item, or whatever). To prevent forgery (i.e. the customer reading the form data to find the notification URL and pinging it themselves), when PayPal pings your server (in technical terms, an HTTP POST of form-encoded data), you must take all of the data it sent you and post it back to PayPal, unchanged, via HTTPS. If PayPal really sent that data, it answers VERIFIED and you can be assured the notification is legit; a fabricated or edited message comes back INVALID. Note that VERIFIED only proves the message came from PayPal: you still have to check that the payment went to your account, that the amount and currency match what the item costs, that the payment status is Completed, and that you have not already processed that transaction ID. If your server is not available, or returns anything other than HTTP 200 OK, PayPal keeps retrying until you respond correctly.
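The handler described above, written out as an added example (this is not code from the original post, and PayPal's endpoint URL, the function names and the sample notification are assumptions). It shows both halves of the check: the post-back that proves the message came from PayPal, and the business-field checks that VERIFIED does not cover. The post-back function is injectable so the whole thing runs offline against a stand-in that only says VERIFIED for the exact bytes "PayPal" sent, which is exactly what defeats a customer who edits the form data and pings the notification URL by hand.

```python
"""PayPal IPN receiver: post-back verification plus the checks VERIFIED does
not cover. Added example, not code from the original post. The endpoint
URL, function names and sample data below are assumptions."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl
import urllib.request

# Assumed live endpoint; confirm against PayPal's current docs before use.
PAYPAL_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"


class IpnRejected(Exception):
    """Raised when a notification must not trigger fulfilment."""


def post_back_to_paypal(raw_body, url=PAYPAL_VERIFY_URL, timeout=10.0):
    """Echo the raw POST body to PayPal over HTTPS with cmd=_notify-validate
    prepended. The bytes go back exactly as received (same order, same
    encoding) because PayPal compares them with what it sent.
    Returns the response text, expected to be 'VERIFIED' or 'INVALID'."""
    req = urllib.request.Request(
        url, data=b"cmd=_notify-validate&" + raw_body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "example-ipn-listener/1.0"})  # assumed UA string
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace").strip()


def handle_ipn(raw_body, *, receiver_email, catalog, seen_txn_ids,
               post_back=post_back_to_paypal):
    """Process one IPN POST body. `catalog` maps item_number to
    (price, currency); `seen_txn_ids` is the persistent record of transactions
    already fulfilled (a set here, a database table in practice)."""
    fields = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))

    # Step 1: did PayPal actually send this? Anything but VERIFIED is a
    # forgery, an edited copy, or a transport problem; none of them ship goods.
    verdict = post_back(raw_body)
    if verdict != "VERIFIED":
        raise IpnRejected(f"post-back answered {verdict!r}")

    # Step 2: VERIFIED only says PayPal sent it. It could still be a genuine
    # payment for the wrong amount, into someone else's account, or one we
    # have already fulfilled, so check the business fields too.
    if fields.get("payment_status") != "Completed":
        return {"action": "ignore", "reason": fields.get("payment_status", "no status")}
    if fields.get("receiver_email", "").lower() != receiver_email.lower():
        raise IpnRejected("payment went to a different PayPal account")

    item = fields.get("item_number", "")
    if item not in catalog:
        raise IpnRejected(f"unknown item_number {item!r}")
    price, currency = catalog[item]
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        raise IpnRejected("mc_gross is not a number")
    if paid != price or fields.get("mc_currency") != currency:
        raise IpnRejected(f"expected {price} {currency}, got {paid} {fields.get('mc_currency')}")

    txn_id = fields.get("txn_id", "")
    if not txn_id:
        raise IpnRejected("missing txn_id")
    if txn_id in seen_txn_ids:
        return {"action": "ignore", "reason": "duplicate txn_id"}
    seen_txn_ids.add(txn_id)
    return {"action": "activate", "txn_id": txn_id, "item_number": item,
            "payer_email": fields.get("payer_email", "")}


# --- Constructed sample data for an offline run (not real PayPal traffic) ---
RECEIVER = "sales@example.com"
CATALOG = {"pro-monthly": (Decimal("19.99"), "USD")}
GENUINE_BODY = (b"txn_id=TXN0001&payment_status=Completed"
                b"&receiver_email=sales%40example.com&mc_gross=19.99"
                b"&mc_currency=USD&item_number=pro-monthly"
                b"&payer_email=buyer%40example.net")


def make_fake_post_back(genuine):
    """Stand-in for PayPal's validation endpoint: VERIFIED only for the exact
    bytes PayPal 'sent', INVALID for anything a customer edited by hand."""
    return lambda raw: "VERIFIED" if raw == genuine else "INVALID"


def outcome(raw_body, post_back, seen):
    """Collapse handle_ipn's result into 'activate', 'ignore' or 'rejected'."""
    try:
        return handle_ipn(raw_body, receiver_email=RECEIVER, catalog=CATALOG,
                          seen_txn_ids=seen, post_back=post_back)["action"]
    except IpnRejected:
        return "rejected"


def demo():
    seen = set()
    verify = make_fake_post_back(GENUINE_BODY)
    forged = GENUINE_BODY.replace(b"mc_gross=19.99", b"mc_gross=0.01")
    return [outcome(GENUINE_BODY, verify, seen),   # first delivery: activate
            outcome(GENUINE_BODY, verify, seen),   # replay: ignore (duplicate)
            outcome(forged, verify, seen)]         # edited amount: rejected


if __name__ == "__main__":
    print(demo())  # ['activate', 'ignore', 'rejected']
```

Whatever `outcome` returns, the web layer that wraps this should still answer HTTP 200 once it has logged the message; PayPal retries on anything else, so a forged or mismatched notification that can never be accepted would otherwise be redelivered indefinitely. Keep the rejection in your own logs, not in the status code.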

To be sure, having the customer leave your website, even for a little bit, to go through PayPal is not ideal. However, the alternative is taking card details on your own site and becoming PCI compliant, and trust me, if you’re doing less than several hundred thousand dollars per month, it’s not worth it.

4 Comments

  1. I’m enjoying your blog. Are you perchance anabaptist?

    • Indeed, and I suspect that I know you. 🙂

        • Less Anonymous
        • Posted July 8, 2009 at 3:16 pm
        • Permalink

        You are right. Indeed, there is nothing in your blog that reveals your Anabaptism. And I imagine that now, with a bit of creativity, you can guess who I am 🙂

        Otherwise, what do you think of Google’s new operating system? For my part I am not very impressed, but maybe I am too pessimistic.

        • josh
        • Posted July 8, 2009 at 3:33 pm
        • Permalink

        Your email address + IP address gave you away with the first comment. 🙂

        Re: Google’s OS, I suspect that it will have to do with how much penetration they can achieve. I’m more interested in their Native Client project ATM, but we’ll see.

