2

I'm working on a payment processing website that will function like PayPal does on many e-commerce websites. The idea is for the customer to fill their shopping cart and click checkout, then be directed to the payment page on a secure site. After the payment page processes the payment, it directs the customer back to the original website. So far, I think I'm ok up to the point of receiving the payment, but what mechanism do sites like PayPal use to allow the original website to verify whether the payment was successfully received?

My Current Process:

  • Customer click's checkout
  • Store cart items as a pending order in database
  • Post merchant ID, payment amount, the return URL, etc. to secure payment page. This uses SSL and I have also posted a hash of the other posted values to ensure they are not tampered with in transit.
  • Customer enters card info and clicks "Pay"
  • Secure site redirects to the specified return URL with a query string of relevant transaction information including a flag indicating success or failure.

For the last step, the original site needs to be sure the request came from the payment site so that a user can't just navigate to that URL, providing the query string themselves, to complete an order. I currently have the same hashing mechanism in place to make sure the query string variables are not tampered with. It is very crude. I append the variables into one long string and then append a shared secret key to the end, hash that whole string, send it. The receiving end does the same thing and compares the hashes.

Community
  • 1
xr280xr
  • 189
  • 10

1 Answers1

3

Sign the query string along with a timestamp and a transactions ID that you randomly generate on your backend with the SSL certificate of your website.

You should also think about the case where a payment gets through but the users computer loses it's internet connection directly afterwards.

For that case you should send the server of the website directly a signed message about the fact that the transaction went through.

I would also provide a way for the website to query for information about a transaction.

Christian
  • 415
  • 1
  • 3
  • 13
  • Thanks Christian! Good points. Can you provide any resources on signing a query string w/ a cert? Why the timestamp? Regarding failures after receiving payment, yes, we have used a polling mechanism for that very concern before. I was trying to avoid the payment app from having to know anything about the site that uses it. So maybe the payment server can just send a regular web request with said signed message, and then redirect the browser to a page that polls the e-commerce site for the result of that message? – xr280xr Dec 12 '13 at 20:24
  • I was just hoping for something simpler since PayPal makes their solution seem so out-of-the-box ready. Are you required to provide a service for their server to call and to implement polling with their solution? – xr280xr Dec 12 '13 at 20:25
  • I would provide a timestamp because a website might have a rabate for items brought at a given day. As far as crypto-libararies go, that depends on the programming language that you use. – Christian Dec 12 '13 at 21:21
  • I'm using .NET. So the best solution I see to make absolutely sure an order on the original server is processed after a payment succeeds is for the payment sever to store the order ID, flagged as succeeded. On my server have a service running that is polling the payment server for the status of pending orders. Once the payment server indicates success, it will fulfill the order. Meanwhile the user will be on a polling or ansync page awaiting the order to be flagged as completed. I can't think of a way to simplify it further. Still trying to determine how to delete abandoned, pending orders too – xr280xr Dec 13 '13 at 15:30