One of the factors that has led to PayPal’s growth and ubiquity is their well-built API for payment processor integration. The API enables online stores to directly process credit card transactions on their websites, using PayPal as the back-end gateway for the transactions. Throughout the process, the users themselves are kept isolated from the fact that PayPal is used as the payment gateway through an intelligent and transparent API.
Although PayPal integration can be a great way to save on payment processing costs, there are a few caveats to the development. The primary challenge is adherence to the PCI security standard. The PCI standard is a set of security and privacy regulations for merchants and payment processors. Merchants that do not follow the PCI standard may be both subject to fines by the governing body and liable for damages in case of data breech by hackers. If a company stores their customer credit card numbers, the PCI standard requires significant IT infrastructure. At the very least, a company implementing PCI will need a full-time network administrator, extensive hardware and infrastructure, and a comprehensive set of policies and procedures for managing servers and network devices that are part of the credit card processing. Since the cost of PCI compliance, including hardware, and auditing, is often $300,000+, most small online stores cannot afford a full PCI implementation. As a result, it is vitally important that the payment processing is built to make sure that the store will not fall under the umbrella of PCI and be liable to potential fines and lawsuits.
PayPal’s gateway provides an API integration method whereby credit card information can be sent directly to PayPal without local storage on the server, thus bypassing PCI requirements. After PayPal concludes processing, the client is sent back to a page on the originating site. All of this is done through redirects, so that process is transparent to the user and takes a fraction of a second. The user never actually sees that they have left the originating site.
There is an additional challenge, however, with the redirect method. Upon returning from PayPal, the web application or online store needs to confirm that the transaction went through successfully. Only upon successful completion should the store ship product, otherwise a hacker could take advantage of the redirect method to obtain free products. PayPal has a solution for this through a back-end notification system with two-factor authentication. Once a payment has been received, PayPal will notify a back-end page on the site with a confirmation of payment, and the website should then update the database with the transaction ID and new status.
Through correct implementation of the PayPal payment API, websites can take advantage of PayPal’s low payment processing rates and seamless integration into their sites. It is vital, however, to program these components diligently and securely, since an error in programming could lead to fines or lawsuits. In order to be sure that a system is well-built and secure, it is recommended to perform regular yearly audits on both the site and hosting infrastructure. The audits can alert webmasters to possible new problems or vulnerabilities, as well as provide peace-of-mind for both the online stores and their customers. PayPal Payment Processor.
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.