PayPal Fraud?

price in the url

mattglet

8:52 pm on Jun 27, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

If someone changes the price in the URL when they order via PayPal, does it constitute fraud? Do I (as the seller) have any protection at all from it?

-Matt

Sunshyn

12:10 am on Jun 28, 2004 (gmt 0)

10+ Year Member

If that doesn't qualify as outright fraud, it's at least someone purposefully trying to rip you off. I'm not sure what you mean by protection since I can't see anyone actually *filling* that type of order, unless one were dealing with an entirely automated system like a software download.

We manually check each order since we make our products to order so I'd just refund immediately then ban the IP (if possible) for good measure. That's not the type of customer I'd want to deal with ever again since they might come up with a more successful way of stealing from me next time.

Sunshyn

12:20 am on Jun 28, 2004 (gmt 0)

10+ Year Member

It just occurred to me that explaining how I prevent such attempts might be useful to someone, even though I don't know how to carry the concept over to PayPal's cart. Sometimes I do pass a price in the URL for basic calculations and notifications. However, when it comes time to actually charge the customer, the final prices are always grabbed direct from the database.

Raymond

6:19 am on Jun 28, 2004 (gmt 0)

10+ Year Member

If the order goes through PayPal, no matter how you dynamically grab the data from your DB, anyone can still change the details of the order through a form post. Posting through the querystring just makes it even easier for anyone to edit the price and such.

I don't think there is any way around this because it is really out of anyone's control once a user is passed to the PayPal site. As a merchant you have to spend the extra effort in verifying the correctness of each order from PayPal.

dmorison

6:23 am on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

You need to look at using PayPal's IPN (Instant Payment Notification).

It is a callback from the PayPal server to your server when a sale takes place (so nothing that your "customer" can do to intercept it), and you can then compare the price paid by the customer to the price you were expecting.

Raymond

6:41 am on Jun 28, 2004 (gmt 0)

10+ Year Member

IPN serves only as a notification to your server. Regardless of the IPN, the edited payment is already made, with a legitimate PayPal "transaction completed" email being sent to the merchant.

Of course, one can write a script to compare the results from the IPN with the default order details, but still, it does not change the fact that any user can freely alter the string that is being passed to PayPal at will. Most home-based PayPal businesses do not have such a system set up and they need to take precautions for a scenario like this.

PayPalPB

9:03 am on Jun 28, 2004 (gmt 0)

10+ Year Member

You should definitely review all of your orders to confirm that the correct amount has been paid. If it hasn't, you can refund.

mattglet

12:20 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Sunshyn-

Yes, I am referring to an automated process regarding software downloads, so no order verification can be done.

PayPalPB-

So PayPal doesn't provide any fraud protection for the seller, and cannot provide any resolution to this well-known issue? I understand the IPN option, but it is not always a choice for everyone.

I should state that I currently don't have this in place, just doing my homework first.

Thanks for all the replies. Any more insight is greatly appreciated.

-Matt

blaze

12:43 pm on Jun 28, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Send out the software on the IPN. Compare against the price the customer was supposed to pay.

It'd be nice to be able to script a refund, but alas, you'll need to do that manually.
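
The approach dmorison and blaze describe (let the IPN callback, not the customer's form submission, drive delivery, and compare the amount actually paid against the price the server already knows) is shown below as an added example. It is not code from the thread or from PayPal; the catalogue, the sample notifications and the receiver address are constructed, and `verify_with_paypal_stub` stands in for the real post-back to PayPal's IPN endpoint (which replies with the plain text `VERIFIED` or `INVALID`) so the script runs offline. It also goes slightly beyond the thread by rejecting replayed transaction ids, non-`Completed` statuses and payments sent to the wrong receiver, since each of those lets an altered order slip past a bare price check.

```python
"""Added example: an IPN-style handler that ignores any price in the URL or form and
instead (1) asks the provider to confirm the notification is genuine, (2) compares the
amount paid against the catalogue price held server-side, and (3) refuses to deliver on
duplicate, incomplete or misdirected transactions. All inputs here are constructed."""

from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, Dict, Set
from urllib.parse import parse_qs, urlencode

# Constructed catalogue: the server-side price is the only price we trust.
CATALOGUE = {
    "SKU-100": {"price": Decimal("29.95"), "currency": "USD"},
    "SKU-200": {"price": Decimal("99.00"), "currency": "USD"},
}

# Placeholder for the account that should be receiving the money.
EXPECTED_RECEIVER = "sales@example.com"


def verify_with_paypal_stub(raw_body: str) -> str:
    """Stand-in for the real post-back. In production you POST `cmd=_notify-validate&`
    followed by the *unmodified* IPN body back to PayPal's IPN endpoint and read the
    plain-text reply, which is exactly "VERIFIED" or "INVALID". Here we simulate it:
    a body carrying the constructed marker `_forged=1` is treated as INVALID."""
    return "INVALID" if "_forged=1" in raw_body else "VERIFIED"


@dataclass
class IpnHandler:
    verify: Callable[[str], str] = verify_with_paypal_stub
    seen_txn: Set[str] = field(default_factory=set)  # replay protection

    def handle(self, raw_body: str) -> Dict[str, str]:
        """Return a decision: {"deliver": "yes"/"no", "reason": "..."}."""
        # 1. Authenticity: was this notification really issued by the provider?
        if self.verify(raw_body) != "VERIFIED":
            return {"deliver": "no", "reason": "ipn-not-verified"}

        fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
        txn_id = fields.get("txn_id", "")

        # 2. Replay: one transaction must not unlock a second download.
        if txn_id in self.seen_txn:
            return {"deliver": "no", "reason": "duplicate-txn"}

        # 3. Only a completed payment counts (Pending/Reversed/Refunded do not).
        if fields.get("payment_status") != "Completed":
            return {"deliver": "no", "reason": "payment-not-completed"}

        # 4. The money must have gone to our account, not a look-alike receiver.
        if fields.get("receiver_email", "").lower() != EXPECTED_RECEIVER:
            return {"deliver": "no", "reason": "wrong-receiver"}

        # 5. Price check: compare what was paid with the catalogue, never with the form.
        item = CATALOGUE.get(fields.get("item_number", ""))
        if item is None:
            return {"deliver": "no", "reason": "unknown-item"}
        try:
            paid = Decimal(fields.get("mc_gross", ""))
        except Exception:  # Decimal raises InvalidOperation on garbage
            return {"deliver": "no", "reason": "bad-amount"}
        if fields.get("mc_currency") != item["currency"] or paid < item["price"]:
            return {"deliver": "no", "reason": "underpaid"}

        self.seen_txn.add(txn_id)
        return {"deliver": "yes", "reason": "ok"}  # safe to release the download


def make_ipn(**overrides: str) -> str:
    """Build a constructed IPN body (url-encoded, the shape PayPal posts)."""
    base = {
        "txn_id": "TXN-0001", "payment_status": "Completed",
        "receiver_email": EXPECTED_RECEIVER, "item_number": "SKU-100",
        "mc_gross": "29.95", "mc_currency": "USD",
    }
    base.update(overrides)
    return urlencode(base)


if __name__ == "__main__":
    h = IpnHandler()
    print(h.handle(make_ipn()))                                    # ok
    print(h.handle(make_ipn(txn_id="TXN-0002", mc_gross="0.01")))  # underpaid
    print(h.handle(make_ipn()))                                    # duplicate-txn
    print(h.handle(make_ipn(txn_id="TXN-0003", _forged="1")))      # ipn-not-verified
```

The order of the checks matters: authenticity first, because a notification that did not come from the provider tells you nothing; then replay and status, so a single genuine payment cannot be reused; and only then the price, looked up by `item_number` rather than taken from anything the buyer submitted.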

kwasher

12:55 pm on Jun 28, 2004 (gmt 0)

10+ Year Member

You can use a PayPal intermediary like payloadz.com

PayPalPB

3:41 am on Jun 29, 2004 (gmt 0)

10+ Year Member

Yes, payment amount checking can be done programmatically using IPN.

Also, you can create encrypted payment buttons at the PayPal web site.

Finally, PayPal's new Web Services provide an API call for refunding.

blaze

12:21 pm on Jun 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

WebServices - Very very cool!

sun818

3:06 am on Jul 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

> cannot provide any resolution to this well-known issue

Well-known issue? Let's get real - it rarely happens. I can only think of two instances where this has occurred. Once it was intentional and the other time it was due to a cached page from Google.