PayPal Certified Developer Program - 2008 Study Guide

PayPal Certified Developer Program Study Guide
For Professional Use Only. Currently only available in English.
Last updated: March 2008
Document Number: 100018.en_US-200803
© 2008 PayPal, Inc. All rights reserved. PayPal is a registered trademark of PayPal, Inc. The PayPal logo is a trademark of PayPal, Inc. Other trademarks and brands are the property of their respective owners. The information in this document belongs to PayPal, Inc. It may not be used, reproduced or disclosed without the written approval of PayPal, Inc. PayPal (Europe) Ltd. is authorised and regulated by the Financial Services Authority in the United Kingdom as an electronic money institution. PayPal FSA Register Number: 226056.
Notice of non-liability: PayPal, Inc. is providing the information in this document to you “AS-IS” with all faults. PayPal, Inc. makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. PayPal, Inc. assumes no liability for damages (whether direct or indirect), caused by errors or omissions, or resulting from the use of this document or the information contained in this document or resulting from the application or use of the product or service described herein. PayPal, Inc. reserves the right to make changes to any information herein without further notice.

Contents

Chapter 1 Online Payment Processing
  Online Selling Basics
  The Payment Processing Network
  Individuals
  Institutions
  Processes and Services
  How Online Payment Processing Works
  Payment Processing Authorization
  Payment Processing Settlement
  What to Look for in an Online Payment Processing Solution
  PayPal’s Payment Processing Solutions
  Review Questions

Chapter 2 Internet Security and Fraud Prevention
  Why Every Business Should Be Concerned About Internet Fraud
  Liability for Internet Fraud
  Internet Fraud: What It Is and How It Happens
  Who Is at Risk for Online Fraud
  Reducing Exposure to Fraud
  What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud
  What PayPal Is Doing to Protect Your Business Against Fraud
  How to Reduce Chargebacks
  Disclosure and Compliance
  Disclosure Policy
  PCI Data Security Standard Compliance
  Additional Resources About Disclosure and Compliance
  PayPal Fraud Protection Services
  Detailed Service Descriptions
  PayPal Fraud Protection Services Upgrade Options
  Review Questions

Chapter 3 Getting Started With Account Setup
  Basic Steps for Getting Started
  PayPal Sandbox
  Review Question

Chapter 4 API Credentials
  What API Credentials Are
  Choosing an Authentication Method
  Establishing API Credentials
  API Signature
  API Certificate
  Using API Credentials
  Review Questions

Chapter 5 Name-Value Pair (NVP) API
  Integrating with the PayPal API
  Basic Steps
  Create a Web Application
  Get API Credentials
  Create and Post the Request
  Interpret the Response
  Technical Details
  Request-Response Model
  Request Format
  Response Format
  Posting Using HTTPS
  Review Questions

Chapter 6 Express Checkout
  How Express Checkout Works
  Express Checkout API Reference Information
  SetExpressCheckout Request
  SetExpressCheckout Response
  GetExpressCheckoutDetails Request
  GetExpressCheckoutDetails Response
  DoExpressCheckoutPayment Request
  DoExpressCheckoutPayment Response
  Button and Logo Placement and Use
  PayPal Button as a Checkout Choice
  PayPal Button as a Payment Method
  Using PayPal-Hosted Images
  Tips
  Redirecting to PayPal
  Recommendation for Browser Redirection
  Order Review Page Setup
  Authorization & Capture
  Review Questions

Chapter 7 Direct Payment API
  How Direct Payment Works
  Direct Payment API Reference Information
  DoDirectPayment Request
  DoDirectPayment Response
  Authorization & Capture
  Review Questions

Chapter 8 Transactions
  Authorization & Capture APIs
  Authorization Process
  Honor Period and Authorization Period
  Authorization & Capture API Reference Information
  Authorization & Capture Best Practices
  For More Information
  Refunds
  RefundTransaction Request
  RefundTransaction Response
  Transaction Searches
  TransactionSearch Request
  TransactionSearch Response
  Retrieving Transaction Details
  GetTransactionDetails Request
  GetTransactionDetails Response
  Payment Notification Integration
  Email
  Reporting
  Instant Payment Notification (IPN)
  Dispute Notification
  Review Questions

Chapter 9 Sandbox Testing
  Overview
  At a Glance: Differences between the Sandbox and Live PayPal
  Accessing the PayPal Sandbox
  Signing Up for Sandbox Access
  Welcome to the PayPal Sandbox
  Test Email
  Setting Up Test Accounts
  Planning the Types of Test Accounts You Need
  Managing Test Accounts
  Adding a Funding Source
  Signing Up for Website Payments Pro
  Testing PayPal Website Features
  Website Payments with the “Buy Now” Button
  Handling Pending Transactions
  Instant Payment Notification (IPN)
  Verifying a Test Refund
  Transferring Funds to a Test Account
  Clearing or Failing Test eCheck Transactions
  Sending Funds to a Seller
  Billing A Customer
  Testing PayPal NVP APIs
  Testing Express Checkout
  Testing Error Conditions
  API Testing
  Testing Using AVS Codes
  Testing Using CVV Codes
  Testing Recurring Payments
  Review Questions

Appendix A Answers to Review Questions
  Chapter 1
  Chapter 2
  Chapter 3
  Chapter 4
  Chapter 5
  Chapter 6
  Chapter 7
  Chapter 9

Appendix B General Reference Information
  ShippingAddress Parameter
  PayPal-Supported Transactional Currencies
  AVS Response Codes
  CVV2 Response Codes

Glossary
Index

List of Tables

Table 1.1 PayPal Payment Processing Solutions
Table 2.1 High Fraud Risk Quick Reference
Table 2.2 PCI Data Security Standard
Table 2.3 Merchant Levels for PCI Compliance
Table 2.4 PCI Compliance Validation Requirements
Table 2.5 Fraud Protection Services Purchase Options
Table 2.6 Comparison of Fraud Protection Services
Table 4.1 Required Security Parameters
Table 5.1 URL-Encoding Methods
Table 5.2 General Format of a Request
Table 5.3 General Format of a Successful Response
Table 5.4 ACK Parameter Values
Table 5.5 Format of an Error Response
Table 6.1 Express Checkout Flow-of-Control and Integration Points
Table 6.2 SetExpressCheckout Request Parameters
Table 6.3 SetExpressCheckout Response Fields
Table 6.4 GetExpressCheckoutDetails Request Parameters
Table 6.5 GetExpressCheckoutDetails Response Fields
Table 6.6 DoExpressCheckoutPayment Request Parameters
Table 6.7 DoExpressCheckoutPayment Response Fields
Table 7.1 DoDirectPayment Request Parameters
Table 7.2 DoDirectPayment Response Fields
Table 8.1 DoCapture Request Parameters
Table 8.2 DoCapture Response Fields
Table 8.3 DoVoid Request Parameters
Table 8.4 DoVoid Response Fields
Table 8.5 DoReauthorization Request Parameters
Table 8.6 DoReauthorization Response Fields
Table 8.7 RefundTransaction Request Parameters
Table 8.8 RefundTransaction Response Fields
Table 8.9 TransactionSearch Request Parameters
Table 8.10 TransactionSearch Response Fields
Table 8.11 GetTransactionDetails Request Parameters
Table 9.1 Differences between PayPal Sandbox, and Live PayPal
Table 9.2 API Fields That Trigger Error Conditions
Table 9.3 AVS Error Conditions and Triggers
Table 9.4 CVV Error Conditions and Triggers
Table B.1 ShippingAddress
Table B.2 PayPal-Supported Currencies and Currency Codes for Transactions
Table B.3 AVS Response Codes
Table B.4 CVV2 Response Codes

Chapter 1 Online Payment Processing

Online payment processing simplifies the operation of an online store by providing a reliable, easy, secure, and seamless experience for merchants and customers.
In this chapter, you will learn:
• Online payment processing basics
• How the payment processing network operates
• How payment processing works
• What to look for in an online payment processing solution
• PayPal’s payment processing solutions

Online Selling Basics

With the right payment processing services, online merchants can get paid quickly and easily while protecting themselves against fraud. The most critical step in establishing an online store is ensuring that you can accept customer payments for single or repeated transactions. Online payment processing tools offer customers the convenience of paying by credit card, PayPal®, or other electronic payment sources like debit cards, purchase cards, and eChecks.
Additionally, successful online merchants must make sure their stores are secure. Online fraud rates are climbing, but smart merchants can protect themselves with security and fraud prevention systems from a company they trust. According to CyberSource Corp., businesses lost nearly $2.8 billion USD to online fraud in 2005, up from $2.6 billion USD in 2004. PayPal’s Fraud Protection Services provide secure and reliable tools that offer peace of mind.

The Payment Processing Network

The payment processing network connects sellers, buyers, and banks to enable the secure and reliable execution of online transactions. Sellers need an internet merchant account with an acquiring bank that allows them to accept customer credit cards electronically. Customers need a bank that issues credit cards and verifies the customer’s credit limit and available cash balance for proposed purchases. The elements and participants include individuals, institutions, and processes and services.

Individuals

• Merchant: Someone who sells goods or services.
• Customer: The holder of the payment instrument.

Institutions

• Customer issuing bank: The institution providing the customer’s credit card.
• Acquiring bank: Provides internet merchant accounts required to enable online card authorization and payment processing.
• Credit card associations: Financial institutions that provide credit card services in concert with credit card associations such as Visa and MasterCard.
• Processor: A large data center that processes credit card transactions and settles funds for merchants. A processor can be either a bank or a company dedicated to providing these services. Ceridian is an example of a payment processor.

Processes and Services

• Authorizations: The process of verifying that customer credit cards are active and have sufficient available credit limits.
• Settlements: Processing authorized transactions to settle funds into a merchant’s account.
• Payment processing service: A service that connects merchants, customers, and banks involved in online transactions. A third party, such as PayPal with its secure payment gateway, usually offers this service.

How Online Payment Processing Works

Online payment processing consists of two principal steps: authorization and settlement. Authorization verifies that the card is active and the customer has sufficient credit to make the transaction. Settlement is the process of charging the customer’s card account and transferring money from the customer’s account to the merchant’s account.

Payment Processing Authorization

During authorization, a bank verifies that holders of a payment instrument, like a credit card, have sufficient credit or funds to make a purchase. The payment authorization process engages multiple institutions and services to verify that sufficient credit is available to complete the transaction as follows:
1. Customer decides to purchase online and inputs credit card information.
2. Merchant’s website receives customer information and sends it to payment processing service.
3. Processing service routes information to processor.
4. Processor routes information to bank that issued customer’s credit card.
5. Issuing bank sends authorization (or declination) to processor.
6. Processor routes transaction results to payment processing service.
7. Processing service sends results to merchant.
8. Merchant decides to accept or reject purchase. (Here, the merchant should take additional precautions to ensure the credit card is not stolen and that the customer actually owns this card.)

Payment Processing Settlement

Once the merchant has shipped the product or authorized the download of merchandise, the merchant may request that the payment processing service settle the transaction. During settlement, funds are transferred from the customer’s account to the merchant’s bank account.
1. Merchant informs the payment processing service to settle transactions.
2. Payment processing service sends transactions to processor.
3. Processor checks the information, and forwards settled transaction information to the card association and card-issuing bank.
4. Transactions are settled to the card issuers and funds move between the acquiring bank and issuing bank. Funds received for these transactions are sent to the merchant’s bank account.
5. Acquiring bank credits merchant’s bank account.
6. Issuing bank includes merchant’s charge on customer’s credit card account.

What to Look for in an Online Payment Processing Solution

Finding a reliable, secure, and flexible payment processing solution is critical. A payment processing solution should be:

Secure
• Backed by an established, trustworthy company
• Comply with the Payment Card Industry (PCI) Data Security Standard
• Provide comprehensive and standard antifraud features
• Store customer financial information with state-of-the-art encryption
• Supply password-protected account management

Reliable
• Provide reliable and cost-effective acceptance and processing of a variety of payment types
• Authorize credit cards in real time
• Scale to thousands of transactions to meet peak demand
• Based on a fault-tolerant network of redundant servers to ensure uninterrupted operations

Easy to Use
• Provide easy, flexible integration with merchant’s website
• Scale rapidly and seamlessly as transaction volume increases
• Work with leading internet merchant account providers
• Provide easy-to-use tracking and reporting system
• Store transaction records securely
• Process offline transactions through a virtual terminal
• Provide recurring billing payment for services
• Offer upgrade options to accommodate future growth

PayPal’s Payment Processing Solutions

PayPal’s payment processing solutions are designed to meet the demanding and diverse needs of a variety of online merchants. By providing affordable payment connections among merchants, customers, and financial networks, PayPal’s solutions take advantage of the latest technical resources to streamline transactions, while helping to prevent fraud. Products including Payflow Link, Payflow Pro, Website Payments Standard, and Website Payments Pro allow everyone from mom-and-pop online retail stores to enterprise-level businesses to process transactions easily, reliably, and securely.
PayPal’s Fraud Protection Services and Recurring Billing Service for Payflow, along with other customer service packages, include professional integration support. Most importantly, Payflow offers one of the industry’s few payment processing services with immediate connectivity to all major processors and most shopping carts. Note, however, that you do not need a PayPal account to process credit cards on your website.
Once you have your own website, ask a few simple questions to determine which product is right for you:
1. Do you need an all-in-one solution that includes an internet merchant account and allows you to process credit cards online?
If you don’t have your own internet merchant or business bank account, PayPal can provide a total solution with its Website Payments Standard and Website Payments Pro solutions:
- Website Payments Pro: Website Payments Pro is an all-in-one payment solution that allows customers to shop and pay on your site. You can accept credit cards directly on your site and get the features of a merchant account and gateway through a single provider at a lower cost. Website Payments Pro allows you to control your checkout from start to finish.
  For more information on Website Payments Pro, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_wp-pro-overview-outside.
- Website Payments Standard: Website Payments Standard lets customers shop on your website and pay on PayPal. It offers a pay-per-use model with no set-up or monthly fees. Like Website Payments Pro, it includes shipping and tax calculators, reporting tools to measure your business, and support for international currencies.
  For more information on Website Payments Standard, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_wp-standard-overview-outside
2. Do you have your own internet merchant account or business bank account that allows you to process credit cards online?
If you do, consider PayPal Payflow Gateway products. A gateway provides a secure connection between your online store and your internet merchant account.
- Payflow Pro: Scalable and fully customizable, the Payflow Pro solution is recommended for merchants who require peak site performance and direct control over payment functionality on their site. Merchants using this service can enhance the customer experience by allowing shoppers to complete the checkout process without ever leaving your site.
  For more information on Payflow Pro, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_payflow-pro-overview-outside.
- Payflow Link: This service is designed for merchants who require a simple solution to selling on the web. In order to use this service, you need to add only a small piece of HTML code that will link your customers to order forms hosted by PayPal. This simple package allows you to process payments by credit cards, debit cards, and checks, online and offline. It also works with most major shopping carts.
  For more information on Payflow Link, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_payflow-link-overview-outside.
3. Do you need a basic payment processing service?
Look first to a basic PayPal service for processing credit card payments. These include:
- PayPal Email Payments: Email Payments lets you send customers email invoices that they can pay on PayPal. This simple solution does not require you to have a shopping cart or an internet merchant account.
  For more information on PayPal Email Payments, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_email-payments-overview-outside.
- PayPal Virtual Terminal: Virtual Terminal provides your business with the same functionality as a stand-alone credit card-processing terminal, but allows you to accept credit card payments by phone, fax, and email. You can use Virtual Terminal on any computer with an internet connection.
  For more information on PayPal Virtual Terminal, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_vt_hub-outside.
- PayPal as an Additional Payment Option: This option allows merchants to put the PayPal logo on their own website to accept PayPal as an alternative payment source, in addition to credit cards such as MasterCard® or Visa®.
  For more information on PayPal as an Additional Payment Option, go to: https://www.paypal.com/cgi-bin/webscr?cmd=_additional-payment-overview-outside
TABLE 1.1 PayPal Payment Processing Solutions

| | Website Payments Pro | Website Payments Standard | Payflow Pro | Payflow Link | Email Payments | Virtual Terminal | PayPal |
|---|---|---|---|---|---|---|---|
| | I need an all-in-one solution | I need an all-in-one solution | I have an internet merchant account | I have an internet merchant account | I need basic payment processing | I need basic payment processing | Additional payment option |
| Customer Experience | | | | | | | |
| Where customers shop: | Shop on merchant website | Shop on merchant website | Shop on merchant website | Shop on merchant website | Varies with merchant business | Varies with merchant business | Shop on merchant website |
| Where customers check out: | Merchant website or on PayPal | PayPal | Merchant website or on PayPal | PayPal | PayPal | Phone, fax, or mail | PayPal |
| Customers need a PayPal account: | No | No | No | No | No | No | No |
| Integration | | | | | | | |
| Internet merchant account: | Included | Not needed | Required | Required | Not needed | Included | Required |
| Shopping cart support: | Yes | Yes | Yes | Yes | Not required | Not required | Yes |
| Technical skills: | APIs | HTML | APIs or HTML | APIs or HTML | Not required | Not required | APIs or HTML |
| Ability to accept phone, fax, or mail orders: | Included | Upgrade | Included | Included | Upgrade | Included | Upgrade |
NOTE: This Study Guide and the PayPal Developer Certification cover the Website Payments Pro solution with Express Checkout.

Review Questions
Answers to review questions are in Appendix A, “Answers to Review Questions.”
1. Indicate if each statement is True (T) or False (F).
_____ The most critical step in establishing an online store is ensuring that you can accept customer payments for single or repeated transactions.
_____ According to Cybersource Corp., businesses lost nearly $2.8 billion USD to online fraud in 2005, down from $3.0 billion USD in 2004.
_____ The payment processing network connects buyers, sellers, and banks to enable the secure and reliable execution of online transactions.
_____ By providing affordable payment connections among merchants, customers, and financial networks, PayPal’s solutions take advantage of the latest technical resources to streamline transactions, while helping to prevent fraud.
2. Match each participant in the payment processing network to the role they perform.

| Response | Participant | Role Performed |
|---|---|---|
| _____ | Merchant | 1. The holder of the payment instrument. |
| _____ | Customer | 2. A financial institution that provides credit card services in concert with credit card associations such as Visa and MasterCard. |
| _____ | Customer Issuing Bank | 3. Someone who sells goods or services. |
| _____ | Acquiring Bank | 4. A large data center that processes credit card transactions and settles funds for merchants. |
| _____ | Credit Card Association | 5. An institution that provides merchant accounts required to enable online card authorization and payment processing. |
| _____ | Processor | 6. The institution providing the customer’s credit card. |
3. The following steps describe the payment authorization process. Indicate the correct order of the steps by placing the step number to the left of each description.
_____ Processor routes information to bank that issued customer’s credit card.
_____ Merchant’s website receives customer information and sends it to payment processing service.
_____ Processing service sends results to merchant.
_____ Merchant decides to accept or reject purchase.
_____ Customer decides to purchase online and inputs credit card information.
_____ Processor routes transaction results to payment processing service.
_____ Processing service routes information to processor.
_____ Issuing bank sends authorization (or declination) to processor.
4. The following steps describe the payment processing settlement process. Indicate the correct order of the steps by placing the step number to the left of each description.
_____ Acquiring bank credits merchant’s bank account.
_____ Merchant informs the payment processing service to settle transactions.
_____ Processor checks the information, and forwards settled transaction information to the card association and card-issuing bank.
_____ Issuing bank includes merchant’s charge on customer’s credit card account.
_____ Transactions are settled to the card issuers and funds move between the acquiring bank and issuing bank. Funds received for these transactions are sent to the merchant’s bank account.
_____ Payment processing service sends transactions to processor.
5. Finding a reliable, secure, and flexible payment processing solution is critical. What features should a payment processing solution offer? (Select all that apply.)
_____ Backed by an established, trustworthy company
_____ Comply with Payment Card Industry (PCI) Data Security Standard
_____ Store customer financial information in plain sight
_____ Authorize credit cards in real time
_____ Based on a network that provides near real-time credit card transactions
_____ Scale rapidly and seamlessly as transaction volume increases
_____ Offer upgrade options to accommodate future growth
_____ Provide recurrent billing payment for service
6. Match each PayPal solution to the service it offers.
| Response | PayPal Product | Service Description |
|---|---|---|
| _____ | Website Payments Pro | 1. Lets you send customers email invoices that they can pay on PayPal. This simple solution does not require you to have a shopping cart or an internet merchant account. |
| _____ | Website Payments Standard | 2. A gateway that provides a secure connection between your online store and your internet merchant account. Scalable and fully customizable, this solution is recommended for merchants who require peak site performance and direct control over payment functionality on their site. Merchants using this service can enhance the customer experience by allowing shoppers to complete the checkout process without ever leaving your site. |
| _____ | Payflow Pro | 3. Allows merchants to put the PayPal logo on their own website to accept PayPal as an alternative payment source, in addition to credit cards such as MasterCard® or Visa®. |
| _____ | Payflow Link | 4. An all-in-one payment solution that allows customers to shop and pay on your site. You can accept credit cards directly on your site and get the features of a merchant account and gateway through a single provider at a lower cost. |
| _____ | PayPal Email Payments | 5. A gateway that provides a secure connection between your online store and your internet merchant account. This service is designed for merchants who require a simple solution to selling on the web. In order to use this service, you need to add only a small piece of HTML code that will link your customers to order forms hosted by PayPal. |
| _____ | PayPal Virtual Terminal | 6. Provides your business with the same functionality as a stand-alone credit card-processing terminal, but allows you to accept credit card payments by phone, fax, and email. |
| _____ | PayPal as an Additional Payment Option | 7. Lets customers shop on your website and pay on PayPal. It offers a pay-per-use model with no set-up or monthly fees. It includes shipping and tax calculators, reporting tools to measure your business, and support for international currencies. |
7. Select the PayPal payment processing solutions that enable a customer to checkout on the merchant’s website.
_____ Website Payments Pro
_____ Website Payments Standard
_____ Payflow Pro
_____ Payflow Link
_____ Email Payments
_____ Virtual Terminal
_____ PayPal as an Additional Payment Option
8. Select the PayPal payment processing solutions that require API or HTML technical skills to develop payment processing applications.
_____ Website Payments Pro
_____ Website Payments Standard
_____ Payflow Pro
_____ Payflow Link
_____ Email Payments
_____ Virtual Terminal
_____ PayPal as an Additional Payment Option
Chapter 2 Internet Security and Fraud Prevention

E-commerce has become an essential sales channel for businesses both domestically and internationally. Unfortunately, e-commerce has also become an attractive revenue source for criminals who perpetrate internet fraud. You need to be aware and informed so that you can take steps to protect your business. Security for online payments is everyone’s responsibility.
In this chapter, you will learn about:
• Why every merchant should be concerned about internet fraud
• Liability for internet fraud
• Internet fraud: What it is and how it happens
• Who is at risk for online fraud
• How to reduce your exposure to fraud
• What banks and credit card associations are doing to prevent online credit card fraud
• What PayPal is doing to protect your business against fraud
• Providing disclosure to your customers and compliance with the Payment Card Industry (PCI) standard
• PayPal® Fraud Protection Services

Why Every Business Should Be Concerned About Internet Fraud

Every merchant is at risk for fraud. When doing business online, you should be particularly aware of fraud.
Offline merchants can see who they are doing business with, look at their customers’ credit cards, and watch them sign the receipt. In the online world, however, customers never sign a paper receipt, so authentication becomes a challenge. Moreover, in the online world, hackers can break into your network without your knowledge and steal money, products, and sensitive information. They can also steal customer identities and commit crimes against other merchants, using your business as a launch pad for further crimes.
Internet fraud is also more difficult to detect than in the brick-and-mortar world. Criminals who break into a physical store are much more visible than criminals who break in through the web and erase their footprints. Additionally, in the online world, criminals have multiple access points for break-ins, because the merchant store is networked internally and to other businesses.
Because of these vulnerabilities, total losses from online payment fraud have steadily increased. According to CyberSource’s 2006 Online Fraud Report, an estimated $2.8 billion USD was lost to online fraud in the U.S. and Canada in 2005. The Nilson Report, a payment
trade publication, estimates the rate of credit card fraud to be 18 cents to 24 cents per $100 USD of online sales – three to four times higher than the overall fraud rate.
The threat of online fraud is so pervasive that the U.S. government now mandates security requirements for businesses that handle financial information online. Today these regulations apply mainly to the banking community, but as an internet merchant you access the financial networks for each transaction made on your site. As a result, security at the point of sale is becoming an increasing concern for both credit card associations and the government.
Credit card associations, for their part, hold merchants liable for fraudulent transactions because the credit card isn’t physically present during online purchases. So merchants must take additional steps against online fraud. Credit card associations can impose stiff penalties for fraud – expenses on top of stolen goods and related shipping costs.
Moreover, American Express, Diners Club, Discover Card, JCB, MasterCard International and Visa U.S.A. have adopted the Payment Card Industry (PCI) Data Security Standard developed to protect account and transaction information of cardholders. The PCI standard requires merchants to adhere to a set of information security requirements or risk substantial fines. Security must therefore be a key concern.
Liability for Internet Fraud
In the offline world, you can take steps to safeguard your transactions by getting a signature and authorization, thereby shifting the liability of the transaction to the card issuer. In the online world, the liability for a fraudulent transaction always rests squarely with the merchant. Online transactions are considered card-not-present transactions and are inherently riskier. The financial consequences for a merchant who processes a fraudulent online transaction can be significant:
• Inventory loss and shipping costs for physical goods that are fraudulently purchased and then delivered
• Chargeback penalties assessed by the acquiring bank of $15-$30 USD per fraudulent transaction
According to Gartner Group estimates, merchants reject an estimated 5% of all transactions out of suspicion of fraud, while only 2% of transactions are actually fraudulent. The result is a significant amount of lost sales (up to 3% of sales volume) in an attempt to reduce fraud risk.
In addition to losing product and paying chargeback penalties, your business also faces costs due to fraud:
• Higher discount rates assessed as a result of processing fraudulent payments
• Labor cost for the merchant to investigate and resolve the chargeback
• Five- to six-figure card association fines or cancellation of a merchant’s account when card fraud rates are consistently high
Implementing better tools and raising awareness can help you reduce lost revenue by turning away fewer legitimate customers who seem suspicious. You can also resolve chargebacks
more quickly, thus saving time and money. In some cases, online merchants have reduced their chargeback rate from 7% to 2%.
Internet Fraud: What It Is and How It Happens
All internet payment fraud is based on stolen consumer or merchant identities. It also requires access to payment networks to complete the fraud. The result is product theft, identity theft, and cash theft.
• Product Theft: Occurs when a criminal uses stolen credit card information to purchase goods and services.
• Identity Theft: Occurs when stolen credit card information is combined with readily available social security numbers and address information to open new credit cards under the victim’s name and address.
• Cash Theft: Occurs when criminals break into a virtual cash register by stealing merchant account access information and impersonating you in order to issue credits or payments to themselves.
Fortunately, there are ways to protect against fraud. The most important thing you can do is choose a reliable and secure payment solution that includes basic and advanced antifraud features. Here are some of the most common fraud-related risks facing online merchants:
Consumer Identity Theft
Criminals steal consumer credit card information through a variety of methods, including dumpster diving for paper receipts, hacking into e-commerce networks, or using handheld “skimmers” to digitally scan numbers from credit cards of unsuspecting people at restaurants or cash registers. Phishers, meanwhile, will send fraudulent emails to consumers warning, for instance, of a problem with a credit card account in an attempt to trick the person into providing personal information. Once they’ve obtained the credit card information, these criminals can use it to steal products outright or open other accounts by impersonating the victim.
Merchant Identity Theft
Just as offline criminals can break into a cash register, online criminals can hack into the accounts of web merchants and funnel money to themselves. These criminals might be employees or visitors to a building who copy unprotected login information. They then can use the information to hack into a back-end system to hijack a merchant’s payment gateway account, which provides the secure connection between your online store and your internet merchant account. Through this move, they can steal cash directly from the business by issuing themselves credit cards and payments.
Accessing Payment Networks
Once criminals have stolen an identity, they may access a payment network to complete the fraud. Most do this through two primary channels: a web merchant’s checkout page or a payment gateway account. Although a checkout page provides convenience for both buyer and seller, it can raise some security concerns. For example, some criminals use the page to test
stolen credit cards. For the merchant, it is crucial to use products with built-in fraud protection to prevent this sort of digital theft.
Chargebacks
Chargebacks occur when a cardholder disputes a credit card purchase. During such disputes, the card-issuing bank initiates a chargeback against the merchant, retrieving the funds for the sale from the merchant’s bank account. The bank initiating the chargeback is not required to notify the merchant or the merchant bank. Proving that the disputed transaction was legitimate can cost merchants significant time and resources, so keeping chargebacks to a minimum is essential. Chargebacks can hurt a merchant’s bottom line by lowering its credit rating, diverting resources to resolve the dispute, and siphoning revenue from lost goods and shipping costs. The most common type of chargeback occurs when the customer:
• Did not receive the item ordered
• Did not receive the item believed to be ordered
• Had his or her credit card stolen and used by the thief
• Stole merchandise or services through the fraudulent use of a chargeback
Who Is at Risk for Online Fraud
Fraud can happen to any merchant at any time, and a single fraud incident can be enough to put a merchant out of business. That said, some merchants are at greater risk for certain types of fraud than others. PayPal has put together the following quick reference to identify some of the higher-than-average risk categories.
TABLE 2.1 High Fraud Risk Quick Reference

| Merchant Type | Potential Risk |
|---|---|
| Merchants with vulnerable security defenses | Criminals take advantage of sophisticated spidering techniques to identify merchants with network vulnerabilities, and can then break into your network to steal account access information for hijacking or merchant takeovers. |
| High-visibility merchants | Fraud attempts are higher for merchants who advertise heavily or are in the news because criminals know that merchants who experience high transaction volumes have less time to defend against fraud. |

| Products/Services Sold | Potential Risk |
|---|---|
| High-ticket physical goods that are easily resold | These items, including luxury goods, computers, and other electronic equipment, are most attractive to criminals. |
| Goods that can be downloaded from the internet | The purchase of these goods doesn’t require physical address information, making it easier for criminals to disguise a fraudulent transaction. |

| Customer Base | Potential Risk |
|---|---|
| International | It is difficult to validate the address or identity of foreign buyers, and it is more difficult to investigate and prosecute fraudulent activity from an overseas source. |

| Sales Season | Potential Risk |
|---|---|
| Heavy proportion of fourth quarter sales | Criminals know that you have limited time for fraud protection when sales volumes are high. That’s why internet fraud triples in the fourth quarter. |
| Special promotions | Criminals watch for special offers. They know that you have limited time for fraud protection measures when sales volumes are high. |
Reducing Exposure to Fraud
It is possible to significantly reduce your exposure to fraud. There are essentially three levels of exposure to fraud on the internet: the individual transactions, the payment gateway account, and the merchant network. Protecting your business from fraud requires that you address each of these levels in an integrated manner.
Transaction Level
Ensure that each transaction you accept and process is valid. You should also be careful not to deny suspicious transactions that are actually valid.
Authenticate buyers when possible. This includes understanding who your repeat
customers are and keeping lists of repeat customers who have legitimately transacted on your site. Make sure all customer information is encrypted and stored safely. Also, take advantage of MasterCard® and Visa® buyer authentication programs to authenticate customers and reduce your liability.
Screen orders for fraud patterns. There is a wealth of information associated with each
transaction that can help you understand the risk level. To effectively manage all the risk information associated with a transaction, it is important to use a rules engine. A rules engine automates the process of transaction screening so that you quickly fulfill orders for good customers and proactively block risky orders. PayPal Fraud Protection Services allows you to cost-effectively deploy a rules engine as well as benefit from PayPal’s continuously updated lists of high-risk indicators.
Review suspicious transactions. Finally, review each transaction that is suspicious to make
sure you are doing business with a legitimate customer. Online merchants today reject 5% of all transactions because they do not have the time or information to determine whether a suspicious transaction is actually a good one. PayPal Fraud Protection Services allows you to
automatically and continuously review only the suspicious orders, before you process them, allowing time to make an informed decision.
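The screening flow described under Transaction Level, written out as an added example; it is not PayPal Fraud Protection Services code and not part of the original guide. The indicators come from Table 2.1 and the surrounding text, while the field names, weights, thresholds and sample orders are assumptions made for illustration.

```python
"""Transaction-screening rules engine (added example, illustrative values)."""
from dataclasses import dataclass
from typing import Callable, List, NamedTuple, Set

HOME_COUNTRY = "US"   # assumption: the merchant's domestic market
REVIEW_AT = 30        # assumption: score at which an order is held for review
CARD_TEST_LIMIT = 5   # assumption: distinct cards per IP per hour before blocking


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str
    amount_usd: float
    downloadable: bool         # digital goods: no physical address to validate
    easily_resold: bool        # luxury goods, computers, other electronics
    ship_country: str
    buyer_authenticated: bool  # buyer passed the card issuer's password check
    cards_tried_from_ip: int   # distinct card numbers seen from this IP in the last hour


class Rule(NamedTuple):
    name: str
    weight: int
    applies: Callable[[Order], bool]


# Weighted indicators based on the risk categories in Table 2.1; weights are made up.
RULES: List[Rule] = [
    Rule("high_ticket_resellable", 25, lambda o: o.easily_resold and o.amount_usd >= 500),
    Rule("downloadable_goods", 15, lambda o: o.downloadable),
    Rule("international_buyer", 20, lambda o: o.ship_country != HOME_COUNTRY),
    Rule("buyer_authenticated", -20, lambda o: o.buyer_authenticated),
]


class Decision(NamedTuple):
    order_id: str
    action: str          # "accept", "review" or "reject"
    score: int
    reasons: List[str]


def screen(order: Order, repeat_customers: Set[str]) -> Decision:
    """Score one order; only a hard rule rejects, everything else is accept or review."""
    # Hard rule: many different cards from one address looks like stolen-card
    # testing on the checkout page, so block without scoring.
    if order.cards_tried_from_ip >= CARD_TEST_LIMIT:
        return Decision(order.order_id, "reject", 100, ["card_testing_velocity"])

    hits = [r for r in RULES if r.applies(order)]
    score = sum(r.weight for r in hits)
    reasons = [r.name for r in hits]

    # Customers who have legitimately transacted before lower the risk score.
    if order.email.lower() in repeat_customers:
        score -= 25
        reasons.append("known_repeat_customer")

    score = max(score, 0)
    # Suspicious orders are held for a person, not denied, so valid sales are not lost.
    action = "review" if score >= REVIEW_AT else "accept"
    return Decision(order.order_id, action, score, reasons)


def review_queue(orders: List[Order], repeat_customers: Set[str]) -> List[str]:
    """Return the ids of the orders a person needs to look at before fulfilment."""
    return [d.order_id for d in (screen(o, repeat_customers) for o in orders)
            if d.action == "review"]


# Constructed sample data, not real customers or transactions.
REPEAT_CUSTOMERS = {"alice@example.com"}
SAMPLE_ORDERS = [
    Order("A1", "alice@example.com", 40.0, False, False, "US", False, 1),
    Order("A2", "new1@example.net", 1200.0, False, True, "FR", False, 1),
    Order("A3", "new2@example.net", 1200.0, False, True, "FR", True, 1),
    Order("A4", "new3@example.net", 15.0, True, False, "US", False, 9),
    Order("A5", "new4@example.net", 20.0, True, False, "US", False, 1),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        d = screen(o, REPEAT_CUSTOMERS)
        print(f"{d.order_id}: {d.action:6} score={d.score:3} {', '.join(d.reasons)}")
    print("review queue:", review_queue(SAMPLE_ORDERS, REPEAT_CUSTOMERS))
```

Of the five sample orders, only the unauthenticated high-ticket international order lands in the review queue; the same order with buyer authentication is accepted, and the card-testing pattern is blocked outright.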
Account Level
Make sure that only authorized users have access to your payment gateway account, and be alert for suspicious account access patterns.
Lock down administrative access. With PayPal Fraud Protection Services, you can limit
access to high-risk administrative transactions, such as issuing credits. You should also change your account password on a regular basis.
Monitor account level activity for suspicious patterns. Watch your account for signs of
unauthorized access, which could indicate merchant account takeover. Account Monitoring from PayPal offers affordable, customized, live account monitoring staffed by experienced fraud professionals. The service can help you catch account takeover before it does any damage, whether the takeover is due to a hacker or fraudulent employee usage of your service.
Network Level
Ensure your network or “perimeter” is defended against unauthorized access.
Lock down network access. With PayPal Manager, you can ensure that only IP addresses
you select have access to your network.
Update all patches on servers and operating systems. Invest in regularly scheduled
security audits or port scans to identify network vulnerabilities. PayPal Fraud Protection Services offers a free network scan from Qualys, included with every Basic or Advanced PayPal Fraud Protection Service.
Monitor firewall activity. Enterprise e-commerce companies should also monitor their
network’s perimeter security on a 24-hour basis.
What Banks and Card Associations Are Doing to Prevent Online Credit Card Fraud
Consumers shop online for convenience and speed, but historical authentication requirements have often proved to be cumbersome, time-consuming, and ineffective.
New buyer authentication programs, such as MasterCard® SecureCode, and Verified by Visa®, provide more streamlined and customer-friendly authentication through passwords. These programs enable you to gain liability protection by prompting consumers to provide a password with their card issuers at checkout, similar to providing a PIN number for ATM transactions. Transactions in which consumers authenticate themselves to issuers effectively shift liability from the merchant to the issuer. Merchants are not held liable for fraudulent transactions processed using buyer authentication.
PayPal’s suite of Fraud Protection Services makes it easy for you to take advantage of this powerful system. (Check with your internet merchant account provider directly to determine if
they have deployed buyer authentication.) Through Fraud Protection Services, one seamless integration gives you access to both Verified by Visa and MasterCard SecureCode with your PayPal gateway service.
What PayPal Is Doing to Protect Your Business Against Fraud
The security of your information, transactions, and money is the core of our business and our top priority at PayPal. We help you protect against fraud, so you can grow your business and minimize losses.
PayPal leverages the Secure Sockets Layer (SSL) protocol, which provides crucial online identity and security to help establish trust between parties involved in e-commerce transactions. Customers can be assured that the website they’re communicating with is genuine and that the information they send through web browsers stays private and confidential.
Moreover, using SSL with an encryption key length of 128 bits (the highest level commercially available), PayPal automatically encrypts your confidential information in transit from your computer to ours. Once your information reaches us, it resides on a server that is heavily guarded both physically and electronically. Our servers sit behind a monitored electronic firewall and are not connected directly to the internet, so your private information is available only to authorized computers.

How to Reduce Chargebacks

Dealing effectively with customer issues is a great way to minimize risk and reduce chargebacks. By communicating clearly and keeping good records, you can avoid many potential problems today, which is much easier than trying to resolve them with a credit card company tomorrow. PayPal has developed these helpful tips for avoiding customer complaints that can lead to chargebacks:
• Provide realistic delivery time estimates and use tracking that shows proof that the items were received.
• Describe the sale item in as much detail as possible. Include clear images and measurements so that customers have a good understanding of what they’re getting.
• Make sure you clearly disclose the total cost to customers up front: the price, taxes, shipping costs, etc.
• Provide customers with a way to contact you should they have a problem. Often a simple email exchange or phone call clears up a misunderstanding instantly.
• Respond promptly and courteously to customer inquiries.
Disclosure and Compliance

Disclosure Policy

Your disclosure policy tells your customers that you’re honest and dependable and that you care about them and protecting their information. It shows your customers that you believe in transparency and accountability. It provides a framework and standards for your business policies, how you deal with your customer information, and how you communicate with your customers.
Your disclosure policy typically includes five things: a business description, privacy policy, shipping policy, return policy, and contact information. The more your customers know about you, the more comfortable they’ll be giving you their business. So be honest, open, direct, and precise. Here are more details about the five areas you should cover:
1. Business description. Write a clear description of what your company does, including what products and services it provides. Post it in a prominent place on your website, often the “About Us” section.
2. Privacy policy. Your privacy policy should clearly state how you treat and protect your customers’ information. It’s essential that your policy is easy to find on your website, usually linked from your homepage. Typical elements of a privacy policy include:
– What personally identifiable customer information you collect
– How the information is used
– With whom you share and do not share this information
– What choices are available to your customers regarding collection, use, and distribution of the information
– What choices are available to your customers regarding communications from you – email, direct mail, etc.
– The kind of security procedures in place to protect against the loss, misuse, or alteration of information under your control
– How your customers can correct any inaccuracies in the information
3. Shipping policy. You’ve made the sale. Your customers are anxious to get their purchases. So keep that excitement and positive momentum going with a shipping policy that’s simple and straightforward:
– Spell out your shipping terms in detail, disclosing if costs are determined by weight or the amount of the purchase
– Indicate the classes of shipping you offer - ground, express, overnight, etc.
– Indicate if you ship to APO, FPO, and international addresses
– Tell your customers in what timeframe they can expect their purchase
– Show your customers how they can track their shipment. (Your shippers should be able to provide most of this information for you.)