3
votes

I am implementing the Express Checkout API for a web application, and everything works fine. Still, I am left with a doubt about the flow of the operation.

If I understand well, the user experience is as follows:

  1. User orders some items on the merchant sites
  2. Before paying, the user is sent to the PayPal site
  3. After authentication, the user can confirm some details about the transaction, such as the shipping order, but NOT the total amount
  4. The user is redirected to the merchant site, where he can confirm other information, and in particular the total amount of the order
  5. The payment is done and the user gets a confirmation page from the merchant.

The SetExpressCheckout call happens between 1 and 2, GetExpressCheckoutDetails between 3 and 4, and finally DoExpressCheckoutPaymentbetween 4 and 5.

The fact that the user is not given the opportunity to confirm the total amount in step 3 is because at this point the merchant may not have the information about the shipping cost. Indeed the documentation says explicitly that the amount can change between the call to SetExpressCheckout and the one to DoExpressCheckoutPayment.

So, what if the merchant lies to the user? I may say that you are confirming a payment for 20EUR and charge you 2000EUR. Now, that is a fraud and I may be prosecuted, but it should not be allowed anyway.

Note that the documentation also claims that obtaining the details about the transaction with a call to GetExpressCheckoutDetails is optional. Similarly, step 4, where the user reviews the payment details, may be skipped altogether, and in this case the user will not confirm any amount!

Am I getting something wrong, or is there a rationale behind this working?

2

2 Answers

3
votes

So, what if the merchant lies to the user? I may say that you are confirming a payment for 20EUR and charge you 2000EUR. Now, that is a fraud and I may be prosecuted, but it should not be allowed anyway.

There is no way that PayPal can tell what you are displaying to the user in step 4. The only way around it would be for PayPal to eliminate the ability for the merchant to determine tax and shipping based on the customer's address (or require this sort of thing to update it during the PayPal payment flow).

Am I getting something wrong, or is there a rationale behind [skipping step 4] working?

Sometimes a merchant has no need for step 4, so there is no point in forcing them to display a screen with the same information they just saw on PayPal in step 3. There is even an option that changes the PayPal screen in step 3 to reflect that there will be no step 4 screen.

Of course, if a merchant is changing the tax or shipping values from what was displayed on step 3 then they shouldn't be using this feature.

0
votes

An authorization enables you to capture multiple payments up to 115% of, or USD $75 more than, the amount you specify in the DoExpressCheckoutPayment request. Choose this payment action if you need to ship the goods before capturing the payment or if there is some reason not to accept the payment immediately.

Documentation | PayPal Developer