mattsc

PayPal HS - no seller protection w/PayPal App v4.039

Running a customised OSC install of 2.3.4 BS, and I'm having a problem with PayPal transactions not being covered with Seller Protection. I'm using the Hosted Solution module in the PayPal App v4.039 so that I can accept both PayPal and Credit Cards. Trying to find a resolution to this, the Business Development agent assigned to my account has informed me of the following:
"I reviewed your account and see you are unfortunately not getting seller protection on the PayPal orders as PayPal is hosted via the PayPal pro hosted iFrame. This is not caused by anything you are doing wrong, it’s an issue when PayPal is hosted via the iFrame."

I did a grep through all of the source, and I'm not seeing any frames or frame tags. Perhaps I'm not understanding what the issue is however and that the PayPal 4.039 version of the app/plugin is using frames in a means I'm not seeing here. His recommended solution is that I switch over to Express Checkout. I've looked into this in the past, but when I did this the shipping module was being bypassed. My shipping calculations are rather complex as the business is based out of Thailand and I have 4 different shipping methods and ship world wide. I've attached a screenshot of my PayPal configuration pages for the Hosted Solution and Express Checkout tabs, as well as my checkout screen where it shows the PayPal app loaded and offering both checkout via PayPal, or a provided Credit Card.

I am getting Seller Protection when I use the Payments Standard module, so this seems to be solely related to Hosted Solution. I don't know how to use PayPal Express which won't also bypass the shipping methods. I've been experiencing some fraud lately and this problem with Seller Protection not being covered is no longer acceptable. I have no idea what to do at this point to get Seller Protection, and switching to Standard only isn't a viable option either as I have too many customers who want to pay by credit card and don't want to (knowingly) use PayPal for their transaction.

I'm not really sure what path to take to go forward and could really use some advice or help here!

Screenshot from 2018-06-01 08-47-59.png

checkout.png

Screenshot from 2018-06-01 09-03-04.png

Edited by mattsc
Forgot to include OSC version


Digging through the HTML, it turns out that the site is getting an iframe from PayPal in the Hosted Solution checkout app. I'm guessing this is coming in from the sourced JavaScript and is why I wasn't seeing it when I searched through all of my OSC source code. So, looks like I can't tell PayPal to disable iframe support for my account. I don't know if updating to the PayPal 5.018 app would be safe with my 2.3.4BS install and would be the way to go with trying to get Seller Protection enabled, while still forcing customers through the shipping method selection so that shipping charges wouldn't be bypassed by Express Checkout in the cart. This is so frustrating! :(

PayPal-iframe.png


Updating to the latest version of the app is a good idea in general but it doesn't sound like it'll fix your issue.

PayPal Express Checkout does not bypass your shipping methods. When the customer is first transferred to PayPal, shipping shows as zero because they have not yet provided address information. Once logged into PayPal, your shipping methods are invoked to get the cost. However, for all this to happen properly you must have an SSL certificate and be running the right level of TLS.

I have not used the hosted solution in an implementation and I have seen it declared on here several times that the app doesn't work properly with it - though from what you're saying it sounds like the issue is more at the PayPal end than in the app.

If you're keen to get the hosted solution working, it would be worth asking the question - "is there a non-iframe way of using the hosted solution?"

Then we could have a look at what code changes might be required for it.


Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


Howdy John,

The marketing / business development droid I've been having to deal with at PayPal has finally put me in touch with one of their Merchant Integrations team members. His initial suggestion was to enable "Payments Standard" which I've done, so checkouts via that method will indeed be covered by Seller Protection now.

They just made a change on the backend for our PayPal account, such that the PayPal account info is no longer showing inside of the iFrame. The frame that PayPal returns now only offers the credit card payment method. So on the payment elections page I now can have a paypal payment election, and a separate credit card payment election. Previously, the Hosted Solution payment method returned both, which was confusing customers... which is why we initially moved away from Payment Standard, not aware that doing so meant that even payments made through a PayPal account were STILL not being covered by Seller Protection. The change to Hosted Solution not showing in the paypal account method any more should resolve this finally.

Any means of payment not contained inside of an iFrame, would mean that we would have access to the credit card info. That would push a much higher level of PCI compliance onto us, which isn't desired.

There is also the "Direct Payment" module for the PayPal v4.039, but installing and configuring it, doesn't seem to have any impact. No additional payment election is showing on the checkout payment page, and I'm not seeing any errors in any of the log files, so I'm confused as to what it's doing.

 

As to Express, when I enabled this early on in our implementation testing, we were getting a checkout button in the cart, and it jumped straight from the Cart to the Order Confirmation page, bypassing the payment method elections (makes sense) but also bypassed our Shipping Method election page, and allowed checkout without having elected (or had added to your payment) the charges for shipping. Could be we have something misconfigured here, but for whatever reason, we were not getting Shipping Method election.

7 minutes ago, mattsc said:

Any means of payment not contained inside of an iFrame, would mean that we would have access to the credit card info. That would push a much higher level of PCI compliance onto us, which isn't desired.

I was thinking of forwarding to a hosted page, but I guess that's what Standard does!

9 minutes ago, mattsc said:

There is also the "Direct Payment" module for the PayPal v4.039, but installing and configuring it, doesn't seem to have any impact. No additional payment election is showing on the checkout payment page, and I'm not seeing any errors in any of the log files, so I'm confused as to what it's doing.

I have no experience of PP Direct Payment, I'm afraid, but the app documentation says it's a layer on top of PP Express to keep the customer in your store checkout flow:

Quote

Payments Pro (Direct Payment) PayPal: Configure → Direct Payment

PayPal Payments Pro (Direct Payment) allows credit and debit cards to be accepted directly on your online store's checkout flow without the customer having to leave the store.

This module can use both PayPal and Payflow to process transactions with and can be configured on the Configure → General page.

Requirements

PayPal Express Checkout

PayPal Payments Pro (Direct Payment) requires the additional PayPal Express Checkout payment module to be installed and enabled on your online store. This module will not function until PayPal Express Checkout has been enabled.

For PP Express to work properly with shipping you need instant update to be configured and to be working. From the PP app documentation:

Quote
Instant Update

As soon as the customer has logged in at PayPal or has provided their shipping address during the Express Checkout flow, PayPal contacts your online store to retrieve a list of applicable shipping rates and taxes for the shipping destination. The customer is able to choose their preferred shipping rate which is passed back to the store to use for the order.

As of osCommerce Online Merchant v2.3.4, orders can be blocked when no shipping rate for the destination is available. If this is enabled and Instant Update detects that no shipping rates are available, it requests the customer to select or enter a new shipping address during the Express Checkout flow and prevents them to continue with the order until a valid shipping destination has been selected.

Requirements

Instant Update requires the following for the shipping rates to be retrieved:

  • Your store installation must be configured for and have SSL enabled.

 



OK so, a bit of a *********** but I've got things mostly sorted out on the site now.

Pro Hosted Solution will never be covered by Seller Protection. Don't ask me why, but that's their policy.

So, I had them disable the PayPal account payment method in the hosted solution, and that now only has the hosted credit card payment method. I spun up "Payments Standard" to accept payment via a PayPal account, and that is (as expected) being covered by Seller Protection. The screwy thing being, we can still accept a credit card payment via that payment method even if the person doesn't have a PayPal account, but PP doesn't seem to recognize a distinction there... Plus, paying via that method is a PITA and tends to end up with the funds locked up in escrow for a few weeks. Bleagh!

It seems that you can also not have Pro Hosted enabled and Direct Payment both enabled at the same time. Also, Direct Payment then gives the site direct access to the customer's credit card information, and pushes all of the PCI compliance onto us, and is ALSO not covered by Seller Protection. So, Pro Hosted it is, and we just have to manage our fraud settings and fraud exposure level ourselves. That ******* sucks, and totally baffles me, as it SEEMS like the payment processor and the credit card agency would have fraud prevention services there. There are 3D Secure settings, but that seems to be about as much control as we have over potential fraud, and our exposure is 100%... so a lot that the 3% payment processing charge gets us there! {rolls eyes}

I also understand how and why the hosted connection is done inside of an iFrame. This is so we never have access to the credit card information as it's all encapsulated in the iFrame... and it just hands us the result code of the transaction. Makes perfect sense after I thought about it a bit.

So, at least the PayPal account checkout flow is covered by Seller Protection. Thinking I might try to wrap some sort of "PayPal Buyer Protected" language around the PayPal checkout path to try and direct people over to it, but that's a business decision above my paygrade. :) LOL
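
The behaviour worked out in this thread (the hosted card form arrives as an iframe injected by script, so a grep of the store's source misses it, and card fields never sit in the store's own DOM) can be checked against a saved snapshot of the rendered checkout page. This is an added example, not part of any post and not osCommerce or PayPal code; `payments.example`, the field names and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Substrings that mark a card-data field (HTML autocomplete tokens plus common names).
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "cvv")

class _Scan(HTMLParser):
    """Collects iframe sources and card-like inputs of the top-level document."""
    def __init__(self):
        super().__init__()
        self.frames, self.card_inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.frames.append(a.get("src", ""))
        elif tag == "input":
            label = (a.get("autocomplete", "") + " " + a.get("name", "")).lower()
            if any(h in label for h in CARD_HINTS):
                self.card_inputs.append(a.get("name", ""))

def audit_checkout(html, allowed_frame_hosts):
    """Return (frame_hosts, findings) for one document snapshot.
    A cross-origin frame's contents are not in the parent snapshot, so any
    card input seen here lives in the store's own page (merchant PCI scope)."""
    scan = _Scan()
    scan.feed(html)
    hosts, findings = [], []
    for src in scan.frames:
        url = urlsplit(src)
        hosts.append(url.hostname)
        if url.scheme != "https":  # also flags relative (same-origin) frames
            findings.append(f"frame not loaded over https: {src}")
        if url.hostname not in allowed_frame_hosts:
            findings.append(f"frame from unexpected host: {url.hostname}")
    for name in scan.card_inputs:
        findings.append(f"card field '{name}' in the store's own DOM")
    return hosts, findings

# Constructed samples; payments.example stands in for the processor's host.
SERVED_SOURCE = ('<form id="checkout"><div id="hosted-card"></div>'
                 '<script src="https://payments.example/hosted.js"></script></form>')
RENDERED_DOM = ('<form id="checkout"><div id="hosted-card">'
                '<iframe src="https://payments.example/card-form?token=SAMPLE"></iframe>'
                '</div></form>')
DIRECT_CARD_DOM = ('<form id="checkout" action="/pay">'
                   '<input name="card_no" autocomplete="cc-number">'
                   '<input name="card_code" autocomplete="cc-csc"></form>')

if __name__ == "__main__":
    for label, doc in (("served", SERVED_SOURCE), ("rendered", RENDERED_DOM),
                       ("direct", DIRECT_CARD_DOM)):
        print(label, audit_checkout(doc, {"payments.example"}))
```

The served source shows no frame at all, the rendered snapshot shows one frame from the allowed host with no findings, and the direct-card form produces one finding per card field.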
