Securing Your Payment Buttons by Encryption
If you sell digital (non-tangible) products, services, subscriptions, paid memberships and so on, it is more practical to deliver the product instantly (electronically) as soon as the customer has paid. To automate the delivery, you can use the IPN_Notified event of your PayPal button. But you must also protect yourself against fraud attempts. Using an Encrypted Payment Button is not strictly necessary for that, but it is better: because the button parameters are signed and encrypted, a buyer cannot edit the price or the item in the form fields before submitting them. Before you decide on the Encrypted Payment option, please check the other available options for protecting against fraud attempts. If you use an Encrypted Payment button and block Non-Encrypted Website Payments in your PayPal profile, then you can trust that a Verified IPN message is genuine; you should still check that it describes a completed payment, for the right amount, to your own account. Please note: I said 'Verified IPN message'; that means you must verify the IPN (post it back to PayPal and receive VERIFIED in reply) before you proceed to your product delivery logic. There is no alternative to the following pattern, whether or not you use an Encrypted Payment button.
Now, let's get started.
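The verify-then-check pattern as an added example in C#: this is my own code, not the control's or PayPal's sample code. It is an IHttpHandler (e.g. IpnListener.ashx) that reads the IPN body exactly as received, posts it back to PayPal with cmd=_notify-validate in front, and only after a VERIFIED reply checks the business fields before delivering. The endpoint constant, the expected receiver e-mail, price and currency, the in-memory ProcessedTransactions set and the DeliverProduct method are assumptions and placeholders you replace with your own.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.IO;
using System.Net;
using System.Text;
using System.Web;

// Added example: an IPN listener that verifies the message before delivering anything.
public class IpnListener : IHttpHandler
{
    // Live endpoint; use https://www.sandbox.paypal.com/cgi-bin/webscr while testing.
    private const string PayPalEndpoint = "https://www.paypal.com/cgi-bin/webscr";

    // Assumptions: your own values go here (or come from configuration). In a real shop
    // look the price up by item_number instead of using one constant.
    private const string ExpectedReceiverEmail = "seller@example.com";
    private const string ExpectedCurrency = "USD";
    private const decimal ExpectedAmount = 9.99m;

    // Placeholder idempotency store: PayPal can resend an IPN, so a txn_id must be
    // fulfilled at most once. Replace with a table in your database.
    private static readonly HashSet<string> ProcessedTransactions = new HashSet<string>();

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Step 1: read the POST body exactly as PayPal sent it; re-encoding or reordering
        // the fields would change the message and make PayPal answer INVALID.
        string rawBody;
        using (var reader = new StreamReader(context.Request.InputStream, Encoding.ASCII))
            rawBody = reader.ReadToEnd();

        // Always answer 200 so PayPal stops retrying; the decision is taken here, silently.
        context.Response.StatusCode = 200;

        // Step 2: verify. Anything other than VERIFIED (e.g. INVALID) is a forged, altered
        // or otherwise unusable message and must never trigger delivery.
        if (PostBackToPayPal(rawBody) != "VERIFIED")
            return;

        // Step 3: a genuine message is not yet a good payment. Check the business fields.
        var fields = HttpUtility.ParseQueryString(rawBody);
        string txnId = fields["txn_id"];
        decimal gross;
        bool amountOk = decimal.TryParse(fields["mc_gross"], NumberStyles.Number,
                                         CultureInfo.InvariantCulture, out gross)
                        && gross == ExpectedAmount;

        if (string.IsNullOrEmpty(txnId)
            || fields["payment_status"] != "Completed"              // not Pending, Refunded, Reversed...
            || !string.Equals(fields["receiver_email"], ExpectedReceiverEmail,
                              StringComparison.OrdinalIgnoreCase)   // paid to *your* account
            || fields["mc_currency"] != ExpectedCurrency
            || !amountOk)                                            // paid the full price
            return;

        // Step 4: deliver exactly once per transaction, even if PayPal sends the IPN twice.
        lock (ProcessedTransactions)
        {
            if (!ProcessedTransactions.Add(txnId))
                return; // duplicate notification for an already fulfilled payment
        }
        DeliverProduct(fields["payer_email"], fields["item_number"], txnId);
    }

    // Echo the message back to PayPal with cmd=_notify-validate prepended; PayPal
    // answers with the single word VERIFIED or INVALID.
    private static string PostBackToPayPal(string rawBody)
    {
        byte[] payload = Encoding.ASCII.GetBytes("cmd=_notify-validate&" + rawBody);
        var request = (HttpWebRequest)WebRequest.Create(PayPalEndpoint);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        using (Stream body = request.GetRequestStream())
            body.Write(payload, 0, payload.Length);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
            return reader.ReadToEnd().Trim();
    }

    // Placeholder (assumption) for your delivery logic: e-mail a download link,
    // activate a membership, and so on.
    private static void DeliverProduct(string payerEmail, string itemNumber, string txnId)
    {
    }
}
```

Register the handler in web.config (or map the .ashx) and use its URL as the button's notify_url. The order matters: the post-back proves the message came from PayPal, but a replayed IPN for a real payment made to somebody else's account would also come back VERIFIED, which is why receiver_email, payment_status and the amount are checked before anything is delivered.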
Step 1: Download PayPal's public certificate file (paypal_cert_pem.txt) from your PayPal profile.
Step 2: Generate your own key pair: a PKCS12 (*.p12) file holding your private key and certificate, and the matching public certificate file (*.pem), for example with OpenSSL.
Step 3: Upload the public certificate file (*.pem) from Step 2 to your profile in PayPal; PayPal assigns it a certificate ID that you will need when building encrypted buttons.
Place 'paypal_cert_pem.txt' (from Step 1) and your PKCS12 (*.p12) file (from Step 2) in the App_Data folder. App_Data is a secure place to store confidential files: ASP.NET never serves files from it, so they cannot be downloaded through the browser.
The following steps apply to the ASP.NET Web Forms framework. If you want to learn about usage within the ASP.NET MVC framework, please keep reading to the end of this page.
** If you are on shared hosting with a tight (partial-trust) security policy, you may get a SecurityException. This is a very rare case and we hope the problem no longer exists nowadays. But if you do face it, please ask your hosting provider to obtain and install the hot-fix from Microsoft described in this Microsoft KB article, or have them move your site to a machine that runs under Full Trust.
Where is this information saved?
Of course, your Encrypted Payment Button generation credentials are sensitive and you should never expose them to the public, and neither does this control. If you are using the Web Forms framework, please note that this control does not store the credentials in View State (which is sent to the browser); rather, they are saved in the ASPX markup. So you should set these credentials only in Design Mode. You can also set them at run time from the Page_Load event, but do not set them in a postback event (such as a Click event).
OK, what about generating the Encrypted button programmatically?
If you want to use this component in your ASP.NET MVC project, you may follow the snippet below.
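For the programmatic case, here is an added example of my own (not the control's API, which this page does not reproduce) that does what Steps 1 to 3 prepare: the button parameters are signed with your private key from the PKCS12 file (PKCS#7 SignedData) and then encrypted to PayPal's public certificate (PKCS#7 EnvelopedData), which gives the value PayPal expects in the 'encrypted' form field. It needs a reference to System.Security.dll and works from a Web Forms page or an MVC controller alike. The file names, the PKCS12 password, the certificate ID and the button values are assumptions you replace with your own; the certificate ID is the one PayPal assigns when you upload your public certificate in Step 3.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web.Hosting;

// Added example: building the "encrypted" value of a PayPal Website Payments button.
public static class EncryptedButton
{
    // Assumptions: your files in App_Data (see above) and the values PayPal gave you.
    private const string MerchantPkcs12Path = "~/App_Data/my_cert.p12";
    private const string MerchantPkcs12Password = "change-me";   // keep out of source control
    private const string PayPalCertPath = "~/App_Data/paypal_cert_pem.txt";
    private const string CertId = "YOUR_PAYPAL_CERT_ID";

    // Returns the string for <input type="hidden" name="encrypted" value="...">,
    // to be posted together with <input type="hidden" name="cmd" value="_s-xclick">.
    public static string Build(string business, string itemName, string itemNumber,
                               decimal amount, string currencyCode, string notifyUrl)
    {
        // The button parameters, one "name=value" per line. Because they are signed and
        // encrypted, a buyer cannot change the amount or item before submitting the form.
        string parameters = new StringBuilder()
            .Append("cmd=_xclick\n")
            .Append("business=").Append(business).Append('\n')
            .Append("cert_id=").Append(CertId).Append('\n')
            .Append("item_name=").Append(itemName).Append('\n')
            .Append("item_number=").Append(itemNumber).Append('\n')
            .Append("amount=").Append(amount.ToString("0.00", CultureInfo.InvariantCulture)).Append('\n')
            .Append("currency_code=").Append(currencyCode).Append('\n')
            .Append("notify_url=").Append(notifyUrl).Append('\n')
            .ToString();

        // Your key pair from Step 2. MachineKeySet avoids user-profile problems under IIS.
        var merchantCert = new X509Certificate2(
            HostingEnvironment.MapPath(MerchantPkcs12Path),
            MerchantPkcs12Password,
            X509KeyStorageFlags.MachineKeySet);

        // PayPal's public certificate from Step 1 (the PEM text file loads directly).
        var paypalCert = new X509Certificate2(HostingEnvironment.MapPath(PayPalCertPath));

        return SignAndEncrypt(parameters, merchantCert, paypalCert);
    }

    public static string SignAndEncrypt(string parameters,
                                        X509Certificate2 merchantCert,
                                        X509Certificate2 paypalCert)
    {
        // 1. Sign with your private key so PayPal can tell the button is really yours.
        var signedData = new SignedCms(new ContentInfo(Encoding.ASCII.GetBytes(parameters)), false);
        var signer = new CmsSigner(SubjectIdentifierType.IssuerAndSerialNumber, merchantCert)
        {
            IncludeOption = X509IncludeOption.EndCertOnly
        };
        signedData.ComputeSignature(signer, true);   // true = never show a UI prompt for the key

        // 2. Encrypt the signed blob to PayPal's public key so only PayPal can read it.
        var envelopedData = new EnvelopedCms(new ContentInfo(signedData.Encode()));
        envelopedData.Encrypt(new CmsRecipient(paypalCert));

        // 3. PayPal expects the PKCS#7 bytes as base64 between these markers.
        return "-----BEGIN PKCS7-----"
             + Convert.ToBase64String(envelopedData.Encode())
             + "-----END PKCS7-----";
    }
}
```

In Web Forms call Build(...) from Page_Load and put the result into a hidden field; in MVC pass it to the view (for example through the ViewBag) and emit the same two hidden inputs there. Load the two certificates once and cache them rather than reading the files on every request, and remember to enable "Block Non-Encrypted Website Payments" in your PayPal profile, otherwise the plain, editable parameters would still be accepted alongside the encrypted ones.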
Last updated on 4 July 2012, Wednesday, 11:55:38 PM