Securing Your Payment Buttons by Encryption

If you sell digital (non tangible) products / service / subscriptions / paid membership etc, then, it is more practical to deliver the product instantly (electronically) as soon as the customer made the payment. In order to automate the delivery process, you can use the IPN_Notified event of your PayPal button. But you need to protect the fraud attempts. Although using Encrypted Payment Button for protecting fraud is not highly necessary yet it is better. Before you decide to use Encrypted Payment option, please check the available options for protecting fraud attempts. If you use Encrypted Payment button and block Non-Encrypted Website Payments then, you can treat a Verified IPN message without any worry. Please note : I said, 'Verified IPN message'; that means, you must verify the IPN before you proceed to product delivery logic. There is no alternative to using following pattern no matter either you use Encrypted Payment button or not.

protecting FRaud_step 1

Anyway, there are 4 credentials needed in order to generate an Encrypted button using this control.

  1. PayPal public certificate file (paypal_cert_pem.txt).
  2. Your PKCS12 certificate (*.p12).
  3. Your PKCS12 certificate Password.
  4. A certificate ID received from PayPal when you uploaded your public certificate (*.pem) to your PayPal profile.

Don't have those credentials ? Don't worry at all. When you setup this product, a stand alone portable GUI tool is made available for you for Certificate generation. When you are using Web Form framework, you can generate your PKCS12 Certificate right from the control's design time smart tag GUI Wizard. Furthermore, the wizard will generate your public certificate file (*. pem) which you should upload to your PayPal profile in order to get your Certificate ID. Now, Lets get started.Step 1 : Download your public certificate file from PayPal.Step 2 : Generate your PKCS12 Certificate file and your public certificate file (*.pem).Step 3: Upload the generated public certificate file (*.pem) that you got in Step 2 to your profile in PayPal. Please place the 'paypal_cert_pem.txt' and your PKCS12 (*.p12) file in App_Data folder (the files you found in Step 2). App_Data folder is a secured place to store your confidential files which cannot be downloaded from the browser.The following steps are appropriate for the usage within ASP.NET Web Form framework. If you want to learn about the usage within ASP.NET MVC framework, please keep following up to the end of this page.

  1. Drag and Drop an instance of a BuyNow Button control.
  2. From the Smart tag, please check the check box for "Generate Encrypted Button", then a link for popping up the Wizard for EWP will be shown up as shown in the following screen shot.generate EWPQWizard Link
  3. Click the link "Settings and Automation Wizard for EWP". The wizard will pop up as shown here:ew PWizard
  4. Provide the credentials as shown in the screen shot and Click OK and you are done. Really you are done. Now, the BuyNow button will render encrypted data in HTML form.
  5. It is the best practice to block Non-Encrypted Website Payments in your PayPal profile after you generated Encrypted Payment Button.

** If you are on shared hosting with tight security, you may get a Security Exception. Although it is a very rare case and we hope, nowadays, this problem is not there anymore. But in case if you face this problem, please ask your hosting provider to obtain and install a hot-fix from Microsoft, as described in this Microsoft KB article, or have them move your site to a machine that runs under Full Trust.

Where are these information saved ?

Of course, your Encrypted Payment Button generation credentials are sensitive and you should never expose those credentials to public. Neither does this control. If you are using Web Form framework, please note, this control does not store the credentials in View State, rather these information is saved in the ASPX markup. So, you should set these credentials only in Design Mode. You can set in Run Mode from the Page_Load event, but do not set in a Post back event (Click event).

OK, what about generating the Encrypted button programmatically !

If you want to use this component in your ASP.NET MVC project, then, you may follow the following snippet.

use In MVC

Last updated on Nov 1, 2014