The PayPal IPN request-response mechanism lets you get notified by the PayPal server every time something happens around a payment transaction.
You can use IPN messages to automate back-office and administrative functions, such as fulfilling orders, tracking customers, or providing status and other transaction-related information. This also helps you maintain the integrity of payment status on your server.
The IPN message authentication protocol/mechanism consists of FOUR steps (source):
- PayPal HTTPS POSTs an IPN message to your listener that notifies it of an event.
- Your listener returns an empty HTTP 200 response to PayPal.
- Your listener HTTPS POSTs the complete, unaltered message back to PayPal; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
- PayPal sends a single word back – either
VERIFIED(if the message matches the original) or
INVALID(if the message does not match the original).
PayPal requires that you setup a SSL certificate on the website where you host your IPN handler.
Making a HTTPS POST requires the POST link to be called via https. This implies that the website whose link is being called has a SSL certificate setup for it.
Since in Step 1 itself it is mentioned that PayPal will always make HTTPS POST to your IPN handler URL, you will need to setup a SSL certificate for the mechanism not to fail.
If you use PayPal IPN mechanism then your website is a business/e-commerce website, and should be using a SSL certificate regardless of PayPal’s requirement.
Using https for your website gives you several benefits that far outweigh their low cost.