PayPal IPN Overview

Using PayPal IPN requires a SSL Certificate

PayPal Instant Payment Notification (IPN) is a request-response mechanism: PayPal's server sends a message to a listener URL on your site every time the state of a payment transaction changes.

You can use IPN messages to automate back-office and administrative functions, such as fulfilling orders, tracking customers, or providing status and other transaction-related information. This also helps you maintain the integrity of payment status on your server.

The IPN message authentication mechanism consists of FOUR steps (source: PayPal's IPN documentation):

  1. PayPal HTTPS POSTs an IPN message to your listener that notifies it of an event.
  2. Your listener returns an empty HTTP 200 response to PayPal.
  3. Your listener HTTPS POSTs the complete, unaltered message back to PayPal, prefixed with cmd=_notify-validate; the message must contain the same fields (in the same order) as the original message and be encoded in the same way as the original message.
  4. PayPal sends a single word back – either VERIFIED (if the message matches the original) or INVALID (if the message does not match the original). Note that VERIFIED only proves the message came from PayPal and was not altered; your listener must still check for itself that the payment went to your account, for the expected amount and currency, and that the transaction ID has not been processed before.
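The four steps above, carried through on the listener side, as an added example in Python that is not code from the original post or from PayPal. The postback URLs and the field names (receiver_email, mc_gross, mc_currency, payment_status, txn_id, invoice) are PayPal's; the expected-receiver check, the orders lookup, the processed-transaction set and the fake_paypal stand-in (used so the example runs offline) are assumptions made here to show what VERIFIED does and does not prove. The sample IPN body is constructed.

```python
import urllib.parse
import urllib.request

# PayPal's postback endpoints for step 3 (live and sandbox).
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
IPN_SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"


def build_postback(raw_body: bytes) -> bytes:
    """Step 3 payload: the raw body exactly as received (same fields, same
    order, same encoding), with PayPal's validation command prepended."""
    return b"cmd=_notify-validate&" + raw_body


def postback_over_https(raw_body: bytes, url: str = IPN_VERIFY_URL) -> str:
    """Real steps 3/4: HTTPS POST to PayPal and return its one-word reply.
    Needs network access; the offline demo below uses fake_paypal instead."""
    req = urllib.request.Request(
        url,
        data=build_postback(raw_body),
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "User-Agent": "python-ipn-listener"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("ascii", "replace").strip()


def fake_paypal(original_message: bytes):
    """Test double for PayPal's side of step 4 (assumed here, not PayPal code):
    answers VERIFIED only if the postback equals exactly what PayPal sent."""
    def verify(postback: bytes) -> str:
        return "VERIFIED" if postback == build_postback(original_message) else "INVALID"
    return verify


def parse_ipn(raw_body: bytes) -> dict:
    """Decode the form-encoded body for our own checks (the postback uses raw bytes)."""
    pairs = urllib.parse.parse_qs(raw_body.decode("utf-8"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}


def process_ipn(raw_body: bytes, verify, expected_receiver: str,
                orders: dict, processed_txns: set) -> str:
    """Steps 3-4, then the checks VERIFIED does not cover.

    verify            -- callable taking postback bytes, returning PayPal's reply
    expected_receiver -- PayPal account that should have been paid (assumed name)
    orders            -- invoice id -> (mc_gross, mc_currency) we expect (assumed shape)
    processed_txns    -- txn_ids already fulfilled, for replay protection
    """
    if verify(build_postback(raw_body)) != "VERIFIED":
        return "invalid"
    f = parse_ipn(raw_body)
    # VERIFIED proves PayPal sent this message unaltered; it says nothing about
    # whose account was paid, how much, or whether we have already seen it.
    if f.get("receiver_email", "").lower() != expected_receiver.lower():
        return "wrong_receiver"
    if f.get("payment_status") != "Completed":
        return "not_completed"
    expected = orders.get(f.get("invoice"))
    if expected is None:
        return "unknown_invoice"
    if (f.get("mc_gross"), f.get("mc_currency")) != expected:
        return "amount_mismatch"
    txn_id = f.get("txn_id", "")
    if txn_id in processed_txns:
        return "duplicate"
    processed_txns.add(txn_id)
    return "fulfilled"


# Constructed sample message in the shape PayPal POSTs (all values made up).
SAMPLE_IPN = (
    b"payment_status=Completed&receiver_email=seller%40example.com"
    b"&mc_gross=19.99&mc_currency=USD&invoice=INV-1001"
    b"&txn_id=7AB12345CD678901E&custom=order+ref"
)
ORDERS = {"INV-1001": ("19.99", "USD")}


if __name__ == "__main__":
    paypal = fake_paypal(SAMPLE_IPN)
    seen = set()
    print(process_ipn(SAMPLE_IPN, paypal, "seller@example.com", ORDERS, seen))  # fulfilled
    print(process_ipn(SAMPLE_IPN, paypal, "seller@example.com", ORDERS, seen))  # duplicate
    forged = SAMPLE_IPN.replace(b"mc_gross=19.99", b"mc_gross=0.01")
    print(process_ipn(forged, paypal, "seller@example.com", ORDERS, seen))      # invalid
```

In a real listener the HTTP 200 of step 2 is returned by your web framework before or while the postback runs, and `verify` would be `lambda _: postback_over_https(raw_body)`; the raw request body, not a re-serialised copy, is what gets posted back, which is why the functions above work on bytes until after PayPal has answered.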

PayPal requires that you set up an SSL certificate on the website where you host your IPN handler.

An HTTPS POST can only be made to a URL served over https, which means the website hosting that URL must have an SSL certificate installed and a working TLS configuration.

Since Step 1 states that PayPal makes an HTTPS POST to your IPN handler URL, you need to set up an SSL certificate for the mechanism not to fail.

If you use the PayPal IPN mechanism, your website is a business/e-commerce site and should be using an SSL certificate regardless of PayPal's requirement.

The benefits of serving your website over https far outweigh the low cost of a certificate.
