• Lesson Index:
• Overview
• PayPal
• Signing Up for PayPal
• Donate Button
• Sending Money Request
• Buying on eBay
• Signing Up for eBay
• eBay Messages
• Finding Items on eBay
• Bidding on Auctions
• Bidding Endgame
• Selling
• Auction
• Review Revise
• Checking Status
• Item Sold
• Money Request
• Done Deal
• Advanced Topic
• Encrypting PayPal Buttons

Encrypting PayPal Buttons

When you generate PayPal "Buy Now" or "Add to Cart" buttons, they are are not encrypted. That means that the price is visible in hidden fields when a "view-source" is performed on the browser. As described in this article, there are some drawbacks to this. There are three solutions to this problem.

1. Merchants should manual review each transaction.

2. Write custom code and use Instant Payment Notification (IPN)to dynamically validate the transaction before passing it to PayPal for review.

3. Or encrypt the button.

Here is a breif overview of how to use Encrptyed Website Payment (EWP). But the full instructions are in the Website Payment Standard Integration Manual starting on page 101 chapter 7.

1. Create your private key using ...

openssl genrsa -out my-prvkey.pem 1024

OpenSSL is a free tool you can get from http://www.openssl.org/ However, you need to compile this tool yourself. As an faster alternative, you can OpenSSL Windows Installer.

2. From your private key, derive your public key.

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem

3. Upload your public certificate to your PayPal Profile. Make note of the Certificate ID assigned.

4. Download PayPal public certificate from Profile -> Encrypted Payment setting.

5. Run PPEncrypt on Windows ...

PPEncrypt CertFile PrivKeyFile PPCertFile InputFile OutputFile

where you can get PPEncrypt.exe in the attachment found in this forum thread. The CertFile is your public certificate file.PrivKeyFile is your private key file. PPCertFile is the PayPal public Certificate file that you had downloaded. The inputfile is a quote string of comma separated name value pairs as in ...

"cert_id=Z24MFU6DSHBXQ, cmd=_xclick, [email protected],item_name=Handheld Computer
item_number=1234, custom=sc-id-789 ... "

where cert_id is the id noted in step 3.

Sometime following the integration manual's instruction of using an input file gives the error of "The email address for the business is not present in the encrypted blob".

The workaround is to use the quoted comma separated string instead (as described in the bottom of this thread).

6. Set your PayPal profile to not accept any non-encrypted transaction.

You can also write PHP to dynamically encrypt buttons as in the code by StellarWebSolutions.

If you need furthur assistance, you can ask the people in the PayPal Developer Community Forum.