Encrypted Website Payments
© 2007 Damon Williams
This tutorial—Encrypted Website Payments—is from Pro PayPal E-Commerce, by Damon Williams. Copyright © 2007 Damon Williams. All rights reserved. This article is reproduced by permission. This tutorial has been edited especially for C# Online.NET.
Encrypted Website Payments (EWP)
As you learned in Chapter 3, creating a standard PayPal payment button is relatively fast and easy to do. Just copy and paste some basic HTML and change a couple of variables, and you’re ready to go. You can put the code on your web server and start accepting online payments in a matter of minutes. However, this technique also comes with a certain amount of risk. Put simply, your HTML is out there in plain text for the whole world to see—and believe me, people (and spiders) are looking. A fraudster could examine your button code and find out things such as
- The email address of your PayPal account
- The URL a buyer is returned to after making a purchase
- Any custom fields you have defined
The fraudster could then utilize or alter this data to attack your business. For example, say your website sells digital content via a Buy Now button that offers a $25 package of downloadable training materials. You also have a script at your return_url that makes the file available for download after completion of a successful PayPal transaction. If your button is unencrypted, a fraudster could copy the code and modify the price from $25 to $.01. The fraudster could then complete a 1-cent transaction to your PayPal account, and if your script is not savvy enough to double-check the purchase price of a transaction, the fraudster has just easily bought your $25 product for a penny.
That is just one example of how leaving unencrypted button code on your website makes your site vulnerable to attack. In this chapter, we will discuss how you can prevent this type of attack by using a feature that PayPal has created to counteract this type of activity: Encrypted Website Payments, or EWP. When customers click a payment button that has been encrypted with EWP, they have the exact same checkout experience as if they had clicked an unencrypted button. The difference is in the added security that you provide your business when using encrypted buttons.
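The price double-check that the return script in the $25 example lacks can look like the following. This is an added example, not code from the book: the field names follow PayPal's standard IPN/PDT variables (`payment_status`, `receiver_email`, `item_number`, `mc_currency`, `mc_gross`), while the catalog, item number and seller address are constructed placeholders. It assumes the posted fields have already been confirmed with PayPal as genuine.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Added example: server-side check run before the download is released.
// Assumes the posted fields were already confirmed as genuine with PayPal.
public static class PurchaseValidator
{
    // Constructed catalog: item number -> price the seller actually charges.
    static readonly Dictionary<string, decimal> Catalog =
        new Dictionary<string, decimal> { { "TRAINING-PKG", 25.00m } };

    const string SellerEmail = "seller@example.com";   // placeholder account
    const string Currency = "USD";

    // Returns null when the payment matches the catalog, else the reason to refuse.
    public static string Check(IDictionary<string, string> f)
    {
        string status, receiver, item, gross, currency;
        if (!f.TryGetValue("payment_status", out status) || status != "Completed")
            return "payment not completed";
        if (!f.TryGetValue("receiver_email", out receiver) ||
            !string.Equals(receiver, SellerEmail, StringComparison.OrdinalIgnoreCase))
            return "paid to a different account";
        decimal expected;
        if (!f.TryGetValue("item_number", out item) || !Catalog.TryGetValue(item, out expected))
            return "unknown item";
        if (!f.TryGetValue("mc_currency", out currency) || currency != Currency)
            return "unexpected currency";
        decimal paid;
        if (!f.TryGetValue("mc_gross", out gross) ||
            !decimal.TryParse(gross, NumberStyles.Number, CultureInfo.InvariantCulture, out paid))
            return "missing or malformed amount";
        // Compare against the server-side price, never a price taken from the form.
        return paid == expected ? null : "amount " + gross + " does not match catalog price";
    }

    public static void Main()
    {
        // Constructed sample: the altered 1-cent button from the text.
        var posted = new Dictionary<string, string> {
            { "payment_status", "Completed" }, { "receiver_email", "seller@example.com" },
            { "item_number", "TRAINING-PKG" }, { "mc_currency", "USD" }, { "mc_gross", "0.01" } };
        Console.WriteLine(Check(posted) ?? "release download");
        posted["mc_gross"] = "25.00";   // the unmodified button's price
        Console.WriteLine(Check(posted) ?? "release download");
    }
}
```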
This chapter covers the various technologies and processes that make up EWP and discusses the following topics:
- Understanding how EWP works
- Generating the necessary public certificates and private keys
- Uploading certificate information to PayPal
- Performing the button encryption
- Blocking unencrypted website payments
After reading this chapter, you will have a good understanding of how to create encrypted payment buttons for your application.