PayPal Encryption

From NeuCart Documentation

PayPal Encryption refers to the ability to send shopping cart information to PayPal in an encrypted format. Encrypting the transmission makes it much harder for potential hackers and thieves to tamper with the cart details in transit and make illegally discounted purchases from your store. NeuCart strongly recommends that any store selling digital products always use PayPal Encryption.

Note: This article discusses methods for creating a secure system.
Note: This article discusses a technical topic that may not be intended for all readers.
Note: This article discusses configuration steps related to one or more third-party systems.

Background

When messages are sent across the internet — for example, your store sending PayPal a message that includes the details of a customer's shopping cart — they are sent either in plain text or encrypted. An encrypted message cannot be read by anyone who intercepts it on the way. An unencrypted message can be read by anyone who intercepts it, if they know where to look.

External Configuration

Like most of NeuCart's configuration, PayPal setup is fairly intuitive — check a box, enter text in a text box, etc. However, the steps for creating an encrypted payment environment are performed outside of your admin area and are somewhat more involved than most configuration. Unfortunately, even though PayPal can receive encrypted payments, PayPal does not offer a way to create the encryption certificates, so the steps involve another website altogether.

Steps to create encryption certificates:

  1. Visit this link to Stellar Web Solutions, fill out the form, and click "Create Certificate".
  2. From the next page, click "download" to obtain the Private Key and Public Certificate files you just created.
  3. Follow the steps on that page, under "To upload your public certificates to PayPal".
  4. While following the steps, you'll generate a "Cert ID" at PayPal. Copy this value and paste it into the "Certificate ID" field on the PayPal Prefs page.
  5. While at PayPal, after you've created the Cert ID, click the "download" button to generate a text file, which is named "paypal_cert_pem.txt".
  6. Now you have three files that you will need to upload to your server:
    • paypal_cert_pem.txt
    • your-prvkey.pem
    • your-pubcert.pem
  7. After uploading those files, enter the file names into the PayPal Prefs page in the appropriate fields.

Where do the files go?

One of the most common questions about this configuration is: where do I put the certificate files? The answer is that you may put them anywhere that NeuCart can find them.

The best answer
If your site uses cPanel or another modern web hosting control panel, you should be able to place your files outside of your web root (often public_html). This is ideal: since these files contain the keys to your encryption, you do not want visitors to be able to navigate to them. If you can upload files to such a location, create a folder parallel to your public_html folder and name it something like paypal_certs. Then, in PayPal Preferences, set the [Encrypted Files Location] field to "Full Path" and type the full path to each file in the appropriate field. On common cPanel hosts, the values would look like /home/yourUserName/paypal_certs/filename
An okay answer
If for some reason you only have access to files within your web root, the best you can do is rename the files or place them in a subdirectory with an obscure name; the goal is to prevent potential hackers from browsing to a file and obtaining its contents. Ideally, neither the folder nor the files themselves would be browseable. In this type of configuration, the [Encrypted Files Location] would be set to "Relative to store root", and the name of each file would be typed into the appropriate field. If your files are in a folder within your store, you would type someFolderName/filename.txt into the fields.
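The following script is an added example and is not NeuCart's own code. It mirrors the two [Encrypted Files Location] settings described above (a full path, or a path relative to the store root) and then checks each of the three files before its path is entered into PayPal Preferences: the file must exist, must not sit under the web root where a browser could reach it, must not be readable by group or other users, and must begin with the expected PEM header. It assumes the store root is the public_html web root and that the hosting account's home directory sits one level above it, as on a typical cPanel host; the file contents it creates are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not NeuCart's own code. Checks the three PEM files used for
# PayPal Encrypted Website Payments before their paths go into PayPal Preferences.
# Assumptions: the store root is the web root (public_html) and the hosting
# account's home directory is one level above it, as on a typical cPanel host.

# resolve_cert_path MODE STORE_ROOT VALUE
# Mirrors the two [Encrypted Files Location] settings: "full" treats VALUE as an
# absolute path; "relative" joins VALUE onto the store root.
resolve_cert_path() {
  mode=$1; store_root=$2; value=$3
  case "$mode" in
    full)     printf '%s\n' "$value" ;;
    relative) printf '%s/%s\n' "${store_root%/}" "$value" ;;
    *)        echo "unknown [Encrypted Files Location] mode: $mode" >&2; return 2 ;;
  esac
}

# check_cert_file PATH WEB_ROOT PEM_HEADER
# Succeeds only if PATH exists, is unreadable by group and others, is not under
# WEB_ROOT (so nobody can browse to it) and begins with PEM_HEADER.
check_cert_file() {
  path=$1; web_root=$2; header=$3
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  case "$path" in
    "${web_root%/}"/*) echo "inside web root, browseable: $path" >&2; return 1 ;;
  esac
  # Columns 5-10 of an ls -l line are the group and other permission bits.
  shared=$(ls -ld "$path" | cut -c5-10)
  [ "$shared" = "------" ] || { echo "readable by others ($shared): $path" >&2; return 1; }
  head -n 1 "$path" | grep -qF -- "$header" \
    || { echo "first line is not '$header': $path" >&2; return 1; }
}

# make_demo_tree: builds a constructed cPanel-style account directory with the
# recommended layout (paypal_certs beside public_html) plus one wrongly placed
# copy of the private key inside the web root, and prints the directory's path.
make_demo_tree() {
  acct=$(mktemp -d)
  mkdir -p "$acct/public_html/certs" "$acct/paypal_certs"
  # Constructed placeholder contents; real files hold base64 key material.
  printf -- '-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' \
    > "$acct/paypal_certs/your-prvkey.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
    > "$acct/paypal_certs/your-pubcert.pem"
  cp "$acct/paypal_certs/your-pubcert.pem" "$acct/paypal_certs/paypal_cert_pem.txt"
  cp "$acct/paypal_certs/your-prvkey.pem" "$acct/public_html/certs/your-prvkey.pem"
  chmod 600 "$acct/paypal_certs"/* "$acct/public_html/certs"/*
  printf '%s\n' "$acct"
}

# audit_demo: runs the checks against the constructed tree and reports each result.
audit_demo() {
  acct=$(make_demo_tree)
  web_root="$acct/public_html"
  for spec in \
    "full|$acct/paypal_certs/your-prvkey.pem|-----BEGIN RSA PRIVATE KEY-----" \
    "full|$acct/paypal_certs/your-pubcert.pem|-----BEGIN CERTIFICATE-----" \
    "full|$acct/paypal_certs/paypal_cert_pem.txt|-----BEGIN CERTIFICATE-----" \
    "relative|certs/your-prvkey.pem|-----BEGIN RSA PRIVATE KEY-----"
  do
    mode=${spec%%|*}; rest=${spec#*|}; value=${rest%%|*}; header=${rest#*|}
    path=$(resolve_cert_path "$mode" "$web_root" "$value")
    if check_cert_file "$path" "$web_root" "$header"; then echo "OK   $path"; else echo "FAIL $path"; fi
  done
  rm -rf "$acct"
}

audit_demo
```

The three "Full Path" files pass and the "Relative to store root" copy under public_html is reported as browseable. The private key is the file that matters most: PayPal trusts cart details signed with it as coming from your store, so anyone who can download it from your web root can produce the illegally discounted purchases this article warns about. The same permission rule is applied to all three files here only for simplicity; nothing but the store needs to read any of them.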

NeuCart Configuration

The External Configuration section above describes how the files are generated.

Within PayPal Preferences, the Encryption Settings section of the page includes all the relevant fields for sending encrypted transmissions. When [Use Encrypted Payments] is checked, the following fields are available for configuration:

Encrypted Files Location
In an ideal scenario, this field should be set to "Full Path". See above for more information.
Certificate ID
This field represents the "Cert ID" from the Website Payment Certificates page in PayPal.
PayPal Cert PEM Filename
This field represents the filename of the PayPal Certificate PEM file (paypal_cert_pem.txt, downloaded from PayPal in the steps above).
Your Private Key Filename
This field represents the filename of the file containing the Private Key.
Your Public Certificate Filename
This field represents the filename of the file containing the Public Certificate.

See also

PayPal
