Securing Your PayPal Payments Standard Buttons

Unprotected, non-encrypted buttons that are not saved in your PayPal account are in plain text in the HTML source of your webpages, where anyone can view and copy the button code. A malicious third party could copy the page, change button HTML variables such as the price, and submit a payment at the altered price. Nothing in a plain button binds its variables to you, so the values reach PayPal exactly as the third party submitted them.

Important: Merchants with significant payment volume are required to take precautions to secure their PayPal Payments Standard buttons.

PayPal provides the following strategies for securing PayPal Payments Standard buttons. Use one or more of the following security strategies to prevent and/or detect tampering with your buttons:

Strategy for securing buttons, and where to find it described:

  • Create protected buttons by using the button creation tools on the PayPal website. See Creating Protected Payment Buttons on the PayPal Website.
  • Save payment buttons that you create on the PayPal website in your PayPal account. See Saving Payment Buttons in Your PayPal Account.
  • Manually check the item amounts in each payment through the transaction history in your PayPal account before shipping. See Reconciling Payments Manually Through Transaction History.
    Note: You are required to reconcile your payments, especially if you have unprotected or non-encrypted buttons.
  • Automatically check the item amounts in each payment through Instant Payment Notification before shipping. See Reconciling Payments Through Instant Payment Notification.
    Note: You are required to reconcile your payments, especially if you have unprotected or non-encrypted buttons.
  • Edit your PayPal account profile to enable Encrypted Website Payments, and use a script together with the open-source OpenSSL libraries to encrypt your buttons dynamically when rendering your webpages. You must be comfortable programming in a scripting language such as PHP or ASP to use Encrypted Website Payments. See Protecting Payment Buttons by Using Encrypted Website Payments.
  • Edit your PayPal account profile to block unprotected and non-encrypted buttons, which adds extra security to your protected, saved, and encrypted buttons. See Blocking Unprotected and Non-encrypted Website Payments.

Creating Protected Payment Buttons on the PayPal Website

How Protected Payment Buttons Help Prevent Fraudulent Payments

Protected payment buttons help secure your payments because the HTML button code that PayPal generates and that you paste onto your webpages is encrypted. HTML button code that is protected with encryption cannot be altered by malicious third parties to create fraudulent payments.

You can protect the HTML button code that PayPal generates for any kind of payment button:

  • Buy Now buttons
  • Add to Cart buttons
  • Buy Gift Certificate buttons
  • Subscribe buttons
  • Automatic Billing buttons
  • Installment Plan buttons
  • Donate buttons
Note: PayPal cannot protect HTML button code for Add to Cart buttons with JavaScript disabled in your browser. In such cases, use an alternative strategy to secure your buttons. See Reconciling Payments Manually Through Transaction History, and Reconciling Payments Through Instant Payment Notification.

Using the Button Creation Tool to Create a Protected Payment Button

  1. Log in to your PayPal account at https://www.paypal.com.
    The My Account Overview page opens.
  2. Click the Profile subtab.
    The Profile Summary page opens.
  3. Under the Selling Preferences heading, click the My Saved Buttons link.
    The My Saved Buttons page opens.
  4. In the Related Items box on the right, click the Create new button link.
    The Create PayPal payment button page opens.
  5. In the Choose a button type menu, select the kind of button you want to create and protect.
  6. Enter details about your button.
  7. Click the Step 2 bar to expand that section of the button creation tool.
  8. Clear the Save button at PayPal checkbox.
    Note: If you save your buttons at PayPal, you do not need to protect them. The code that you add to your website for saved buttons contains no information that malicious third parties can alter to submit fraudulent payments.
  9. Do one of the following:
    • Click the Create Button button to generate the protected HTML code.
    • Click the Step 3 bar to customize your button with advanced features. Then click the Create Button button.

    The You've created your button page opens.
  10. Click the text box to select the generated, protected, HTML code, and then paste it onto the pages of your website.

Update the profile settings on your PayPal account to block non-encrypted website payments, as described in Blocking Unprotected and Non-encrypted Website Payments.

Creating a Protected Payment Button with JavaScript Disabled

  1. Log in to your PayPal account at https://www.paypal.com.
    The My Account Overview page opens.
  2. Click the Profile subtab.
    The Profile Summary page opens.
  3. Under the Selling Preferences heading, click the My Saved Buttons link.
    The My Saved Buttons page opens.
  4. In the Related Items box on the right, click the Create new button link.
    A message box opens.
  5. Under the Create button without JavaScript enabled heading, click an appropriate link:
    • Buy Now
    • Add to Cart
    • Donate
    • Subscribe
    • Gift Certificate
    Note: You cannot create Automatic Billing or Installment Plan buttons with JavaScript disabled in your browser.
  6. Enter details about your button, and then choose a button image.
  7. In the Security Settings section, select the Yes radio button to protect your button with encryption. This is the default setting.
  8. Do one of the following:
    • Click the Create Button Now button to generate the encrypted HTML code.
    • Click the Add More Options button to enter optional details about your button, and then click the Create Button Now button.
    Note: Some settings on the Add More Options page require that you change Security Settings to No. In such cases, you must use an alternative strategy to secure your buttons. See Reconciling Payments Manually Through Transaction History, and Reconciling Payments Through Instant Payment Notification.
  9. Click the HTML code for Websites text box to select all of the generated, protected, HTML code, then paste it onto the pages of your website.

Update the profile settings on your PayPal account to block unprotected website payments, as described in Blocking Unprotected and Non-encrypted Website Payments.

Saving Payment Buttons in Your PayPal Account

Saving your buttons in your PayPal account helps secure against fraudulent payments because the HTML button code that PayPal generates and that you paste onto your webpages does not contain pricing information. PayPal holds pricing information in your PayPal account, so malicious third parties cannot alter it and submit fraudulent payments.

You can save any kind of payment button in your PayPal Premier or Business account:

  • Buy Now buttons
  • Add to Cart buttons
  • Buy Gift Certificate buttons
  • Subscribe buttons
  • Automatic Billing buttons
  • Installment Plan buttons
  • Donate buttons
Note: You cannot save payment buttons in your PayPal account with JavaScript disabled in your browser or if you have a PayPal Personal account. In such cases, use an alternative strategy to secure your buttons. See Reconciling Payments Manually Through Transaction History, and Reconciling Payments Through Instant Payment Notification.

To save a payment button in your PayPal account:

  1. Log in to your PayPal account at https://www.paypal.com.
    The My Account Overview page opens.
  2. Click the Profile subtab.
    The Profile Summary page opens.
  3. Under the Selling Preferences heading, click the My Saved Buttons link.
    The My Saved Buttons page opens.
  4. In the Related Items box on the right, click the Create new button link.
    The Create PayPal payment button page opens.
  5. In the Choose a button type menu, select the kind of button you want to create and protect.
  6. Enter the details for your button, using the Step 1, Step 2, and Step 3 sections of the tool.
    Make sure you select the Save button at PayPal checkbox at the top of the Step 2 section. It is selected by default.
  7. Click the Create Button button to save the details of your payment button in your PayPal account and to generate the small portion of code that you copy and paste onto your webpages.

Update the profile settings on your PayPal account to block non-encrypted website payments, as described in Blocking Unprotected and Non-encrypted Website Payments.

Reconciling Payments Manually Through Transaction History

If you process a small number of transactions, reconcile your payments manually through your transaction history and the reporting tools provided by PayPal. You are required to reconcile your payments, especially if you have unprotected or non-encrypted buttons.

To reconcile payments manually through your transaction history:

  1. Log in to your PayPal Premier account or Business account.
  2. In the My Account tab, click the History subtab.
  3. In the Show dropdown menu, select "Payments Received".
  4. Specify a time frame for the payments you want to verify.
  5. Click the Search button.
  6. For each payment that was found, verify that the item amounts, tax, shipping, and currency match what you charge for those items. Compare against your own price list, not against the values on the webpage, and do not ship an order whose amounts differ.

For detailed instructions on using the History subtab, see the Merchant Setup and Administration Guide.

Reconciling Payments Through Instant Payment Notification

If you process a large number of transactions, reconcile your payments automatically through Instant Payment Notification by verifying, before you ship, that the amounts in each notification match the amounts that you charge. You are required to reconcile your payments, especially if you have unprotected or non-encrypted buttons.

With Instant Payment Notification, PayPal sends an HTTP POST to a listener URL on your server when someone pays you. You specify the listener URL in your PayPal account profile. Each message is a set of form-encoded name-value pairs that describe the payment, such as the payer's e-mail address, the transaction ID (txn_id), the payment status, the currency, and the amounts charged for each item. Your listener must not trust a notification as received, because anyone can POST to the listener URL: post the complete message back to PayPal, unchanged and prefixed with cmd=_notify-validate, and act on it only if PayPal answers VERIFIED. Then confirm that payment_status is Completed, that receiver_email is your account's e-mail address, that you have not already processed that txn_id, and that the amounts and currency match your own price list rather than the values that arrived with the payment.

To learn more about Instant Payment Notification, see the Instant Payment Notification Guide.
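The checks described above, as an added example written for this page rather than PayPal's own listener code. The price list, the sample IPN bodies and the txn_id store are constructed here; the post-back handshake (cmd=_notify-validate answered by VERIFIED or INVALID) and the IPN variable names are PayPal's. The reconcile() function takes the raw POST body and a verifier callable so that the post-back can be stubbed out when running offline:

```python
"""Added example: an Instant Payment Notification (IPN) reconciliation check.

Illustrative code written for this page, not PayPal's own listener. The price
list, the IPN bodies and the txn_id store are constructed; the post-back
handshake (cmd=_notify-validate, answer VERIFIED or INVALID) and the variable
names are PayPal's. Wire reconcile() into whatever web framework serves your
listener URL, passing it the raw POST body."""
from decimal import Decimal
from urllib.parse import parse_qsl
from urllib.request import Request, urlopen

# Constructed price list keyed by item_number: what the merchant actually charges.
# Values mirror the sample input file shown later on this page.
CATALOG = {
    "1234": {"amount": Decimal("500.00"), "tax": Decimal("41.25"),
             "shipping": Decimal("20.00"), "currency": "USD"},
}
RECEIVER_EMAIL = "sales@company.com"
VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # sandbox: ipnpb.sandbox.paypal.com


def paypal_verify(raw_body: bytes) -> str:
    """Post the untouched body back to PayPal, prefixed with cmd=_notify-validate.
    PayPal replies VERIFIED or INVALID. Needs network access; the test stubs it."""
    req = Request(VERIFY_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "User-Agent": "example-ipn-listener/1.0"})
    with urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()


def reconcile(raw_body: bytes, verify=paypal_verify, seen_txn_ids=None):
    """Return (accepted, reason). Ship only when accepted is True."""
    if seen_txn_ids is None:
        seen_txn_ids = set()
    # 1. Authenticity: anyone can POST to the listener URL, so PayPal must confirm the message.
    if verify(raw_body) != "VERIFIED":
        return False, "post-back did not return VERIFIED"
    ipn = dict(parse_qsl(raw_body.decode("utf-8", "replace"), keep_blank_values=True))
    # 2. Only completed payments are money in hand (not Pending, Refunded, Reversed, ...).
    if ipn.get("payment_status") != "Completed":
        return False, f"payment_status is {ipn.get('payment_status')!r}"
    # 3. The money must have gone to this account, not to a business= value someone swapped in.
    if ipn.get("receiver_email", "").lower() != RECEIVER_EMAIL.lower():
        return False, "receiver_email does not match"
    # 4. Replay: PayPal may resend a notification; each txn_id is fulfilled once.
    txn_id = ipn.get("txn_id", "")
    if not txn_id or txn_id in seen_txn_ids:
        return False, "missing or already-processed txn_id"
    # 5. Price: compare with the merchant's catalog, never with values that came from the page.
    item = CATALOG.get(ipn.get("item_number", ""))
    if item is None:
        return False, "unknown item_number"
    if ipn.get("mc_currency") != item["currency"]:
        return False, "currency mismatch"
    try:
        quantity = int(ipn.get("quantity", "1"))
        paid = Decimal(ipn["mc_gross"])
        tax, shipping = Decimal(ipn.get("tax", "0")), Decimal(ipn.get("mc_shipping", "0"))
    except (KeyError, ValueError, ArithmeticError):
        return False, "missing or malformed amount fields"
    expected = item["amount"] * quantity + item["tax"] + item["shipping"]
    if quantity < 1 or paid != expected or tax != item["tax"] or shipping != item["shipping"]:
        return False, f"paid {paid} {item['currency']}, expected {expected}"
    seen_txn_ids.add(txn_id)
    return True, f"txn {txn_id}: item {ipn['item_number']} x{quantity} for {paid} {item['currency']}"


# Constructed IPN bodies: PayPal's variable names, made-up values.
GOOD_IPN = (b"mc_gross=561.25&mc_currency=USD&txn_id=9XY12345AB6789012&payment_status=Completed"
            b"&receiver_email=sales%40company.com&item_number=1234&item_name=Handheld+Computer"
            b"&quantity=1&tax=41.25&mc_shipping=20.00&custom=sc-id-789&payer_email=buyer%40example.com")
# Same order after the buyer edited amount=500.00 to amount=1.00 in a plain-text button.
TAMPERED_IPN = GOOD_IPN.replace(b"mc_gross=561.25", b"mc_gross=62.25")

if __name__ == "__main__":
    stub = lambda body: "VERIFIED"   # stand-in for paypal_verify when running offline
    print(reconcile(GOOD_IPN, verify=stub))       # (True, 'txn 9XY12345AB6789012: item 1234 x1 for 561.25 USD')
    print(reconcile(TAMPERED_IPN, verify=stub))   # (False, 'paid 62.25 USD, expected 561.25')
```

The order of the checks matters: the post-back comes first so that nothing in an unverified body is parsed or logged as trustworthy, and the txn_id is recorded only after every other check passes, so a rejected notification can be retried once the cause is fixed. In production the seen_txn_ids set would be a database table, and the listener should answer PayPal with HTTP 200 quickly and do the fulfilment work afterwards.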

Protecting Payment Buttons by Using Encrypted Website Payments

How Encrypted Website Payments Helps Prevent Fraudulent Payments

Using Encrypted Website Payments helps secure payment buttons that you generate or write manually. Encrypted Website Payments protects the HTML button code that contains pricing information by encrypting it. HTML button code that you protect by using Encrypted Website Payments cannot be altered by malicious third parties to create fraudulent payments.

Encrypted Website Payments relies on standard public key cryptography for protection. With your own key pair and the PayPal public certificate, you can dynamically generate the HTML variables for a payment button, sign them, and encrypt them before you render the button on your website. The following table shows the sequence of actions for a payment button protected by Encrypted Website Payments.

Table 1. How Encrypted Website Payments Works

Website actions:
  1. Generate a private key and public certificate for the website, upload the public certificate to PayPal, and download the PayPal public certificate to the website.
    Note: Do this only once, when you first integrate PayPal Payments Standard with your website.
  2. Generate the HTML variables for a payment button.
  3. Sign the generated variables with the website's private key, and then encrypt the signed data with the PayPal public certificate.
  4. Publish the signed, encrypted button code on the website.

Payer actions:
  5. Click the published PayPal payment button.

PayPal actions:
  6. Decrypt the button code with the PayPal private key.
  7. Check the authenticity of the decrypted data with the website's public certificate, which was previously uploaded to PayPal.
  8. Redirect the payer's browser to the appropriate PayPal checkout experience, as specified in the HTML variables of the decrypted button code.

Public Key Encryption Used by Encrypted Website Payments

Encrypted Website Payments uses public key encryption, or asymmetric cryptography, in which each party has a key pair: a public key that it gives to others and a private key that it never shares. The fundamental aspects of public key encryption are:

  • Public keys – A party creates a public key and gives it to anyone who needs to encrypt information for that party or to verify that party's signatures. A public certificate comprises a public key and identity information, such as the subject that owns the key and an expiry date. A certificate can be signed by a certificate authority, which vouches that the certificate and its public key belong to the named entity, or it can be self-signed; a self-signed certificate is sufficient for Encrypted Website Payments because you upload it to your PayPal account yourself.

    You and PayPal exchange each other's public certificates.

  • Private keys – Each party creates its own private key and keeps it to itself. Anyone who obtains your private key can sign button code as you.

    You create a private key and keep it on your system, outside any web-accessible directory. PayPal keeps its private key on its system.

  • The encryption process – A sender encrypts information with the receiver's public key, so that only the holder of the matching private key can decrypt it, and signs the information with its own private key, so that the receiver can verify with the sender's public certificate who sent it and that it was not altered in transit.

    You sign your HTML button variables with your private key and encrypt the result with PayPal's public certificate. After a payer clicks a button, PayPal decrypts the button code with its private key and verifies your signature with the public certificate that you uploaded.

Setting Up Certificates Before Using Encrypted Website Payments

Do the following before you use Encrypted Website Payments to protect your payment buttons:

  • Generate your private key.
  • Generate your public certificate.
  • Upload your public certificate to your PayPal account.
  • Download the PayPal public certificate from the PayPal website.

PayPal accepts only X.509 public certificates, not bare public keys. A bare public key can be used for encryption and signature verification but contains no information identifying who provided the key. A public certificate includes a public key along with information about the key, such as when the key expires and who owns it. PayPal accepts certificates in OpenSSL PEM format, whether self-signed or issued by an established certificate authority such as VeriSign.

You can generate your own private key and a self-signed public certificate using open-source software such as OpenSSL (https://www.openssl.org), as described in the following sections.

Generating Your Private Key Using OpenSSL

Using the openssl program, enter the following command to generate your private key. The command generates a 2048-bit RSA private key and stores it in the file my-prvkey.pem. Do not use 1024-bit keys: 1024-bit RSA is below current minimum key-size recommendations.

openssl genrsa -out my-prvkey.pem 2048

Restrict the permissions on my-prvkey.pem to the account that runs your encryption script, and never place the file in a directory that your web server serves.

Generating Your Public Certificate Using OpenSSL

The public certificate must be in PEM format. To generate a self-signed certificate from your private key, enter the following openssl command, which writes the certificate to the file my-pubcert.pem. Answer the prompts with your organization's details; the subject name you enter is recorded in the certificate:

openssl req -new -key my-prvkey.pem -x509 -days 365 -out my-pubcert.pem

The certificate is valid for the number of days given by -days. Track the expiry date so that you can generate and upload a replacement certificate in time; buttons encrypted with the old certificate ID must be regenerated once you remove that certificate (see Removing Your Public Certificate).

Uploading Your Public Certificate to Your PayPal Account

To upload your public certificate to your PayPal account:

  1. Log in to your PayPal Business or Premier account.
  2. Click the Profile subtab.
  3. In the Selling Preferences column, click the Encrypted Payment Settings link.
    The Website Payment Certificates page appears.
  4. Scroll down the page to the Your Public Certificates section, and click the Add button.
    The Add Certificate page appears.
  5. Click the Browse button, and select the public certificate that you want to upload to PayPal from your local computer.
    Note: The file you upload must be in PEM format.
  6. Click the Add button.
    After your public certificate uploads successfully, it appears in the Your Public Certificates section of the Website Payment Certificates page.
  7. Note the certificate ID that PayPal assigned to your public certificate, and keep it with your button-generation files.

    You need the certificate ID that PayPal assigned as the value of the cert_id variable when you encrypt payment buttons with the Encrypted Website Payments software provided by PayPal. The ID tells PayPal which of your uploaded certificates to use when verifying a button's signature. It is not a secret, unlike your private key, which you must never upload or publish.

Downloading the PayPal Public Certificate From the PayPal Website

To download the PayPal public certificate:

  1. Log in to your PayPal Premier account or Business account.
  2. Click the Profile subtab.
  3. In the Selling Preferences column, click the Encrypted Payment Settings link.
  4. Scroll down the page to the PayPal Public Certificate section.
  5. Click the Download button, and save the file in a secure location on your local computer.

Removing Your Public Certificate

Important: If you remove your public certificate, its associated certificate ID is no longer valid for encrypting buttons, and any buttons that you generated or wrote manually for your website that use the ID will no longer function. Regenerate those buttons with a current certificate ID before you remove the old certificate.

To remove one or more of your public certificates:

  1. Log in to your PayPal Premier account or Business account.
  2. Click the Profile subtab.
  3. In the Selling Preferences column, click the Encrypted Payment Settings link.
  4. Scroll down the page to the Your Public Certificates section.
  5. Select the radio button next to the certificate you want to remove, and click the Remove button.

    The Remove Certificate page appears.

  6. Click the Remove button to confirm the removal of the public certificate that you selected.

Using Encrypted Website Payments to Protect Your Payment Buttons

Encrypted Website Payments includes Java and Microsoft Windows software to protect the payment buttons that you generate or write manually. Download the software from the following location after logging in to PayPal: https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/ewp-code

After you download and extract the software, copy your private key, your public certificate, your PKCS#12 file, and the PayPal public certificate to the folder where the software is located. The PKCS#12 file, used only by the Java tool, bundles your private key and public certificate in one passphrase-protected file; you can create it with openssl pkcs12 -export. Keep this folder, and especially the private key and PKCS#12 file, outside any directory that your web server serves.

  1. Prepare an input file of PayPal Payments Standard variables and values for each encrypted button that you want to generate. Each variable and value must be on a separate line, as in the following example.
    Note: The cert_id variable identifies the public certificate you uploaded to PayPal website.
    cert_id=Z24MFU6DSHBXQ
    cmd=_xclick
    business=sales@company.com
    item_name=Handheld Computer
    item_number=1234
    custom=sc-id-789
    amount=500.00
    currency_code=USD
    tax=41.25
    shipping=20.00
    address_override=1
    address1=123 Main St
    city=Austin
    state=TX
    zip=94085
    country=US
    no_note=1
    cancel_return=http://www.company.com/cancel.htm
    
  2. Run the encryption software using the appropriate syntax, as shown in the Command Line Syntax for PayPal Encrypted Website Payments Software table.

    Table 2. Command Line Syntax for PayPal Encrypted Website Payments Software

    Java:
      java ButtonEncryption CertFile PKCS12File PPCertFile Password InputFile OutputFile [Sandbox]

    Microsoft Windows:
      PPEncrypt CertFile PrivKeyFile PPCertFile InputFile OutputFile [Sandbox]

    where:

    Table 3. Arguments for Running Encrypted Website Payments Software

    CertFile     The pathname to your own public certificate
    PKCS12File   The pathname to the PKCS#12 file that bundles your private key and public certificate (Java only)
    PrivKeyFile  The pathname to your private key in PEM format (Windows only)
    PPCertFile   The pathname to a copy of the PayPal public certificate
    Password     The passphrase that protects your PKCS#12 file (Java only)
    InputFile    The pathname to the file containing the non-encrypted Website Payments HTML form variables
    OutputFile   A file name for the encrypted output
    [Sandbox]    The optional word Sandbox, which produces buttons for testing in the PayPal Sandbox

    Note: Because Password is passed on the command line, it can appear in your shell history and in the process list while the tool runs. Run the tool on a machine that other users cannot access, and clear the history afterwards.
  3. Copy the encrypted code from OutputFile into the HTML of your webpage. Do not publish InputFile: it contains the plain-text variables that the encryption is meant to hide.
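The whole flow from Table 1 and from the steps above, as an added example written for this page. It is not PayPal's ButtonEncryption or PPEncrypt tool; it drives the openssl command line from Python, which must be installed, and performs the same sign-then-encrypt operation on the sample input file shown above, including the PKCS#12 bundle the Java tool needs. The "PayPal" key pair is a constructed stand-in so that the receiving side (decrypt, then verify the merchant signature) can run offline; with the real service you encrypt to the PayPal public certificate downloaded from your account, and PayPal performs the decrypt and verify steps. The form field names cmd=_s-xclick and encrypted are PayPal's encrypted-button format, not shown elsewhere on this page; 3DES as the envelope cipher is an assumption taken from commonly circulated EWP samples.

```python
"""Added example (written for this page, not PayPal's ButtonEncryption/PPEncrypt
tool): the Encrypted Website Payments pipeline driven from Python with the
openssl command line. The "PayPal" key pair is a constructed stand-in so that
the receiving side can run offline."""
import subprocess
import tempfile
from pathlib import Path

# The page's sample input file as a dict (cert_id is the page's example value).
BUTTON_VARIABLES = {
    "cert_id": "Z24MFU6DSHBXQ", "cmd": "_xclick", "business": "sales@company.com",
    "item_name": "Handheld Computer", "item_number": "1234", "custom": "sc-id-789",
    "amount": "500.00", "currency_code": "USD", "tax": "41.25", "shipping": "20.00",
    "no_note": "1", "cancel_return": "http://www.company.com/cancel.htm",
}


def openssl(*args):
    """Run one openssl command; raises CalledProcessError on any failure."""
    subprocess.run(["openssl", *map(str, args)], check=True, capture_output=True)


def make_self_signed(prv, cert, cn, bits=2048):
    """Private key plus self-signed X.509 certificate in PEM, as on this page (2048-bit, not 1024)."""
    openssl("genrsa", "-out", prv, bits)
    openssl("req", "-new", "-key", prv, "-x509", "-days", "365", "-subj", f"/CN={cn}", "-out", cert)


def make_pkcs12(prv, cert, p12, password):
    """The PKCS#12 bundle that the Java ButtonEncryption tool takes as PKCS12File/Password."""
    openssl("pkcs12", "-export", "-in", cert, "-inkey", prv, "-out", p12, "-passout", f"pass:{password}")


def encrypt_button(variables, merchant_cert, merchant_prv, paypal_cert, work):
    """Sign the variables with the merchant key (PKCS#7 signedData), then encrypt the signed
    blob to the PayPal certificate (PKCS#7 envelopedData). Returns the PEM text that goes
    into the 'encrypted' form field. 3DES is an assumption (cipher used by common samples)."""
    plain, signed, enc = Path(work, "button.txt"), Path(work, "signed.der"), Path(work, "encrypted.pem")
    plain.write_text("".join(f"{k}={v}\n" for k, v in variables.items()))
    openssl("smime", "-sign", "-binary", "-nodetach", "-in", plain, "-signer", merchant_cert,
            "-inkey", merchant_prv, "-outform", "der", "-out", signed)
    openssl("smime", "-encrypt", "-des3", "-binary", "-in", signed, "-outform", "pem",
            "-out", enc, paypal_cert)
    return enc.read_text()


def render_form(encrypted_pem, action="https://www.paypal.com/cgi-bin/webscr"):
    """An encrypted button posts cmd=_s-xclick plus the single 'encrypted' field; no price is visible."""
    return (f'<form action="{action}" method="post">\n'
            '  <input type="hidden" name="cmd" value="_s-xclick">\n'
            f'  <input type="hidden" name="encrypted" value="{encrypted_pem.strip()}">\n'
            '  <input type="submit" value="Buy Now">\n</form>\n')


def decrypt_button(encrypted_pem, paypal_cert, paypal_prv, merchant_cert, work):
    """Receiver side: decrypt with the recipient private key, then verify the signature against
    the merchant certificate on file (the one uploaded to the account). Returns the variables."""
    enc, signed, out = Path(work, "in.pem"), Path(work, "signed_out.der"), Path(work, "button_out.txt")
    enc.write_text(encrypted_pem)
    openssl("smime", "-decrypt", "-inform", "pem", "-in", enc, "-recip", paypal_cert,
            "-inkey", paypal_prv, "-out", signed)
    openssl("smime", "-verify", "-inform", "der", "-in", signed, "-CAfile", merchant_cert, "-out", out)
    return dict(line.split("=", 1) for line in out.read_text().splitlines() if "=" in line)


def demo():
    """Whole flow in a scratch directory; returns the artefacts for inspection."""
    with tempfile.TemporaryDirectory() as work:
        m_prv, m_cert = Path(work, "my-prvkey.pem"), Path(work, "my-pubcert.pem")
        m_p12 = Path(work, "my-certs.p12")
        p_prv, p_cert = Path(work, "paypal-prvkey.pem"), Path(work, "paypal_cert_pem.txt")
        make_self_signed(m_prv, m_cert, "www.company.com")          # one-time merchant setup
        make_pkcs12(m_prv, m_cert, m_p12, "changeit")
        make_self_signed(p_prv, p_cert, "stand-in for PayPal")      # constructed, offline only
        encrypted = encrypt_button(BUTTON_VARIABLES, m_cert, m_prv, p_cert, work)
        recovered = decrypt_button(encrypted, p_cert, p_prv, m_cert, work)
        return {"encrypted": encrypted, "form": render_form(encrypted),
                "recovered": recovered, "p12_bytes": m_p12.stat().st_size}


if __name__ == "__main__":
    result = demo()
    print(result["form"])
    print("recovered amount:", result["recovered"]["amount"])
```

Two properties are worth checking on the output: the PEM in the form contains no plain-text variable (no "amount=" survives), and the receiver recovers exactly the variables that were signed, so any bit flipped in the published value fails either the decryption or the signature check instead of changing the price. The same functions can run per request to encrypt buttons dynamically, as the Encrypted Website Payments strategy describes.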

Blocking Unprotected and Non-encrypted Website Payments

For extra security of your protected and encrypted buttons, update your PayPal account profile to block unprotected and non-encrypted payments. Encrypting or protecting your own buttons does not by itself stop a third party from submitting a plain, unencrypted button that names your business e-mail address with an altered price; blocking non-encrypted payments closes that path, so that PayPal accepts only payments from buttons that carry your signature or are saved in your account.

To block payments from unprotected and non-encrypted PayPal Payments Standard buttons:

  1. Log in to your PayPal Premier account or Business account.
  2. Click the Profile subtab.
  3. In the Selling Preferences column, click the Website Payment Preferences link.
  4. Scroll down to the Encrypted Website Payments section.
  5. Next to the Block Non-encrypted Website Payment label, select the On radio button.
  6. Scroll to the bottom of the page, and click the Save button.