[ic] RE: PayPal working with IC (changed to whhhhyyyy won't you make a PayPal mod)?

[Jason Kohles]

On Thu, 2002-02-21 at 18:16, Julia Jacobs wrote:
> On 2/21/02 5:02 PM, "Jason Kohles" <jkohles@redhat.com> wrote:
> 
> JK>If they are willing to do that, why not just ask them for the username
> JK>and password of their banks webpage, then transfer the money directly
> JK>from their account.  The big difference here is that with their paypal
> JK>username and password, you can EASILY drain the contents of any of their
> JK>linked bank accounts, charge all their credit cards up to the limit,
> JK>compile a list of everyone they had ever sent or received money from,
> JK>get their auction site usernames and passwords, and generally wreaked
> JK>havoc. 
> 
> I really don't get this.  I can store customers credit card numbers in my
> userdb with a standard non secure catalog foundation demo install, but you
> wont implement a secure PayPal integration even when a PayPal rep has
> specifically agreed to work with a Red Hat developer.  None of your
> arguments make sense in light of this fact.  Also considering PayPal already
> works seamlessly with these commercial shopping carts:
> 
The default Interchange install will not store credit card numbers in
the userdb, you have to modify it to do that.  I didn't say that PayPal
couldn't be integrated into Interchange, I said it would take some work,
primarily because Interchange is far more powerful (and complex) than
most of the shopping cart software that already supports paypal.  I also
didn't refuse to integrate, I just pointed out that your 'easier'
integration method was fundamentally flawed.


> JK>You could always just make your payment page a simple page that says 'to
> JK>complete transaction send $amount dollars in cash to the following
> JK>address', it would be much safer for everyone.  Also keep in mind this
> JK>section of the paypal terms of use:
> 
> JK>"* Passwords. You may not reveal your account password(s) to anyone
> JK>else, nor may you use anyone else's password. PayPal is not responsible
> JK>for losses incurred by Users as the result of their misuse of
> JK>passwords."
> 
> JK>So implementing this would just lead to you losing your PayPal account.
> 
> How are you revealing your account password by entering it into the form
> which after you press the button immediately gets transferred to PayPal?
> How is that different than entering it into PayPal's form?  Again, why would
> a PayPal rep want to work with you or why would this information be
> available to developers to implement into their shopping carts or why would
> these other commercial shopping carts use this method if it was "against
> PayPal policy"
> 
I was under the impression that were suggesting that the person enter
their username and password which would then get passed to Interchange,
and have Interchange submit it as part of a transaction.  Since you seem
to instead be asking why we can't just plugin the paypal system the way
they provide it, I will appologize for misunderstanding, and explain the
real problem  =).  The main problem is that you have to leave
Interchange in order to complete the payment, which means Interchange
has to enter your order in the order database, and then send you off to
paypal, which leaves it up to the merchant to check paypal and determine
if you actually paid after you left the site before shipping your order.
The easiest idea I had to integrate this was to have Interchange enter
the order with a flag in the order table indicating that the order had
not been finalized yet, and then to toggle the flag once paypal posted
the payment information back to you and Interchange verified that the
payment was authentic.  This is the structure I have worked on
implementing, but as I mentioned, the real answer to 'whhhhyyyy won't
you make a PayPal mod' is 'if you want it free, you get it whenever it
happens to be done, if you want it now, you should hire someone to build
it for you'


> JK>It's the merchant who I would not trust with this information.  If you
> JK>were having dinner in a restaurant and gave the waiter a credit card,
> JK>and he told you the only way they take credit cards is if you give him
> JK>the card and your pin number so he can run across the street and use the
> JK>atm to withdraw the amount of your check from your account, would you
> JK>give the waiter your pin number?  Of course you wouldn't, but this is
> JK>exactly what you are suggesting here, with the difference being that
> JK>someone who has your paypal username and password may have access to
> JK>more than one credit card/bank account.
> 
> Yet you trust merchants with a system that allows them to store customer
> credit card numbers through a non secure checkout form.  Again, I do not
> follow your logic here.  Then again I am not an Interchange developer.
> Perhaps you folk have a special brand of logic that my limited imagination
> does not allow me to comprehend.
> 
I'm not sure who you mean here when you say 'you', but I emphatically do
not trust merchants with anything if their checkout form is not secure. 
If you are referring to the fact that you can setup Interchange on a
non-secure web server, there is not a lot that we can do about that, but
if you think that behavior is flawed, you should file a bug report. 
 
-- 
Jason Kohles                                 jkohles@redhat.com
Senior System Architect
Red Hat Professional Consulting              http://www.redhat.com/