petekuhn wrote: Here's the first PayPal merchant tech support response to my question about why use item name match checking for fraud prevention:
"Are you saying that Joomla is implementing some sort of fraud protection on their end which checks the item name? And what are they checking it against?
"Any fraud system they are implementing is on their end. I am not sure why they would be doing an item name check from PayPal's point of view.
"Sincerely,
"Colin
"Global Technical Support
"PayPal"
I guess PayPal should check their own instructions: checking destination, price, currency, and item bought have been standard PayPal guidelines for over 10 years, e.g.:
developer.paypal.com/docs/classic/ipn/ht_ipn/
"Verify the item description and transaction costs with those listed on your website and catalog."
www.paypal.com/en/cgi-bin/webscr?cmd=p/acc/ipn-info-outside
"Check other transaction details such as the item number and price to confirm that the price has not been changed"
If a cart does not verify the item description, a rogue user could tamper with it and then accuse you of having given a cheaper plan instead of the one they bought, showing their PayPal description. In your case, without checking the description, a rogue user could select to buy your cheapest plan, then tamper the description to the most expensive premium plan, pay at PayPal and then come back and say "I bought premium plan", see my PayPal invoice, and get you into administrative or legal trouble.
Also for your accounting and auditing, it's important that in your PayPal reports the items bought appear instead of "Shopping cart", so that you can more easily audit your accounts and reconcile your records.
So it's still a severe PayPal bug.
I'm still looking to add a safe enough workaround to this paypal.com bug, and it should be in the next nightly.
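
The checks named in the post above (destination, price, currency, item bought), as an added example that is not part of the original post or of any cart's own code. The field names are PayPal's standard IPN variables; `CATALOG`, `MERCHANT_EMAIL`, `check_ipn` and the sample messages are hypothetical and constructed, and the message is assumed to have already been confirmed as VERIFIED by posting it back to PayPal.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the merchant's own record of each plan (hypothetical values).
CATALOG = {
    "PLAN-BASIC": {"item_name": "Basic plan", "price": Decimal("5.00"), "currency": "USD"},
    "PLAN-PREMIUM": {"item_name": "Premium plan", "price": Decimal("50.00"), "currency": "USD"},
}
MERCHANT_EMAIL = "merchant@example.com"  # constructed value


def check_ipn(ipn, ordered_item_number):
    """Return the IPN fields that disagree with the order stored on the site.

    ordered_item_number is what the site recorded when the user checked out,
    never a value taken from the IPN itself.
    """
    expected = CATALOG[ordered_item_number]
    problems = []
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        problems.append("receiver_email")  # payment went to another account
    if ipn.get("item_number") != ordered_item_number:
        problems.append("item_number")
    if ipn.get("item_name") != expected["item_name"]:
        problems.append("item_name")  # description differs from the catalog
    if ipn.get("mc_currency") != expected["currency"]:
        problems.append("mc_currency")
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        paid = None  # missing or non-numeric amount never matches
    if paid != expected["price"]:
        problems.append("mc_gross")
    return problems


# Constructed IPN for an honest purchase of the cheapest plan.
HONEST = {
    "receiver_email": "merchant@example.com",
    "item_number": "PLAN-BASIC",
    "item_name": "Basic plan",
    "mc_gross": "5.00",
    "mc_currency": "USD",
}
# The scenario from the post: cheapest plan paid, description says premium.
TAMPERED = dict(HONEST, item_name="Premium plan")

if __name__ == "__main__":
    print(check_ipn(HONEST, "PLAN-BASIC"))
    print(check_ipn(TAMPERED, "PLAN-BASIC"))
```

An order whose IPN returns a non-empty list should be held for manual review rather than activated automatically.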