Ignoring the amount customers confirm is no security bug according to PayPal

173 points by david_b, almost 11 years ago

9 comments

benmorris, almost 11 years ago
I've implemented express checkout on a few carts I've written. It isn't possible to calculate the shipping cost/method until the user gives at minimum their zip code and country. So basically the flow of Express Checkout doesn't allow this since that information is sent back once they authorize a charge and return to your site. At that point the customer is prompted with an order confirmation, final total and to select their shipping information. When they click confirm the charge is actually made. Express Checkout is extremely popular on all of the sites I've worked with and is probably the quickest payment method people can use. In the 6+ years we've been using it we have not had one single complaint about charging the wrong amount shown on the PayPal confirmation page. Customers understand they must select their shipping method and I would rather not have them enter duplicate information.

I am confused how this "bug" is any different than using something like the payments pro API. Sure your cart page says you'll charge X amount, there is NOTHING keeping you from charging some other arbitrary amount when they press pay.
beejiu, almost 11 years ago
This is how it has always been; it's written in the documentation. I don't personally consider this a bug, since a retailer could feasibly accept a credit card and charge whatever they want to it. The fact that PayPal allows the amount to be changed is not dangerous, because PayPal holds the liability and any charges can be reversed. Furthermore, the business who charges consumers without consent will be committing fraud.
bencoder, almost 11 years ago
I recently integrated paypal. I did a test to see how much extra we could charge if the customer chose an obscure shipping address and there didn't appear to be any limits like I was expecting (I was expecting a percentage +- of the "confirmed" amount).

I asked paypal and they confirmed that there's no limit.

It is a little weird, but since paypal always sides with customers in disputes, it's probably not so bad if you get hit with this.
mathias, almost 11 years ago
I spotted this earlier this week when ordering a t-shirt through TeeSpring using PayPal. I authorized a payment of 22.95 USD. Here’s a screenshot from the payment confirmation email I received: http://i.imgur.com/BGjKcsW.png The math doesn’t quite add up.
splitbrain, almost 11 years ago
This confuses the heck out of me every time I have to work with the Paypal API. I never understood why they implemented it this way. It makes absolutely no sense IMHO but has always been this way. I'm surprised that this isn't used much more often for fraud.
habosa, almost 11 years ago
Seems like the sort of trust system that is common in restaurants.

1) You get the check with a total of food and drink.

2) The waiter/waitress takes your card to the register for authorization.

3) You get your card back.

4) You hand-write the tip amount and total, then walk away. You trust the merchant to charge the amount you wrote.

5) The restaurant charges the amount you wrote, but you don't know this for sure until you check your statement.
arrel, almost 11 years ago
This is the magic of market dynamics. If a business fraudulently takes advantage of this they will not build up a customer base, paypal will shut down their account, and money will be refunded. PayPal is taking most of the risk so that businesses can be flexible and provide a better experience.

It's not a bug, it's the way things should work with more services. PayPal's product may be outdated in many ways, but this is not one of them.
jdong, almost 11 years ago
This is hardly an issue with a system that by design allows payment reversals. If you get defrauded, just chargeback.
LeicaLatte, almost 11 years ago
They don't have David Marcus anymore to respond in these forums. Poor PayPal.