PREFACE
The /v1/payments/payment resource of the PayPal REST API creates a payment.
See the following link for details:
https://developer.paypal.com/docs/api/payments/
Depending on the payment_method and the funding_instrument, you can use the payment resource for direct credit card payments, stored credit card payments, or PayPal account payments.
Of these:
direct credit card payments: paying with a credit card entered directly
stored credit card payments: paying with a credit card bound to a PayPal account
PayPal account payments: paying from a PayPal balance
Here is the request body for a direct credit card payment:
curl -v https://api.sandbox.paypal.com/v1/payments/payment \
  -H "Content-Type:application/json" \
  -H "Authorization: Bearer Access-Token" \
  -d '{
    "intent": "sale",
    "payer": {
      "payment_method": "credit_card",
      "funding_instruments": [
        {
          "credit_card": {
            "number": "4417119669820331",
            "type": "visa",
            "expire_month": 11,
            "expire_year": 2018,
            "cvv2": "874",
            "first_name": "Betsy",
            "last_name": "Buyer",
            "billing_address": {
              "line1": "111 First Street",
              "city": "Saratoga",
              "state": "CA",
              "postal_code": "95070",
              "country_code": "US"
            }
          }
        }
      ]
    },
    "transactions": [
      {
        "amount": {
          "total": "7.47",
          "currency": "USD",
          "details": {
            "subtotal": "7.41",
            "tax": "0.03",
            "shipping": "0.03"
          }
        },
        "description": "This is the payment transaction description."
      }
    ]
  }'
The request body carries the credit card details themselves. We collected them from the customer through our own form, so they pass through our systems, and that is highly risky: we must then comply with PCI (the Payment Card Industry standards).
PCI
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
PCI compliance
All merchants who accept, store, transmit or process any cardholder data, regardless of size or number of transactions, must comply with the Payment Card Industry Data Security Standards (PCI DSS).
Any merchant that handles cardholder data in any way must comply with PCI DSS.
PCI compliance handled by PayPal
With PayPal’s JavaScript buttons or the PayPal iOS SDK, PayPal handles the payment card information on your behalf and so greatly eases the burden of PCI compliance.
With PayPal's JS buttons or the iOS SDK, PayPal handles the card information itself, so we largely do not have to deal with PCI ourselves.
PCI compliance handled by you
If you use the PayPal REST APIs for accepting credit card payments, you handle card data directly and will need to ensure you are PCI compliant.
If we use the credit card payment endpoint of the PayPal REST APIs, the merchant handles the card information itself and must therefore comply with the PCI standard.
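To make the scope difference concrete, here is an added Python example (not from the original post and not PayPal's code). It rebuilds the direct-card request body shown above as a dict, walks any JSON-like payload to find cardholder data (a Luhn-valid 13 to 19 digit PAN or a security-code field), and produces a redacted copy that is safe for application logs. The BUTTON_FLOW_CALLBACK sample is a constructed stand-in for what the merchant's server sees after the JS button flow; its ids are placeholders and its key names are an assumption, not a documented PayPal response.

```python
import copy

# Constructed sample: the direct credit card request body shown in the post, as a dict.
DIRECT_CARD_PAYMENT = {
    "intent": "sale",
    "payer": {
        "payment_method": "credit_card",
        "funding_instruments": [{
            "credit_card": {
                "number": "4417119669820331",   # PayPal's sandbox test card from the post
                "type": "visa",
                "expire_month": 11,
                "expire_year": 2018,
                "cvv2": "874",
                "first_name": "Betsy",
                "last_name": "Buyer",
                "billing_address": {
                    "line1": "111 First Street", "city": "Saratoga",
                    "state": "CA", "postal_code": "95070", "country_code": "US",
                },
            }
        }],
    },
    "transactions": [{
        "amount": {"total": "7.47", "currency": "USD",
                   "details": {"subtotal": "7.41", "tax": "0.03", "shipping": "0.03"}},
        "description": "This is the payment transaction description.",
    }],
}

# Constructed sample (assumption, not a documented PayPal response): what the merchant's
# server receives after the JS button flow, where PayPal already took the card details.
BUTTON_FLOW_CALLBACK = {"paymentID": "PAY-PLACEHOLDER", "payerID": "PAYER-PLACEHOLDER"}

# Field names treated as card security codes (assumption; extend for your own schema).
SECURITY_CODE_KEYS = {"cvv2", "cvv", "cvc", "csc"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(value) -> bool:
    """True for a 13 to 19 digit string (spaces/dashes allowed) that passes Luhn."""
    if not isinstance(value, str):
        return False
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_cardholder_data(obj, path=""):
    """Walk a JSON-like structure; return the paths of every PAN or security code found."""
    hits = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in SECURITY_CODE_KEYS and val not in (None, ""):
                hits.append(here)
            elif looks_like_pan(val):
                hits.append(here)
            else:
                hits.extend(find_cardholder_data(val, here))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            hits.extend(find_cardholder_data(val, f"{path}[{i}]"))
    return hits


def in_pci_scope(payload) -> bool:
    """A system that builds, stores or logs this payload is handling cardholder data."""
    return bool(find_cardholder_data(payload))


def redact_for_logging(obj):
    """Deep copy with PANs masked to first six / last four and security codes removed,
    so the result can be written to an application log."""
    if isinstance(obj, dict):
        out = {}
        for key, val in obj.items():
            if key.lower() in SECURITY_CODE_KEYS:
                continue                  # the security code must never be stored or logged
            if looks_like_pan(val):
                digits = val.replace(" ", "").replace("-", "")
                out[key] = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            else:
                out[key] = redact_for_logging(val)
        return out
    if isinstance(obj, list):
        return [redact_for_logging(val) for val in obj]
    return copy.deepcopy(obj)


if __name__ == "__main__":
    print("direct card body in scope:", in_pci_scope(DIRECT_CARD_PAYMENT))
    print("button flow callback in scope:", in_pci_scope(BUTTON_FLOW_CALLBACK))
    print(redact_for_logging(DIRECT_CARD_PAYMENT)["payer"]["funding_instruments"][0]["credit_card"])
```

The detector keys on the Luhn check rather than on the field name "number", so it also catches a PAN that ends up in an unexpected field, a free-text description, or a log line; the redaction keeps only the masking that PCI DSS allows for display and drops the security code entirely, since that value may not be retained after authorization.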
SUMMARY
A small merchant integrating PayPal should not use the PayPal REST API /v1/payments/payment endpoint to create direct credit card payments, because that endpoint requires us to supply the cardholder data ourselves, which brings a lot of trouble.
It is better to pay through the front-end JS SDK that PayPal provides, and let PayPal handle the customer's card information.