Tags: javascript, php, paypal, braintree

In PayPal, what protects the buyer that the correct amount will be charged to their account during checkout?


I am testing my code in the PayPal sandbox using the Braintree SDK. I can set an amount on the client side, e.g. 10 USD, and the client can proceed with the checkout process.

But on the server side, after receiving the "nonce" code, I can charge the client 200 USD and there is no error or validation.

What protects the buyer from overpayment if the developer decides to charge more than what was shown during checkout?

On the client side, I set the intent option to "authorize", but I can still overcharge the buyer if I want to.

Client-side code

    paypal.Button.render({
        braintree: braintree,
        client: {
            sandbox: '{{$btClientToken}}'
        },
        env: 'sandbox',
        commit: true,

        payment: function (data, actions) {
            return actions.braintree.create({
                flow: 'checkout', // Required
                intent: 'authorize',
                amount: '10', // Required
                currency: 'USD', // Required
                displayName: 'test display name',
                description: 'test description',
                lineItems: [
                    {
                        quantity: '1',
                        unitAmount: '10',
                        totalAmount: '10',
                        name: 'line item test',
                        description: 'test description',
                        kind: 'debit'
                    }
                ]
            });
        },

        onAuthorize: function (payload) {
            console.log(payload);

            // Only the nonce and ids are sent to the server; the amount is not.
            $.ajax({
                method: 'POST',
                data: {
                    _token: '{{ csrf_token() }}',
                    payment_method_nonce: payload.nonce,
                    uid: '{{$uid}}',
                    order_id: payload.orderID,
                    payer_id: payload.payerID,
                    payment_token: payload.paymentToken
                },
                url: '{{url("cart/order/nonce")}}'
            }).done((reply) => {
                console.log(reply);
            });
        }
    }, '#paypal-pay');

Server-side code

    // The amount here is chosen on the server; the buyer was shown 10 USD.
    $result = $gateway->transaction()->sale([
        'amount' => '200.00',
        'paymentMethodNonce' => $nonce,
        'descriptor' => [
            'name' => 'company name*myurl.com'
        ],
        'options' => [
            'submitForSettlement' => true,
            'paypal' => [
                'description' => $order->title
            ],
        ],
        'lineItems' => [
            [
                'description' => 'TEST DESCRIPTION',
                'name'        => 'TEST NAME',
                'quantity'    => '1',
                'unitAmount'  => '200.00',
                'totalAmount' => '200.00',
                'kind'        => 'debit'
            ]
        ]
    ]);

I get a successful transaction with 200 USD amount received in my seller dashboard.
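The same server-side step written so that the amount comes from the merchant's own order record rather than a hard-coded value, as an added example that is not part of the question's code. `Order`, `chargeOrder` and the `displayed_amount` POST field are assumed names, and `$gateway` is assumed to be an already configured `Braintree\Gateway`.

```php
<?php
// Added example, not from the question. The merchant server, not the
// client, decides the amount: it is read from the server-side order record,
// and the amount the client claims it displayed is only cross-checked.
// Assumptions: Order is a hypothetical order record; $gateway is a
// configured Braintree\Gateway; 'displayed_amount' is an assumed POST field.
use Braintree\Gateway;

final class Order
{
    public function __construct(
        public int $id,
        public string $total,          // e.g. "10.00", fixed when the cart was priced
        public bool $paid = false,
        public ?string $transactionId = null
    ) {}
}

function chargeOrder(Gateway $gateway, Order $order, array $post): array
{
    $nonce = $post['payment_method_nonce'] ?? '';
    if ($nonce === '' || $order->paid) {
        return ['ok' => false, 'error' => 'missing nonce or order already paid'];
    }

    // Single source of truth: never take the amount from the POST body.
    $amount = number_format((float) $order->total, 2, '.', '');

    // Defence in depth: a mismatch means a stale price or a tampered request,
    // so refuse rather than charge either figure.
    $shown = $post['displayed_amount'] ?? null;
    if ($shown !== null && number_format((float) $shown, 2, '.', '') !== $amount) {
        error_log("order {$order->id}: client showed {$shown}, server total {$amount}");
        return ['ok' => false, 'error' => 'price changed, please refresh your cart'];
    }

    $result = $gateway->transaction()->sale([
        'amount'             => $amount,
        'paymentMethodNonce' => $nonce,
        'orderId'            => (string) $order->id, // ties the charge to the record
        'options'            => ['submitForSettlement' => true],
    ]);

    if (!$result->success) {
        return ['ok' => false, 'error' => $result->message];
    }
    $order->paid = true;                       // one nonce, one charge
    $order->transactionId = $result->transaction->id;
    return ['ok' => true, 'transaction_id' => $order->transactionId, 'amount' => $amount];
}
```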


Solution

  • Most consumer protection laws would allow the consumers to seek their money back from you if you incorrectly charged them, and if you did it systematically, a trading standards authority could take action against you.

    PayPal themselves would also offer protection with the Buyer Protection guarantee, which would mean that the consumer could retrieve their money back directly from PayPal if the merchant didn’t give a refund themselves.

    Edit

    @Grumpy makes a good point that PayPal would most likely either block or ban your account after a few transactions.