PayPal PayFlow Posting $0 Zero Dollar Amounts

SOLVED

Hi,

I am using Magento 2.4.2 with PayPal PayFlow.

It looks like a script testing CCs in checkout. It will run 500+ in a day. I have added CAPTCHA and it doesn't seem to help. Sometimes when I view the transactions in PP Manager there isn't even a billing address added. All the data looks legitimate except the email address. It is always the name of the person followed by a bunch of random numbers @yahoo, gmail, etc. The originating IP address shown in PP is just about always different so I can't block it. Sometimes when I do a reverse lookup of the IP address it doesn't have a DNS record at all.

Also, there are no orders/transactions showing in Magento at all. I only see them in PP Manager.

Anyone else have this issue?

Thanks,

Stan

1 ACCEPTED SOLUTION

Re: PayPal PayFlow Posting $0 Zero Dollar Amounts

This issue indicates that bots are targeting your Magento site to test stolen or fake credit card numbers by exploiting the PayPal PayFlow integration. Since these transactions don’t appear in Magento but show in PayPal Manager, the attack is happening at the payment gateway level. Here’s how you can address this issue:
1. Strengthen CAPTCHA Implementation

Ensure CAPTCHA is enabled at all sensitive entry points, including:

  • Login pages
  • Checkout forms (guest and logged-in users)
  • Payment gateways

Use Google reCAPTCHA v3, as it provides invisible, behavior-based bot detection and is more robust than v2.

2. Implement PayPal Fraud Protection

Enable PayPal’s fraud management filters (FMP) in your PayPal PayFlow account. Specific filters you should enable or configure:

  • Amount Limits: Reject $0 or extremely low-value transactions.
  • Address Verification (AVS): Block transactions missing a billing address or with mismatched address details.
  • Velocity Filters: Limit the number of transactions allowed from the same card, email, or IP within a set timeframe.
  • Email Validation: Block disposable or suspicious email domains (e.g., random strings before @gmail.com).

3. Use Magento's Built-in Fraud Protection

Enable Magento's built-in fraud protection tools:

  • Min/Max Order Amounts: Set a minimum order amount greater than $0.
  • IP Whitelisting or Blocking: Use extensions or server configurations to block access from specific IPs or suspicious ranges, even if they rotate.

4. Add Server-Side Validation

Add backend validation to block $0 transactions in your payment processing scripts. For example:

  • Reject transactions with amounts below a certain threshold.
  • Ensure billing address fields are mandatory.

5. Monitor and Block Malicious IPs

  • Use security tools like Cloudflare or a Web Application Firewall (WAF) to monitor and block suspicious traffic.
  • Enable Rate Limiting to limit requests from a single IP.

6. Review Webhook Configurations

Ensure that your PayPal webhooks are correctly set up and validate transactions at the Magento level. If transactions aren’t validated or created in Magento, it suggests bots are bypassing your site’s transaction flow entirely.
7. Email and DNS Validation

  • Implement email validation to reject addresses that don’t resolve.
  • Use a DNS blocklist to prevent requests from known bot or malicious IP ranges.

8. Contact PayPal Support

Reach out to PayPal support and report this as a card testing attack. They can assist in configuring your account with advanced fraud detection settings and additional security layers.
9. Consider Third-Party Anti-Fraud Solutions

Invest in a third-party fraud protection solution like:

  • Sift
  • Signifyd
  • NoFraud

These integrate with Magento to provide real-time fraud detection.

When I encountered a similar issue for a client’s site, I had to configure advanced fraud prevention tools to address the problem effectively. I paid for some additional security features and implemented backend validation to stop the $0 transactions. You can see how I approach secure development practices on a site.

By combining Magento’s built-in security features, PayPal’s fraud tools, and external security measures, you can significantly reduce or prevent these attacks. Let me know if you need help configuring any of these!
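The rules in steps 2, 4 and 7 above (reject $0 or near-$0 amounts, require a billing address, flag name-plus-random-digits email addresses, and count velocity per email, IP and card) can be checked against a PayPal Manager export before touching any account settings. The script below is an added example written for this thread; it is not code from the original post, from Magento or from PayPal. The CSV column names and every transaction in it are constructed for illustration and are not PayPal Manager's real export schema.

```python
"""Triage a PayPal Manager transaction export for card-testing patterns.

Added example for this thread, not code from the original post or from
Magento/PayPal. Column names are assumptions for illustration, not
PayPal Manager's real export schema; all sample values are made up.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed column names; all values made up).
# Four $0 attempts arrive under one identity from rotating IPs and
# different cards, which is the pattern the original poster describes.
SAMPLE_EXPORT = """\
time,amount,first_name,last_name,email,billing_street,client_ip,card_last4
2024-05-01T10:00:01,0.00,John,Smith,johnsmith48213@yahoo.com,,203.0.113.10,4242
2024-05-01T10:00:09,0.00,John,Smith,johnsmith48213@yahoo.com,,203.0.113.11,1881
2024-05-01T10:00:17,0.00,John,Smith,johnsmith48213@yahoo.com,,203.0.113.12,0005
2024-05-01T10:00:25,0.00,John,Smith,johnsmith48213@yahoo.com,,203.0.113.13,9424
2024-05-01T10:00:33,0.00,Mary,Jones,maryjones773120@gmail.com,,203.0.113.14,0002
2024-05-01T11:30:00,49.99,Alice,Chen,alice.chen@example.com,12 Oak St,198.51.100.7,1111
"""

MIN_AMOUNT = 1.00                        # anything below this is treated as a card test
VELOCITY_WINDOW = timedelta(minutes=10)  # sliding window for the velocity rule
VELOCITY_LIMIT = 3                       # attempts per key allowed inside the window

# Local part that is letters followed by a run of digits, e.g. "johnsmith48213"
NAME_DIGITS_RE = re.compile(r"^[a-z]+\d{3,}$")


def email_looks_generated(first, last, email):
    """True when the local part is the customer's own name plus trailing digits."""
    local = email.split("@", 1)[0].lower()
    if not NAME_DIGITS_RE.match(local):
        return False
    return local.startswith((first + last).lower())


def score_transaction(row):
    """Return the rule names a single transaction trips (empty list = clean)."""
    reasons = []
    if float(row["amount"]) < MIN_AMOUNT:
        reasons.append("amount_below_minimum")
    if not row["billing_street"].strip():
        reasons.append("missing_billing_address")
    if email_looks_generated(row["first_name"], row["last_name"], row["email"]):
        reasons.append("name_plus_digits_email")
    return reasons


def velocity_hot_keys(rows):
    """Keys (email, IP or card) with more than VELOCITY_LIMIT attempts in any window."""
    seen = defaultdict(list)
    for row in rows:
        t = datetime.fromisoformat(row["time"])
        seen[("email", row["email"])].append(t)
        seen[("ip", row["client_ip"])].append(t)
        seen[("card", row["card_last4"])].append(t)
    hot = []
    for key, times in seen.items():
        times.sort()
        # sliding window: from each start time, count attempts that fall inside it
        for i, start in enumerate(times):
            inside = sum(1 for u in times[i:] if u - start <= VELOCITY_WINDOW)
            if inside > VELOCITY_LIMIT:
                hot.append(key)
                break
    return hot


def triage(export_text):
    """Map each flagged transaction time to its reasons, plus the velocity-hot keys."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    flagged = {}
    for row in rows:
        reasons = score_transaction(row)
        if reasons:
            flagged[row["time"]] = reasons
    return flagged, velocity_hot_keys(rows)


if __name__ == "__main__":
    flagged, hot = triage(SAMPLE_EXPORT)
    for when, reasons in flagged.items():
        print(when, ", ".join(reasons))
    print("velocity exceeded for:", hot)
```

On the constructed data only the email key exceeds the velocity limit: every IP and every card appears once, which is exactly why an IP-based block does not work against the traffic described in the question. Keying velocity on email or card (or on the identity fields the bot keeps constant) is what the filter in step 2 needs to be configured around, and the same three per-transaction checks are what the backend validation in step 4 should enforce before the request ever reaches the gateway.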

4 REPLIES

Re: PayPal PayFlow Posting $0 Zero Dollar Amounts

I can’t provide specific details about your Magento setup, but I’ve occasionally heard about this issue from merchants using various payment processors, particularly on older versions of Magento. We’ve also had some merchants experience success after switching to a different payment processor. It may be worth checking out the Adobe Payment Services setup. The integration uses a different type of setup with PayPal than the Payflow integration, which may help with mitigating the script, especially if it is sidestepping the Magento flow entirely.

Based on your Magento version, the highest version of Payment Services available would be 1.6.0/1.6.1.

Harrison

hloveall@adobe.com

Re: PayPal PayFlow Posting $0 Zero Dollar Amounts

Thanks, I was having the same problem and the solution worked for me. You may also check this.

Re: PayPal PayFlow Posting $0 Zero Dollar Amounts

It might be worth looking into additional fraud protection measures like reCAPTCHA or PayPal’s own advanced fraud protection tools. These can help with unusual patterns like the one you're experiencing voltix.