How Does Google Authenticate My Merchant ID

Email lists > Google Checkout API integration

Thread: How Does Google Authenticate My Merchant ID

Search this list only Search all lists
How Does Google Authenticate My Merchant ID
United States	2007-03-16 17:06:52
Hello, I am evaluating Google Checkout for potential use in our shopping cart and I have a few questions I didn't see answered. How does Google Checkout Shopping Cart Authentication work? If a customer of mine does a view source on my HTML page and sees my Merchant ID what is to prevent him or her from submitting shopping cart transactions using my Merchant ID? How does Google Checkout insure that I am the proper domain submitting a shopping cart for this Merchant ID? Does this site require two way SSL? Please let me know. Thank You --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "API Integration Basics" group. To post to this group, send email to google-checkout-api-integrationgooglegroups.com To unsubscribe from this group, send email to google-checkout-api-integration-unsubscribegooglegroups.com For more options, visit this group at http://groups.google.com/group/google-checko ut-api-integration?hl=en -~----------~----~----~----~------~----~------~--~---

Re: How Does Google Authenticate My Merchant ID
United States	2007-03-19 11:10:39
Does anybody know if Google at least checks if the form is submitted from the domain that is associated with the merchant ID? Simple "Accepted URLs" security? On Mar 17, 10:43 am, "Robin K" <r...e-junkie.com> wrote: > > I was reading about the Merchant Key but I do not see how it is > > passed. I see the Merchant ID passed and potentially visible but I do > > not see how I am to pass the Merchant Key. Is this documented > > somewhere? > > merchnt key is not passed. > > in xml it's used to sign the cart being submitted. > > in html, it's not used at all and merchant id is passed in plain text. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "API Integration Basics" group. To post to this group, send email to google-checkout-api-integrationgooglegroups.com To unsubscribe from this group, send email to google-checkout-api-integration-unsubscribegooglegroups.com For more options, visit this group at http://groups.google.com/group/google-checko ut-api-integration?hl=en -~----------~----~----~----~------~----~------~--~---

Re: How Does Google Authenticate My Merchant ID
United States	2007-03-19 11:37:59
Yes, Exactly my question. But since the shopper is doing the submission from their browser via a redirect there is no official domain. I do not see how Google Checkout can determine that the HTTP POST is legitimate. It appears that the burden of 'proof' if you will lies on the merchant to come in and review the transaction. Google Checkout does their own blackbox review-the-order process after which they open the transaction up to the merchant to be reviewed and 'charged'. The real question is what is the Google Checkout blackbox 'review-the- order' process? Knowing how they determine that the submission is not from someone pretending to the be the merchant would ease my mind. Does anyone know what steps Google Checkout uses to insure that the transaction is legitimate? Do tell!! Thank You On Mar 19, 12:10 pm, "Dungeon" <webmas...printcountry.com> wrote: > Does anybody know if Google at least checks if the form is submitted > from the domain that is associated with the merchant ID? Simple > "Accepted URLs" security? > > On Mar 17, 10:43 am, "Robin K" <r...e-junkie.com> wrote: > > > > I was reading about the Merchant Key but I do not see how it is > > > passed. I see the Merchant ID passed and potentially visible but I do > > > not see how I am to pass the Merchant Key. Is this documented > > > somewhere? > > > merchnt key is not passed. > > > in xml it's used to sign the cart being submitted. > > > in html, it's not used at all and merchant id is passed in plain text. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "API Integration Basics" group. To post to this group, send email to google-checkout-api-integrationgooglegroups.com To unsubscribe from this group, send email to google-checkout-api-integration-unsubscribegooglegroups.com For more options, visit this group at http://groups.google.com/group/google-checko ut-api-integration?hl=en -~----------~----~----~----~------~----~------~--~---

Re: How Does Google Authenticate My Merchant ID
	2007-03-19 12:22:33

Tim, as far as i know, Google Checkout state REVIEWING is not mean to legitimize that the cart comes from a certain place, instead tries to determine whether the buyer info is valid or not (credit card, buyer address, shipping address, etc) "As long as the order's status is Reviewing, you will not be able to charge the customer for the order. During this time, Google Checkout will authorize the customer's credit card for the amount of the purchase." and ";REVIEWING is the default financial state for all new orders. Upon receiving a new order, Google reviews the order to confirm that it is chargeable. After determining that the order is chargeable, Google will update the financial order state to CHARGEABLE." and i dont think google will check for domains and that stuff, because is very valid to send an email with a form inside that contain a valid cart, and any client can click the Google Checkout button from any email client, so domain could be anything, and the order still valid! hope this helps, , ropu On 3/19/07, Tim < timothyoliver1gmail.com">timothyoliver1gmail.com> wrote: Yes, ; Exactly my question.  But since the shopper is doing the submission from their browser via a redirect there is no official domain.  I do not see how Google Checkout can determine that the HTTP POST is legitimate.  It appears that the burden of 'proof' if you will lies on the merchant to come in and review the transaction.  Google Checkout does their own blackbox review-the-order process after which they open the transaction up to the merchant to be reviewed and 'charged'. The real question is what is the Google Checkout blackbox 'review-the- order' process?  Knowing how they determine that the submission is not from someone pretending to the be the merchant would ease my mind. Does anyone know what steps Google Checkout uses to insure that the transaction is legitimate?  Do tell!! Thank You On Mar 19, 12:10 pm, "Dungeon" < webmas...printcountry.com">webmas...printcountry.com> wrote: >; Does anybody know if Google at least checks if the form is submitted > from the domain that is associated with the merchant ID? Simple >; "Accepted URLs" security? > > On Mar 17, 10:43 am, "Robin K" < r...e-junkie.com">r...e-junkie.com > wrote: >; > > > I was reading about the Merchant Key but I do not see how it is > > > passed.  I see the Merchant ID passed and potentially visible but I do > > > not see how I am to pass the Merchant Key. Is this documented > > > somewhere? > > > merchnt key is not passed. > > > in xml it's used to sign the cart being submitted. > > > in html, it's not used at all and merchant id is passed in plain text. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "API Integration Basics" group. To post to this group, send email to google-checkout-api-integrationgooglegroups.com To unsubscribe from this group, send email to google-checkout-api-integration-unsubscribegooglegroups.com For more options, visit this group at http://groups.google.com/group/google-checkout-api-integration?hl=en -~----------~----~----~----~------~----~------~--~---

[1-4]

about | contact Other archives ( Real Estate discussion Medical topics )

Mailing lists