How To Set Up Paypal Payflow In Rails

After a long time doing automation testing with RSpec, I have recently started doing development. The initial task was itself an interesting one: setting up PayPal Payflow as a payment gateway for my Rails application. Even though it took me three days to complete it :), I finally did it, and it gave me the feeling that I had learnt something new.

Let’s see how we can set up the Payflow payment gateway for a Rails application. It is a four-step process:

  1. Set up a test Payflow account with PayPal.
  2. Add the PayPal API credentials to your application.
  3. Fetch a secure token before taking the payment.
  4. Redirect to PayPal’s hosted pages for payment and handle the callback.

Set up a test Payflow account with PayPal

This is pretty straightforward, and here is a good article that explains, with screenshots, how to set up a test Payflow merchant account.

Add Paypal API credentials in your application

The account login credentials double as API credentials for the Payflow API. Keep the non-secret settings in config/initializers/paypal.rb and supply the login and password through environment variables rather than checking them into the repository, since anyone who can read the initializer can then charge cards on your account.

# config/initializers/paypal.rb
#
# Only non-secret settings live here. The Payflow login and password are read
# from the PAYPAL_LOGIN and PAYPAL_PASSWORD environment variables where they
# are needed, so they are never committed to the repository.
if Rails.env.production?
  PAYPAL_CONFIG = {
    :partner     => 'PayPal',
    :currency    => 'USD',
    :payflow_url => '',   # live Payflow endpoint
    :gateway     => ''    # live hosted-pages URL
  }.freeze
else  # development and test talk to the Payflow sandbox
  PAYPAL_CONFIG = {
    :mode        => 'test',
    :partner     => 'PayPal',
    :currency    => 'USD',
    :payflow_url => '',   # sandbox (pilot) Payflow endpoint
    :gateway     => ''    # sandbox hosted-pages URL
  }.freeze
end

Fetch secure token before making payment

This is the most important step. The secure token is requested server-to-server, with your gateway credentials together with the amount and order details, and PayPal ties those details to the token. The browser later submits only the token and its ID, so the amount cannot be tampered with in the checkout form. The token is valid for only five minutes and is meant for a single transaction; after that the transaction can’t be completed and a new token has to be requested. In my application I have used curb (a Ruby wrapper for libcurl) to make the HTTP POST request. You can alternatively use Net::HTTP, HTTParty or Faraday.

require 'curb'
require 'securerandom'

module Paypal
  class Configuration
    # Ask Payflow for a secure token bound to this order and amount. Returns a
    # Hash of the response fields (RESULT, SECURETOKEN, SECURETOKENID, RESPMSG)
    # on success, or nil if the request failed or RESULT was not 0.
    def self.gen_secure_token(amount, order)
      curl = Curl::Easy.new(PAYPAL_CONFIG[:payflow_url])
      # Negotiate TLS 1.2 and verify the certificate. Pinning SSLv3 (a common
      # workaround in older examples) is broken (POODLE) and rejected by PayPal.
      curl.ssl_version = Curl::CURL_SSLVERSION_TLSv1_2
      curl.ssl_verify_peer = true
      # Unique per transaction: 36 hex characters, the maximum SECURETOKENID length.
      token_id = SecureRandom.hex(18)
      success = curl.http_post(
        Curl::PostField.content('TRXTYPE', 'A'),
        Curl::PostField.content('TENDER', 'C'),
        # Two decimals; amount.round would silently drop the cents.
        Curl::PostField.content('AMT', format('%.2f', amount)),
        Curl::PostField.content('CURRENCY', PAYPAL_CONFIG[:currency]),
        Curl::PostField.content('CREATESECURETOKEN', 'Y'),
        Curl::PostField.content('SECURETOKENID', token_id),
        Curl::PostField.content('ORDERID', order.id.to_s),
        Curl::PostField.content('PARTNER', PAYPAL_CONFIG[:partner]),
        # Credentials come from the environment, not from the initializer.
        Curl::PostField.content('VENDOR', ENV.fetch('PAYPAL_LOGIN')),
        Curl::PostField.content('USER', ENV.fetch('PAYPAL_LOGIN')),
        Curl::PostField.content('PWD', ENV.fetch('PAYPAL_PASSWORD'))
      )
      return nil unless success
      # The reply is a name-value string:
      # RESULT=0&SECURETOKEN=...&SECURETOKENID=...&RESPMSG=Approved
      response = curl.body_str.split('&').map { |pair| pair.split('=', 2) }.to_h
      response['RESULT'] == '0' && response['SECURETOKENID'] == token_id ? response : nil
    end
  end
end

I am generating a secure token for an order and for a particular amount. Below is the explanation for the parameters:

TRXTYPE: Transaction type. ‘A’ (authorization) is the type used when generating a secure token. (mandatory)
TENDER: Method of payment. ‘C’ means a credit card payment. (mandatory)
AMT: Transaction amount with two decimal places, e.g. 12.50. (mandatory)
ORDERID: The order this transaction is for; PayPal uses it to detect duplicate submissions of the same order.
CURRENCY: Currency of the transaction (here USD).
CREATESECURETOKEN: ‘Y’ tells Payflow to create a secure token instead of processing the authorization immediately.
SECURETOKENID: A unique identifier you generate before requesting the token; together the token ID and the token identify one transaction. It may be up to 36 alphanumeric characters, which is why SecureRandom.hex(18) (36 hex characters) is used, and it must never be reused.
PARTNER: ‘PayPal’ when the account was opened directly with PayPal; otherwise the ID of the reseller that provided the account.
VENDOR: The Payflow merchant login.
USER: The same merchant login, unless you have created a separate API user under that account, which is preferable so the primary login never sits in application config.
PWD: The password for USER.

Note: This request carries your gateway credentials, so it must be made server-to-server over HTTPS, never from the browser. Payflow also requires a modern TLS version: forcing SSLv3 (a trick older examples used to get a token back) now fails, because SSLv3 is broken (POODLE) and PayPal has disabled it; negotiate TLS 1.2 or later and verify the server certificate instead. In test mode the request goes to the Payflow sandbox endpoint and in production to the live one (the two values of PAYPAL_CONFIG[:payflow_url]).
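As an added example, not part of the original post, here is the same token request written against the Ruby standard library so it can be run and tested without curb or Rails. It encodes the name-value pairs Payflow expects (including the `NAME[len]=value` form for values containing & or =, which a plain split on & cannot handle), enforces TLS 1.2 with certificate verification, and checks RESULT and the echoed SECURETOKENID before trusting the reply. The endpoint URL, credentials and the canned reply used to exercise it are constructed; `text/namevalue` and the `X-VPS-REQUEST-ID` header are the ones Payflow’s HTTPS interface documents.

```ruby
require 'net/http'
require 'uri'
require 'openssl'
require 'securerandom'

# Added example: Payflow secure-token request with stdlib Net::HTTP.
module PayflowToken
  TOKEN_TTL = 300 # token lifetime as stated in the post above; check current Payflow docs

  # Payflow's name-value format is not URL-encoded. A value containing '&' or '='
  # must instead carry an explicit length tag: NAME[len]=value.
  def self.encode_pair(name, value)
    v = value.to_s
    v.match?(/[&=]/) ? "#{name}[#{v.bytesize}]=#{v}" : "#{name}=#{v}"
  end

  # Parse "RESULT=0&RESPMSG=Approved&..." into a Hash, honouring length tags.
  def self.parse_nvp(body)
    fields = {}
    pos = 0
    while pos < body.length && (eq = body.index('=', pos))
      name = body[pos...eq]
      if (m = name.match(/\A(.+)\[(\d+)\]\z/))
        name, len = m[1], m[2].to_i
        fields[name] = body[eq + 1, len]
        pos = eq + 1 + len + 1 # skip the value and the '&' after it
      else
        amp = body.index('&', eq) || body.length
        fields[name] = body[(eq + 1)...amp]
        pos = amp + 1
      end
    end
    fields
  end

  # Body for TRXTYPE=A with CREATESECURETOKEN=Y. Amount and order are fixed here,
  # server-side, so the browser form submitted later cannot change them.
  def self.request_body(amount:, order_id:, creds:, currency: 'USD', token_id: SecureRandom.hex(18))
    raise ArgumentError, 'SECURETOKENID must be 1-36 alphanumerics' unless token_id.match?(/\A[[:alnum:]]{1,36}\z/)
    raise ArgumentError, 'amount must be positive' unless amount.to_r.positive?
    pairs = {
      'TRXTYPE' => 'A', 'TENDER' => 'C',
      'AMT' => format('%.2f', amount), # two decimals; .round would drop the cents
      'CURRENCY' => currency,
      'CREATESECURETOKEN' => 'Y', 'SECURETOKENID' => token_id,
      'ORDERID' => order_id,
      'PARTNER' => creds.fetch(:partner), 'VENDOR' => creds.fetch(:vendor),
      'USER' => creds.fetch(:user), 'PWD' => creds.fetch(:pwd)
    }
    [pairs.map { |k, v| encode_pair(k, v) }.join('&'), token_id]
  end

  # Server-to-server HTTPS post: TLS 1.2 or later, peer verified, never SSLv3.
  def self.https_post(url, body)
    uri = URI(url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.min_version = OpenSSL::SSL::TLS1_2_VERSION
    http.open_timeout = http.read_timeout = 15
    req = Net::HTTP::Post.new(uri.path.empty? ? '/' : uri.path)
    req['Content-Type'] = 'text/namevalue'
    req['X-VPS-REQUEST-ID'] = SecureRandom.hex(16) # lets Payflow de-duplicate a retried request
    req.body = body
    http.request(req).body
  end

  # Returns { token:, token_id:, expires_at: } or raises. `post` is injectable so
  # the flow can be exercised offline against a canned reply.
  def self.create_token(url:, amount:, order_id:, creds:, post: method(:https_post), now: Time.now)
    body, token_id = request_body(amount: amount, order_id: order_id, creds: creds)
    reply = parse_nvp(post.call(url, body))
    ok = reply['RESULT'] == '0' && reply['SECURETOKENID'] == token_id && !reply['SECURETOKEN'].to_s.empty?
    raise "Payflow refused token: RESULT=#{reply['RESULT']} #{reply['RESPMSG']}" unless ok
    { token: reply['SECURETOKEN'], token_id: token_id, expires_at: now + TOKEN_TTL }
  end
end
```

Store `token_id` and `expires_at` against the order when the token is issued; the return handler in step 4 needs the token ID to find the order, and the password check in `request_body` shows why the length-tagged encoding matters: a password containing & or = would otherwise corrupt the whole request.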

Redirect to paypal hosted pages for payment and handling the callback

After we get the secure token, we submit a form containing the secure token ID and the secure token to PayPal’s hosted-page endpoint (the form’s action). Note that the amount and order details are not in the form: they were bound to the token on the server in the previous step, so a customer who edits the page cannot change what they are charged.

<form accept-charset="UTF-8" action="" id="pay" method="post">
  <input id="SECURETOKEN" name="SECURETOKEN" type="hidden" value="1j3G4l8NGMUyUOulrB3I0bAAQ">
  <input id="SECURETOKENID" name="SECURETOKENID" type="hidden" value="801f9cfb2dd4127002138e21794f0e77b252">
  <input id="mode" name="mode" type="hidden" value="test"> <!-- Remove this line when the app runs in production -->
  <input type="submit" value="Pay with PayPal">
</form>

As we are using PayPal’s hosted pages for the payment, the form takes the customer to PayPal’s website, where they actually enter their card details and pay. You can customize the hosted pages by logging in to your PayPal account, and the same hosted-pages configuration is where you set the success and failure return URLs that PayPal sends the customer back to.

Because the card details are entered on PayPal’s hosted page, no card or payment data ever reaches our server. That keeps the application in the lightest PCI DSS scope (the short self-assessment questionnaire for fully outsourced payment pages, SAQ A, rather than full validation), but it does not remove PCI obligations altogether, and it does not make HTTPS optional: the form above is what the browser trusts to send the customer to PayPal, and an attacker who can modify the checkout page in transit can point it at a page they control. Serve the checkout page over TLS.
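Whatever the return URLs are set to, the request that arrives at them comes from the customer’s browser and must be treated as untrusted input. The following is an added example, not code from the post: it looks the order up by the SECURETOKENID issued in step 3, checks RESULT, compares AMT with the amount the token was created for, refuses a token that has already been consumed, and leaves a hook for confirming the PNREF with the gateway before marking the order paid. The Order struct, `find_order` and `confirm` are hypothetical stand-ins for the application’s persistence and for a server-side inquiry call; the field names RESULT, RESPMSG, PNREF, AMT and SECURETOKENID are Payflow’s response fields.

```ruby
require 'bigdecimal'

# Added example: integrity checks on the return from the hosted page.
# Order stands in for the persisted order record (constructed; a real app
# would use ActiveRecord and store secure_token_id when the token is issued).
Order = Struct.new(:id, :amount, :secure_token_id, :state, :pnref, keyword_init: true)

module PayflowReturn
  class Rejected < StandardError; end

  # `params` are the fields PayPal posts back. `find_order` maps a SECURETOKENID to
  # the order it was issued for. `confirm` is a hypothetical hook that re-checks the
  # PNREF with the gateway (e.g. an inquiry transaction) and returns true/false;
  # without such a check the browser-delivered RESULT is just a claim.
  def self.process(params, find_order:, confirm: ->(_pnref) { true })
    token_id = params['SECURETOKENID'].to_s
    raise Rejected, 'missing SECURETOKENID' if token_id.empty?
    order = find_order.call(token_id)
    raise Rejected, 'unknown SECURETOKENID' unless order
    raise Rejected, 'token already consumed' if order.state == 'paid' # one token, one payment

    # A genuine decline is not tampering; report it without touching the order.
    return { status: :declined, message: params['RESPMSG'].to_s } unless params['RESULT'] == '0'

    amt = begin
      BigDecimal(params['AMT'].to_s)
    rescue ArgumentError
      raise Rejected, 'malformed AMT'
    end
    # The amount was fixed server-side at token creation; PayPal must echo it.
    raise Rejected, 'amount mismatch' unless amt == BigDecimal(order.amount.to_s)

    pnref = params['PNREF'].to_s
    raise Rejected, 'missing PNREF' if pnref.empty?
    raise Rejected, 'gateway did not confirm PNREF' unless confirm.call(pnref)

    order.state = 'paid'
    order.pnref = pnref
    { status: :paid, order_id: order.id, pnref: pnref }
  end
end
```

In Rails the controller action behind the return URL would call `PayflowReturn.process(params, find_order: ->(tid) { Order.find_by(secure_token_id: tid) })` and render the success or failure page from the returned status; a `Rejected` error should be logged with the offending parameters and answered with a generic failure, never with a paid order.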

I hope that after reading this article no one will spend as much time on this integration as I did. Suggestions are welcome.

7 thoughts on “How To Set Up Paypal Payflow In Rails”

  1. Just a warning to anybody reading this: you may not need an SSL cert in this case to meet PCI regulations, but you should always use HTTPS/SSL to serve the payment page to help prevent a man-in-the-middle attack where a malicious hacker could insert malicious code into the page that tracks key strokes in the form or tries to modify the form target url to send credit card data to his site for harvesting.

  2. Would this still work? I’m trying to implement it, so I would appreciate it if someone updated me on possible changes.
