Posted: April 19, 2020 at 6:09 am
Good day. I have looked extensively through other topics and have not found anything that matches what I am experiencing. As a starting point – I am using WordPress Version: 5.4 (PHP Version: 7.3.8 and MySQL Version: 5.6.45). I am on Event Espresso (EE) Version: 188.8.131.52.P and the address it’s on is https://getknitevents.com.
Last week I updated to the latest version of EE. And just discovered yesterday, during an event launch, that when you select an event, fill out the registration page, click submit and then fill out the payment information (using PayPal Pro via API) it declines the payment, showcases a red “incomplete” exclamation next to the payment – however it still takes the payment and is crediting my PayPal account. Additionally, in EE it shows this transaction as incomplete and does not issue them a ticket.
I have gone through your outline of suggested steps to troubleshoot and am coming up empty. I have also spoken with reps from both PayPal integration and GoDaddy but no one is seeing what could be wrong.
Two observations that may or may not be related:
(2) My 401 monitor through our SEO plugin has lit up since the update. In going into my error log 99% of the messages are directing to this:
[18-Apr-2020 10:45:26 UTC] PHP Warning: “continue” targeting switch is equivalent to “break”. Did you mean to use “continue 2”? in /home/xcyof2lxbmca/public_html/wp-content/plugins/espresso-json-api/includes/helpers/EspressoAPI_Validator.class.php on line 244
I am not a developer, just a business owner – so any help you can offer will be greatly appreciated. This is a very urgent situation so if I have to I will take out a ticket with you all. Thank you for your time.
With PayPal Pro, it’s an ‘onsite’ payment method, meaning you don’t go to another payment page, it’s done directly from the page you input the details into.
When the payment fails it would normally show an error on the page, do you have that error?
Side note, using PayPal Pro increases your required PCI compliance level as you are hosting the payment fields on your own site. That’s fine if you are aware of it but it’s a much higher compliance level than using an offsite payment method such as Stripe and if it’s not something you’re aware of it could cause you a real headache should an issue arise.
That’s a warning thrown from the EE3 JSON API add-on, it’s a warning that the code can be changed but will continue to function as is, so that’s not ‘causing’ issues currently.
Which pages are showing 401 in the logs?
Do you use the EE3 Mobile apps at all?
Hey there, Tony.
Thanks for the reply. To your three follow-up questions:
@PCI compliance – we’ve not had any issues in 7+ years and have always used PayPalPro so assume that our security is not an issue. Unless something changed in this latest update?
@error message – as I mentioned in my original post the payment status shows as “incomplete” and reads “your transaction was declined for the following reason(s):” but doesn’t cite anything particular. It does direct you to the “thank you” landing page however. So it looks just like the page would if it were the regular completion page (just showing incomplete vs. complete, a red exclamation vs. a green check, and the message (as aforementioned) up top). I do have a screen shot but not sure if I can share it?
@which pages showing on the 401: I mistyped in my original post, it is the “404 monitor” and it’s a mixed bag. I had contacted GoDaddy about it – and they assumed it was bots so I wasn’t giving it any weight – just thought I’d mention it as it did start around the same time I did this update.
@EE3 Mobile – we do not.
Any other ideas on what might be causing this issue? We’re hoping to get it fixed as soon as possible and I welcome any possible solutions. Is this a known issue?
It’s completely separate from the update (and mostly EE other than the fact that you are using it through EE) and unfortunately just because you’ve used it thus far doesn’t mean you’ve been compliant in doing so.
PCI compliance is essentially all down to risk and liability, the short of it is to make sure that you (the site owner) are aware of the procedures you need in place when handling card/personal details and your server is correctly maintained to try and prevent breaks (note shared hosting is not compliant with higher levels of PCI). It is you (the site owner) not us (Event Espresso) that is held liable if there is a data breach on your site and card details stolen or fraudulent transactions processed. If that happens (touch wood it never does) your payment provider may start working backwards through the transaction to your site and ask you for your PCI compliance certificate, which I’m assuming you don’t have. Worst case scenario they hold you liable for the data breach and lost funds.
PCI compliance is often something many people are unaware of until it’s a problem, then it’s too late.
Note, I’m not trying to be the PCI compliance police here, you’re free to use whatever payment method you prefer and I’m just passing over the information you may or may not already be aware of.
Take a look here: https://www.pcicomplianceguide.org/faq/
My opinion of it is PCI compliance can be a nightmare and unless familiar with it, use an offsite payment method so you need the lowest required level on your site and they handle everything else. Anyone who handles payment needs to be compliant so there is no such thing as ‘not needing it’, but there are many levels ranging from SAQ-A (lowest) through to SAQ-D (highest).
The additional info you’ve posted here helps and there’s no need for a screenshot if it doesn’t show any additional info, although if you want to add it that’s fine. You’ll need to host the image and post a link here.
We have details on how you can do that here: https://eventespresso.com/wiki/troubleshooting-checklist/#screenshots
OK, so likely nothing to do with the update, we’ll set this aside for now and revisit if needed.
Then you may not need that add-on at all, it’s used to communicate with the Apps and for developers to access EE information from your site if you have something custom.
If not, de-activate that add-on (don’t delete it yet) and check if your event lists and a quick registration function as expected.
No, we have no known issues with EE3 at this time but to explain, the problem on your site is down to the communication between your server and PayPal’s server.
The transaction is returning values that EE doesn’t expect, it could be due to changes on PayPal’s side, although it’s working on my test site using PayPal Sandbox.
To troubleshoot we’d need to add some debug code onto the site to see what is actually being returned, so before doing that and now knowing the above, are you going to continue using PayPal Pro?
I appreciate the info about PCI. I am aware, somewhat, of everything involved and because we do not store any information and everything is processed through PayPal Pro I do not see any issues. I have called PayPal and spoke to a customer service representative after you first wrote about it and they confirmed that everything on their end with PCI is up-to-date and shouldn’t be causing an issue. I also submitted a more detailed inquiry ticket just to triple check.
To your question – we do plan to continue using PayPal Pro so if you can troubleshoot using some debugging code that would be greatly appreciated.
Please let me know what you discover and how else I can assist. I really appreciate your assistance and attention here.
I will be awaiting your update.
As an additional follow-up. I did get official confirmation from PayPal that the PCI is up-to-date and compliant. So there should not be any issues there. I also spoke to their tech support for merchant services and their synopsis is that – since the payment is being posted to our PayPal account – the issue is not with PayPal Pro per se but with the communication between PayPal and our website/Event Espresso. PayPal is taking the payment but the website/Event Espresso isn’t “hearing” that it’s been processed and is therefore showing a decline and not issuing a ticket.
Not sure if this is helpful, but in an effort to expedite I thought I would share their thoughts.
Thanks for your help and time.
I’m sorry to keep harping on about it but I don’t want you misinformed, your understanding is incorrect here. It’s a common misunderstanding and not helped by all of the conflicting info you’ll read and hear.
PCI compliance does not just apply if you store card details, to quote the site I linked you to:
In effect, PCI compliance applies to everyone, it is the level that changes.
Your site transmits the card details to PayPal directly meaning you take the card details on your site then send them over to PayPal, if your server is compromised those card details can be easily captured.
Sure, of course PayPal are PCI compliant as they are one of the biggest players in the market, they simply must be compliant.
However, that does not mean that you are compliant when using that service unless you have worked through SAQ-D (Take a look HERE) as there’s much more to it than where/what the card details go/do. Specifically, ask the merchant if you and your site are fully PCI compliant simply by using the PayPal Pro or do you need SAQ-D (tbh, it wouldn’t surprise me if that customer service rep just said yes as they are compliant, which again falls into the conflicting info, it’s not correct), the answer should be no.
Ok, then we’ll need to add some debug code to your site so you can test another transaction and see what is shown.
We’ll need access to your site, including FTP access, which you can provide using this form:
Note, we generally require a support token to work directly on the site. However an error should be shown to help troubleshoot this so I’ll add the code without one so we know what is happening. If it turns out this is not an EE issue in itself we will require a support token to troubleshoot on the server further.
Thank you for the continued help. Per your request, I just issued you access to our site. Please let me know if that doesn’t work or if you need further credentials. If you discover an issue that you can assist with and we need to purchase a support ticket – I’d be happy to do so if we can get this fixed today.
Let me know – thank you.
Thanks for the wp-admin details but as mentioned, we also need FTP credentials.
If you don’t have those you’ll need to request them from your host (or create an FTP account on their control panel if you know how). We need some way to access the files on the server to add the code.
Sorry – I overlooked that. I went into my FTP and created those credentials for you and submitted via the same secure log in details link from above. Please note – those are the credentials for the FTP not the cPanel as I incorrectly included in my submission.
Please let me know – thanks again.
Can you recheck the password please.
Also, whilst I haven’t been able to log in, we often get FTP credentials to empty directories as the home directory for that user was not set to root, might be good to confirm this new user account is set to the root directory whilst checking the password.
Is there a way to resend the password to you securely to make sure I sent it properly? When I go to the provided FTP site it says “site of something cool” like it’s a non-existing place. Let me know – thanks. NOTE: I did reset the password settings using the same username/password – so it might be worth giving it a second try if you haven’t already?
I actually set-up the FTP user with GoDaddy and they had me clear the credentials so you have access to everything. So that should be set.
Please let me know – thanks.
The most secure method is using the form from above:
That’s common if the subdomain is being used for FTP only.
Same issue so I assume
What domain did GoDaddy tell you to use? Your site’s domain simply times out when I try to access it using that.
I did it through my C-Panel. There is an “FTP Manager” there, that allows me to “add an FTP account”. I will try resetting the password and resend you credentials. If you have other ideas – let me know.
Hey again, Tony.
In an effort to share as much information as possible to rectify this issue I wanted to share the response I received from PayPal’s integration technical support team. That is as follows:
“I reviewed your Payflow and PayPal accounts, and did not see any issue with the account setup that would be causing any declines. Further, I reviewed your transactions for the past few days, and did not see any that were denied by PayPal/Payflow. What I believe is happening here is that Event Espresso is either not reading the API response data correctly, or not receiving IPN data, and doesn’t know if the payment completed or not, and is showing the payment as “declined”/“incomplete”. Typically with PayPal Pro transactions, the software should be reading the API response data to indicate whether the payment was successful or not. PayPal Express transactions, on the other hand, should utilize IPN (Instant Payment Notification) messages to know whether the payment was completed, which appears to be setup properly in your PayPal account.
Please let me know if you have any follow up questions, or if Event Espresso has any questions/clarification for PayPal, and I’ll be here to help where I can. Have a great, safe rest of your day, Nick, and I look forward to hearing back from you.”
Please note – I removed a middle section where they suggested I reach out to you, for brevity’s sake.
Excited to hear back and see what you discover. If you are still having trouble getting into our FTP please let me know.
Thanks for the update and yes, this is something with the API response which is why I need to add some code to the site. The PayPal Pro payment method works fine on my test sites so I need to see the exact response on your site.
The plugin is checking for a specific field to be a specific set of values, it’s either not one of those or nothing at all (an error on the request itself) but that’s not being shown through the ‘normal’ error catch we have within the payment method.
I emailed you directly over the FTP credentials, unfortunately they still don’t work so I requested you send over the FTP config file from your cPanel account so I can import it directly. Both me and Josh tested the credentials and get an authentication error so far.
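
The kind of debug check discussed above, as an added example that is not part of the thread and not Event Espresso's code: it separates an approved reply, a declined reply, a reply whose status field holds an unexpected value, and no reply at all, and masks card and credential fields before anything is logged. It assumes a URL-encoded name/value reply with an `ACK` field (classic PayPal NVP style); the thread does not name the field the plugin checks, and the function names and sample replies are constructed for illustration.

```php
<?php
// Assumption: the gateway reply is a URL-encoded name/value string whose
// status lives in an ACK field. The thread does not say which field EE reads.
const APPROVED_ACKS = ['success', 'successwithwarning'];
const DECLINED_ACKS = ['failure', 'failurewithwarning'];
// Request fields masked in case the request is logged next to the reply.
const MASKED_KEYS = ['ACCT', 'CVV2', 'EXPDATE', 'PWD', 'SIGNATURE', 'USER'];

function classify_gateway_reply(?string $raw): array
{
    if ($raw === null || trim($raw) === '') {
        // The request itself failed: nothing came back to inspect.
        return ['status' => 'no_response', 'fields' => []];
    }
    parse_str($raw, $fields);
    $fields = array_change_key_case($fields, CASE_UPPER);
    $ack = strtolower(trim((string) ($fields['ACK'] ?? '')));
    if (in_array($ack, APPROVED_ACKS, true)) {
        $status = 'approved';
    } elseif (in_array($ack, DECLINED_ACKS, true)) {
        $status = 'declined';
    } else {
        // Neither list matched: report it separately, not as a decline.
        $status = 'unexpected';
    }
    return ['status' => $status, 'fields' => $fields];
}

function redact_for_log(array $fields): string
{
    foreach ($fields as $key => $value) {
        if (in_array($key, MASKED_KEYS, true)) {
            $fields[$key] = '[masked]';
        }
    }
    return json_encode($fields);
}

// Constructed sample replies (not captured from the site in the thread).
$samples = [
    'ACK=Success&TRANSACTIONID=TESTTXN0001&AMT=25.00',
    'ACK=Failure&L_ERRORCODE0=00000&L_LONGMESSAGE0=constructed%20decline',
    'RESULT=0&RESPMSG=Approved', // different field set: no ACK at all
    '',                          // empty body, e.g. a transport error
];
foreach ($samples as $raw) {
    $result = classify_gateway_reply($raw);
    echo $result['status'], ' ', redact_for_log($result['fields']), PHP_EOL;
}
```

Keeping "unexpected" and "no_response" apart from "declined" is what lets the log show that money may have moved even though the status field did not match.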