PayPal IPN validation

Question

Following is from PayPal Order Management Integration Guide:

Processing the PayPal Response to Your Postback

PayPal responds to your postbacks with a single word in the body of the response: VERIFIED or INVALID.

When you receive a VERIFIED postback response, perform the following checks on data in the IPN:

1. Check that the payment_status is Completed.
2. If the payment_status is Completed, check the txn_id against the previous PayPal transaction that you processed to ensure it is not a duplicate.
3. Check that the receiver_email is an email address registered in your PayPal account.
4. Check that the price, carried in mc_gross, and the currency, carried in mc_currency, are correct for the item, carried in item_name or item_number.

After you complete the above checks, notification validation is complete. You can update your database with the information provided, and you can initiate other appropriate automated back-end processing.

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">

    <input type="hidden" name="cmd" value="_cart" />
    <input type="hidden" name="upload" value="1" />
    <input type="hidden" name="business" value="GXLC9H9VFPLQE">

    .....


    <input type="submit" name="Submit" value="Submit" />

</form>

In step 3 I should check receiver_email, but I don't want to.

I don't want to keep my paypal account email in my application.

My question is: can I check business variable instead?

Answer 1

I have an answer here:

The 'checks' provided are just recommendation and not a requirement to use the IPN. You can check for "business" instead of "receiver_email". However, if you pass in the form, the value of "business" that is returned to you in the IPN will be the merchant email address on your account while the value of "receiver_id" will be GXLC9H9VFPLQE.

So if you want to check for your merchant ID instead of email address, then check for "receiver_id".