[FIXED] What PayPal data should I save in my database for future use?

Issue

You know how in some sites you can save a payment method like a credit card that you can use later without having to fill the needed fields again?

I've never used PayPal and couldn't seem to be able to find what data is usually filled when making a purchase.

CREATE TABLE VisaPayment (
    idVisaPayment int NOT NULL AUTO_INCREMENT,
    name varchar(100) NOT NULL UNIQUE,
    idUser int NOT NULL,
    cardNumber int NOT NULL,
    cardCVCNumber int NOT NULL,
    cardExpirationDate int NOT NULL,
    PRIMARY KEY (idVisaPayment),
    FOREIGN KEY (idUser) REFERENCES Users(idUser),
);

If the above is my table for storing Visa card data, what attributes should I save for PayPal?

I found What kind of data obtained from a paypal transaction I should store inside my local database? and Which API will allow me to save PayPal as a reusable payment type, but they're not what I'm looking for. The case in the first link is for after a purchase has been made and the latter requires something called a reference transaction, which I cannot (nor wish to) obtain because I don't have a business.

This is for a project database.

So for now, all I have is the following code:

CREATE TABLE PaypalPayment (
    idPaypalPayment int NOT NULL AUTO_INCREMENT,
    name varchar(100) NOT NULL UNIQUE,
    idUser int NOT NULL,
    <???>
    PRIMARY KEY (idPaypalPayment),
    FOREIGN KEY (idUser) REFERENCES Users(idUser),
);

Solution

Some notes on storing cards:

1. If you are storing a real card number, it needs to be securely encrypted. There are strict Payment Card Industry (PCI) guidelines on this, and you need to follow a lengthy questionnaire (SAQ-"D") to be compliant if you really are storing ~16 digit numbers.
2. You are not allowed to store a CVC/CVV number, ever. Under absolutely no circumstances. It is the kind of information that needs to be immediately forgotten after it is inputted and transmitted (anything else is a complete violation of card processing rules)

---

Regarding a record of a successful PayPal transaction:

1. This is very simple, there will be a completed PayPal capture or transaction ID, which is 17 alphanumeric capitals. It is not the same as a v2/checkout/orders ID, which can have the same 17 alphanumeric format but is only used during the checkout approval process. So, after a PayPal order is captured, there will be a deeper payment object in the capture response with a new id that is the actual transaction ID. This new id from the capture response is what should be persistently stored and used for accounting purposes, and can be reconciled with reports in the receiving www.paypal.com account.
2. Note that the transaction ID in the receiving PayPal account, and the transaction ID that the payer will see in their sending PayPal account, are two different transaction IDs, so do not display the above mentioned transaction ID to the buyer. Only display your own invoice ID, which should be unique and which you can pass along as part of the PayPal transaction when you set it up.

Answered By - Preston PHX

Answer Checked By - Marie Seifert (PHPFixing Admin)