With payment service providers (PSPs), the general communication setup usually looks something like this:
1) Your server contacts the PSP and establishes the transaction, indicating the required amount and details of your PSP account.
2) The PSP responds with a transaction identifier, which you then add to the form. This transaction identifier does not contain pricing information - it is simply the identifier of the transaction record set up by your server with the PSP.
3) The visitor fills out a form, which is sent to the PSP. The PSP then redirects the visitor to your site.
4) Your server queries the PSP server and verifies that the transaction was successful (i.e., the visitor's payment method was OK, they completed the transaction with the PSP, etc.)
Communication between the server and the PSP is usually done using a library such as curl.
Google provides several libraries / examples of how to handle transactions correctly (and most other PSPs do the same, in my experience): http://code.google.com/apis/checkout/samplecode.html
The exact information about the connection may vary depending on the PSP, but in principle it should not be necessary for the "total amount" to pass through the form displayed to the visitor. All this is done from server to server so that the visitor cannot change the details.
Allenjb
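The four steps in the answer above, sketched as an added example that is not part of the original answer and not any PSP's real API. `MockPSP`, `Shop` and all their method and field names are hypothetical, and the PSP is simulated in-process; in practice these calls are server-to-server HTTPS requests.

```python
import secrets

class MockPSP:
    """Constructed in-process stand-in for a PSP's server-to-server API."""
    def __init__(self):
        self._tx = {}

    def create_transaction(self, account, amount_cents, currency):
        tx_id = secrets.token_urlsafe(16)   # opaque id, carries no pricing data
        self._tx[tx_id] = {"account": account, "amount_cents": amount_cents,
                           "currency": currency, "status": "pending"}
        return tx_id

    def visitor_pays(self, tx_id):          # step 3: visitor submits the form to the PSP
        self._tx[tx_id]["status"] = "paid"

    def get_transaction(self, tx_id):
        tx = self._tx.get(tx_id)
        return dict(tx) if tx else None

class Shop:
    """Merchant server: the amount only ever travels server to server."""
    def __init__(self, psp, account):
        self.psp, self.account, self.orders = psp, account, {}

    def start_checkout(self, order_id, amount_cents, currency="USD"):
        # Steps 1-2: register the amount with the PSP, remember it locally.
        tx_id = self.psp.create_transaction(self.account, amount_cents, currency)
        self.orders[tx_id] = {"order_id": order_id, "amount_cents": amount_cents,
                              "currency": currency, "fulfilled": False}
        return {"tx_id": tx_id}             # the only field put into the visitor's form

    def handle_return(self, form):
        # Step 4: ignore everything in the form except the id, then ask the PSP.
        order = self.orders.get(form.get("tx_id"))
        if order is None or order["fulfilled"]:
            return False                    # unknown id, or this return was already processed
        tx = self.psp.get_transaction(form["tx_id"])
        ok = (tx is not None
              and tx["status"] == "paid"
              and tx["account"] == self.account
              and tx["amount_cents"] == order["amount_cents"]
              and tx["currency"] == order["currency"])
        order["fulfilled"] = ok
        return ok
```

Any amount field a visitor adds to the returned form is never read, so it cannot affect what was charged or what the shop records.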