paypalvaultpaypal-vault

Prevent vaulting of duplicate cards using PayPal SDK in PHP without access to card details


I am using the PayPal SDK to process payments and vault credit card information after an order is created. The flow is as follows:

  1. An order is created.

  2. PayPal SDK captures the order with the entered card details (we don't have access to these card details on theclient side as the PayPal SDK renders the card fields)

  3. On success,the card is vaulted against the customer's ID.

The issue I'm facing is that if a same user enters the same card again, the card is vaulted a second time, creating duplicate vaulted cards.

What I need:

  1. If the user tries to vault the same card again, it should not be vaulted.
  2. We don't have access to the card details on the client side, so we can't compare card numbers directly.

My current attributes for vaulting are:

  $payment_source = $customer_exist ? [
  "card" => [
    "attributes" => [
      "customer" => [
        "id" => $customer_id,
      ],
    ],
    "vault" => [
      "store_in_vault" => "ON_SUCCESS",
      "usage_type" => "PLATFORM",
      "customer_type" => "CONSUMER",
      "permit_multiple_payment_tokens" => true,
    ],
    "verification" => [
      "method" => "SCA_ALWAYS",  // or "SCA_WHEN_REQUIRED"
    ]
  ],
  "experience_context" => [
    "shipping_preference" => "NO_SHIPPING",
    "return_url" => isset($return_url) && $return_url ? $return_url : "https://example.com",
    "cancel_url" => "https://example.com"
  ]
] : null;

What I've tried:

I set "permit_multiple_payment_tokens" => false to prevent multiple tokens, but this didn't resolve the issue.

Since we don't have access to the actual card details (only the tokenized version managed by PayPal), is there a way to check if the card is already vaulted before creating a new entry for it?

Any suggestions on how to solve this?


Solution

  • Don't prevent it.

    When cards are vaulted, store the last 4 digits of the card. Display currently vaulted cards when the user attempts to add another, so they can see it's already there.

    The odds of the same user having two different cards that end with the same last 4 digits are very low, so in theory you could reject duplicates based on that. I would not bother though.