We just set up the Payflow Pro gateway and hooked it to our merchant account a couple days ago.
This morning there is a ‘declined’ charge coming from the ID and User we created for Magento.
Looking into it further - the PayPal records show a billing name, shipping address, and other order type information.
Magento Admin DOES NOT HAVE THIS ORDER
So - How is someone using the unique user we created for Magento for our merchant gateway to make an order that isn’t in Magento?
The Magento site is fully SSL, and it hasn’t even seen much traffic - we just started going live and have had a few visits - and now we have our first mystery fraud.
How is it that Magento can be so easily spoofed into sending a transaction? This potentially really bad news for anyone using magento community version and a on-site payment method.
Thankfully the transaction was declined because of missing some information - but the real issue is how someone got the User ID for our merchant gateway from Magento so easily. bad Magento!