I'm conisdering adding payment possibilities to a PHP script I am developing. I think the first way I'll do this will be through StormPay.
I've read somewhere that Stormpay have an IPN system, where they call a script on your server, to confirm that a page has been called.
I can't find any documention on this IPN system, but from what I do know(which isn't an awful lot), Stormpay get a request from my client, they verify details, they send the IPN to a confirmation page on my server, and they they forward the user to my "thank you" page.
Any links on where I can get more information on this would be appreciated.
Also what security precautions would need to be taken regarding this.
I'm aware that CC Card security is taken care of by StormPay's server, but how do I make sure that people don't simply access the confirmation page(the page my server uses to confirm that they've paid) directly, without paying the money to Stormpay? I know I could make sure the IP address calling the page is the one used by the IPN, but can't IP addressed be spoofed?
I know I'm not going to get a 100% secure solution, but I'd like to close up any known security holes, to make it as difficult as possible.
Any information on what alternatives are available besides stormpay(besides paypal), as well as their pros and cons would also be appreciated.
Since this question is in parts, I'll award points for the different parts, if someone answers one part of the question and not another. I'll also add more points if the answer(or any part of the answer) proves to be more complex than I thought, or is merited by 300 points.