ecommerce stock management with external payment gateway
This question is similar to this one, but with a twist (so the answer accepted for the older question is not valid in the following scenario).

I have a site for selling tickets (PHP/MySQL). Suppose I have just one ticket left:

  • buyer A puts the ticket in her cart and goes to the payment gateway page (i.e. PayPal)
  • the ticket is locked for 5 minutes, so buyer B cannot buy it
  • buyer A waits 5 minutes with the PayPal page open, doing nothing
  • the ticket is unlocked, so buyer B puts it in his cart and goes to the PayPal page
  • buyer A executes the payment procedure on PayPal with success
  • buyer B executes the payment procedure on PayPal with success

I can wait longer, but I don't think this will solve the issue in the more general case. Moreover, if I do that, it will be possible to make some kind of DoS, locking the items in stock for long periods of time.

What's the best way to handle this scenario?

Answers

All payment gateways will do a postback to let you know (e.g.) the payment reference etc. Most will also postback authorisation/authentication information, such as CSC/CVV2 check results, so that you (the merchant) have the final say in whether to accept the payment or not.

On receipt of the postback you should be able to check if the ticket is still locked, and if not, issue a payment reversal through the payment gateway to cancel the payment. You then need to display a message: "Sorry, timeout exceeded, please try again".

If the gateway doesn't support an instant reversal style functionality, then they will at least support some sort of void functionality whereby the funds are never actually taken from the customer's card, and the authorisation hold drops off automatically (usually after two days, though it can take longer on some cards). For the (hopefully small) number of transactions that time out, this may be acceptable. It would be worth monitoring how many transactions time out so that the time-out period can be adjusted.

Alternatively, if the ticket is no longer locked, (and again, if the gateway supports it) send back a Refund payment.
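The postback handling this answer describes, as an added example that is not code from the post or from any gateway: Python with an in-memory SQLite table standing in for the site's MySQL tickets table, a fake gateway object standing in for PayPal, and constructed timestamps. It goes slightly beyond the answer in one respect: a late payment is also accepted when the ticket's hold has lapsed and no other cart has taken it, since voiding it then would lose a sale for nothing.

```python
import sqlite3

# Added example (not the answerer's code): a tiny in-memory stand-in for the site's
# MySQL tickets table, a stand-in gateway, and the postback handler described above.
LOCK_SECONDS = 5 * 60  # the 5-minute hold from the question


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tickets ("
        " id INTEGER PRIMARY KEY,"
        " status TEXT NOT NULL DEFAULT 'available',"  # 'available' or 'sold'
        " locked_by TEXT,"                            # cart holding the lock
        " lock_expires REAL)"                         # unix time the hold lapses
    )
    db.execute("INSERT INTO tickets (id) VALUES (1)")  # the single ticket left
    db.commit()
    return db


def lock_ticket(db, ticket_id, cart_id, now):
    """Hold the ticket for one cart before sending the buyer to the gateway.
    One conditional UPDATE does the check and the write, so two carts cannot
    both succeed: the row changes only if it is unsold and not under a live lock."""
    cur = db.execute(
        "UPDATE tickets SET locked_by = ?, lock_expires = ? "
        "WHERE id = ? AND status = 'available' "
        "AND (locked_by IS NULL OR locked_by = ? OR lock_expires < ?)",
        (cart_id, now + LOCK_SECONDS, ticket_id, cart_id, now),
    )
    db.commit()
    return cur.rowcount == 1


class FakeGateway:
    """Stand-in for PayPal: only records the voids/reversals we issue."""

    def __init__(self):
        self.voided = []

    def void(self, payment_ref):
        self.voided.append(payment_ref)


def handle_postback(db, gateway, ticket_id, cart_id, payment_ref, now):
    """Run when the gateway posts the payment result back to the merchant.
    The sale goes through only if this cart still holds the lock (or nobody
    else holds a live one); otherwise the payment is voided and the buyer
    is told the timeout was exceeded."""
    cur = db.execute(
        "UPDATE tickets SET status = 'sold', locked_by = NULL, lock_expires = NULL "
        "WHERE id = ? AND status = 'available' "
        "AND (locked_by = ? OR locked_by IS NULL OR lock_expires < ?)",
        (ticket_id, cart_id, now),
    )
    db.commit()
    if cur.rowcount == 1:
        return "sold"
    gateway.void(payment_ref)  # funds never captured; the hold drops off later
    return "timeout"


def run_scenario():
    """Replays the question's timeline with constructed timestamps (seconds)."""
    db, gw = make_db(), FakeGateway()
    t0 = 1_700_000_000.0
    a_locked = lock_ticket(db, 1, "cart-A", t0)            # A heads to PayPal
    b_blocked = not lock_ticket(db, 1, "cart-B", t0 + 60)  # B refused while A's hold lives
    b_locked = lock_ticket(db, 1, "cart-B", t0 + 301)      # A idles past 5 min; B takes the hold
    a_result = handle_postback(db, gw, 1, "cart-A", "PAY-A", t0 + 320)  # A pays late
    b_result = handle_postback(db, gw, 1, "cart-B", "PAY-B", t0 + 330)  # B pays
    return (a_locked, b_blocked, b_locked, a_result, b_result, list(gw.voided))


if __name__ == "__main__":
    print(run_scenario())
```

Both decisions are single conditional UPDATE statements, so the "is it still mine?" check and the state change cannot be separated by another request; checking with a SELECT and then writing would reopen the race the question is about. The counter the answer suggests (how many postbacks end in "timeout") falls out of the return value.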

It is likely that you cannot use an external payment gateway entry page and do what it is you are trying to do.

PayPal and many other processors have a direct web service integration route. This means you collect the payment information on your page, it gets submitted to your server, and you make the web service call and get an immediate response from the processor. (I don't remember what PayPal calls the product that does this, but it used to be named PayFlow Pro and was bought from Verisign.)

So you don't lock the tickets when they are placed in the cart. Your workflow would be:

  1. Collect payment information.
  2. Once payment info is posted back to your server:
     a. Try to lock the tickets; return failure if not available.
     b. On successful lock, process authorization.
  3. On successful authorization, tickets are removed from the available pool.
  4. On unsuccessful authorization or error, tickets are unlocked and available for other users.

No need to deal with lock timeouts. They are only locked long enough to verify a valid payment.

You didn't ask about solving the issue while preventing PCI exposure. Since you'll probably ask:

There are processors out there that allow you to embed the payment information collection in your own page. There are some that allow you to obtain a "token" to replace a card number so that your server never receives a card number. The token can then be used on the server side web service call. You get what you need and you don't have to deal with PCI issues around receiving card numbers.
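The four-step workflow from this answer, as an added example that is not the answerer's code and not any processor's API: Python with an in-memory SQLite table in place of the PHP/MySQL site, and a fake processor object whose `authorize` call is an assumption standing in for the direct web-service call. Card data is represented by a token, as the PCI note above suggests; the token values are constructed.

```python
import sqlite3

# Added example (not the answerer's code): the ticket is locked only once payment
# details reach the server, so a hold lives for the length of one authorization call.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE tickets ("
        " id INTEGER PRIMARY KEY,"
        " status TEXT NOT NULL DEFAULT 'available',"  # available | held | sold
        " order_id TEXT)"                             # order that holds/bought it
    )
    db.execute("INSERT INTO tickets (id) VALUES (1)")  # the last ticket
    db.commit()
    return db


def try_lock(db, ticket_id, order_id):
    """Step 2a: one conditional UPDATE claims the ticket atomically, so of two
    requests arriving at the same moment exactly one sees rowcount == 1."""
    cur = db.execute(
        "UPDATE tickets SET status = 'held', order_id = ? "
        "WHERE id = ? AND status = 'available'",
        (order_id, ticket_id),
    )
    db.commit()
    return cur.rowcount == 1


def finalize(db, ticket_id, order_id):
    """Step 3: authorization succeeded; remove the ticket from the pool for good."""
    db.execute(
        "UPDATE tickets SET status = 'sold' "
        "WHERE id = ? AND status = 'held' AND order_id = ?",
        (ticket_id, order_id),
    )
    db.commit()


def release(db, ticket_id, order_id):
    """Step 4: authorization failed; give the ticket back to other buyers.
    The order_id guard stops one order from releasing another order's hold."""
    db.execute(
        "UPDATE tickets SET status = 'available', order_id = NULL "
        "WHERE id = ? AND status = 'held' AND order_id = ?",
        (ticket_id, order_id),
    )
    db.commit()


class FakeProcessor:
    """Stand-in (assumed interface) for the processor's direct web-service call.
    It takes a card token, so no card number touches our server, and declines
    the constructed token 'tok_declined'."""

    def authorize(self, card_token, amount):
        return card_token != "tok_declined"


def checkout(db, processor, ticket_id, order_id, card_token, amount=25.0):
    """Step 2 onward: lock, authorize, then either finalize or release."""
    if not try_lock(db, ticket_id, order_id):
        return "sold_out"
    try:
        approved = processor.authorize(card_token, amount)
    except Exception:  # a network or processor error is treated as a failed authorization
        approved = False
    if approved:
        finalize(db, ticket_id, order_id)
        return "sold"
    release(db, ticket_id, order_id)
    return "declined"


def run_scenario():
    """Three buyers chase the last ticket; all inputs are constructed."""
    db, proc = make_db(), FakeProcessor()
    a = checkout(db, proc, 1, "order-A", "tok_declined")  # A's card is declined
    b = checkout(db, proc, 1, "order-B", "tok_good")      # hold was released, B gets it
    c = checkout(db, proc, 1, "order-C", "tok_good")      # C finds it already sold
    final = db.execute("SELECT status, order_id FROM tickets WHERE id = 1").fetchone()
    return a, b, c, final


if __name__ == "__main__":
    print(run_scenario())
```

The one gap this leaves is a server crash between `try_lock` and `finalize`, which would strand the row in `held`; a sweep that releases holds older than the longest plausible authorization call (well under a minute) closes it without bringing back the five-minute window from the question.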

How about a more social solution instead of a technical one? Why not make it absolutely obvious that a ticket will become unlocked when you wait too long?

I think you should not block the ticket if someone puts it in his cart, as in those 5 mins you might end up driving away a few other customers...

I suggest you allow everyone to add the ticket to his/her cart until someone actually makes the payment and buys it. Now when others proceed to checkout, just flash a message like "Sorry, you are late... Ticket sold out!!!" and the ticket should be removed from their cart.

This way the ticket will not be blocked from your customers, and still the scenario of two people making payment for the same ticket will not arise.
