Thursday, March 29, 2018

Users can copy & paste a credit card payment URL and process a payment without our knowledge, any suggestions?

Our customers can copy & paste the URL of a third party payment and make payments even when logged out of our software.

If the users do this we currently have no way of knowing, and our records will not show that they made a payment.

Obviously this is a pretty serious issue.

I'm a newer developer and this is a rather daunting, open-ended problem that I'd like some guidance on.

Here's what I have to go on so far:

  1. The postback from this third party payment page contains all of the information necessary for us to create a record of the payment.

Is there a way we can capture this postback even when the user is logged out of our software, so that our records never get out of sync with the third party's?

  2. Another idea is to only permit payments to be made when the user is also logged into our server, regardless of how they arrived at the URL.

How can we track this with a third party web page?

Sorry if this is an overloaded question; imagine how I feel!

Thanks in advance for your help!
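
One way to approach the first idea, as an added example that is not part of the original post: a postback handler that the payment processor calls server-to-server and that never consults a login session. It assumes the processor signs each postback with a shared-secret HMAC and includes an order reference; the field names, secret and sample values are hypothetical.

```python
import hashlib
import hmac

# Assumption: the processor signs postbacks with HMAC-SHA256 over the sorted
# fields using a shared secret. Field names are hypothetical, not a real gateway's.
SHARED_SECRET = b"constructed-demo-secret"


def sign(fields, secret=SHARED_SECRET):
    """Canonicalise the fields (sorted key=value pairs) and return the hex HMAC."""
    canonical = "&".join(
        f"{key}={fields[key]}" for key in sorted(fields) if key != "signature"
    )
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def handle_postback(fields, ledger, secret=SHARED_SECRET):
    """Record a payment from a postback without looking at any user session.

    The account is resolved from the order reference carried in the postback,
    so a payment made while logged out still produces a record.
    """
    supplied = str(fields.get("signature", ""))
    if not hmac.compare_digest(supplied.encode(), sign(fields, secret).encode()):
        return "rejected"  # forged or tampered postback
    txn_id = fields.get("transaction_id")
    if not txn_id or "order_ref" not in fields or "amount" not in fields:
        return "rejected"  # signed but incomplete: nothing safe to record
    if txn_id in ledger:
        return "duplicate"  # processor retries must not double-count
    ledger[txn_id] = {"order_ref": fields["order_ref"], "amount": fields["amount"]}
    return "recorded"


if __name__ == "__main__":
    # Constructed sample postback, signed the way the assumed processor would.
    postback = {"transaction_id": "T-1001", "order_ref": "ORD-42", "amount": "19.99"}
    postback["signature"] = sign(postback)
    ledger = {}
    print(handle_postback(postback, ledger))                       # first delivery
    print(handle_postback(postback, ledger))                       # retry
    print(handle_postback(dict(postback, amount="0.01"), ledger))  # tampered
```

Keying the ledger on the processor's transaction id is what keeps the two sets of records in sync when the same postback is delivered more than once.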



