That may be, but you have the ability to invalidate the payment, as what PayPal sent you in a request for validation showed a price that did not equal what you were expecting to receive. You can use this to then ensure the user doesn’t get a valid key/password/whatever to use the Wifi.
This would put the onus on the customer who tried to cheat the system. Much like how it was common practice to put a sql injection in the login form for most airport wifi connections because it would give you free access.
That is the whole point of IPN to have a validation step in between where you get instant notification of the payment being submitted to ensure it meets your expectations. I really wish I had my side project where I used this available still.