What Do PayPal’s Security Upgrades Mean For You?

Have you been seeing ‘upcoming changes’ notifications from PayPal and wondering what they mean? Fret no longer: Crucial is here to save the day.

PayPal has announced a set of security upgrades intended to make connections to its systems stronger and more reliable. These security-related product updates are part of an industry-wide initiative to raise security standards. Some of them are mandatory for every website that transmits or processes cardholder data, because the PCI Security Standards Council requires them (PCI DSS 3.1 calls for migrating away from SSL and early TLS).

The changes are being rolled out between 2016 and 2018.

For Crucial customers:

  • If you’re running a VPS with CentOS 6 or later → you’re fine, provided the system is patched: TLS 1.2 needs OpenSSL 1.0.1, which CentOS 6 has shipped since 6.5, and the software that actually makes the PayPal calls (for example PHP’s curl extension) must be built against that OpenSSL.
  • If you’re running a VPS with CentOS 5 or earlier → you’ll need to upgrade to a newer release. CentOS 5 ships OpenSSL 0.9.8, which cannot speak TLS 1.2 at all, and the distribution reached end of life in March 2017.

Is it a dealbreaker or not?

  • If you’re using PayPal for your website and small business → the changes below apply to you; check each one against your integration.
  • If you’re not using PayPal for your website and small business, or it isn’t very important → don’t worry about the security changes.

TLS 1.2 Upgrade


What this means for you:

  • PayPal is upgrading the protocols used to secure all external connections made to its systems.
  • This affects every merchant and partner integration that connects to PayPal’s servers over HTTPS (API calls, IPN verification postbacks and any other server-side HTTPS requests).
  • Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will both be mandatory for communication with PayPal by June 30, 2017; connections that negotiate TLS 1.0/1.1 or speak HTTP/1.0 will be refused after that date.

How to check:

  • You can check whether your systems support the new PayPal requirements using this tool, made by PayPal themselves: https://tlstest.paypal.com. Run the check from the server that makes the PayPal calls, using the same HTTP library your integration uses, since it is that library’s TLS stack that matters.
    • If successful: it returns an HTTP 200 response with the text “PayPal_Connection_OK”.
    • If unsuccessful:
      • HTTPS – it returns an HTTP 400 response with the text “ERROR! Connection is not HTTPS. Please use https://tlstest.paypal.com”.
      • HTTP/1.1 – it returns an HTTP 400 response with the text “ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1”.
      • TLS 1.2 (SHA-256) – if your client cannot negotiate TLS 1.2, the handshake fails before any HTTP response is sent, so your code sees an SSL/TLS connection error rather than an HTTP status.

For technical information: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US
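The following script, added here as an example and not taken from the article or from PayPal, performs the check above the way a server-side integration should: it builds a client TLS context that refuses anything below TLS 1.2, connects to https://tlstest.paypal.com over HTTP/1.1, and maps the documented responses to a verdict. Only the Python standard library is used; the hostname comes from the article, and everything else (function names, the verdict strings) is this example’s own.

```python
"""Check that this host can reach PayPal the way the June 2017 rules require:
HTTPS with TLS 1.2 or better, HTTP/1.1, and a certificate chain the system trusts."""
import http.client
import ssl

TEST_HOST = "tlstest.paypal.com"   # PayPal's published test endpoint (from the article)


def make_tls12_context():
    """Client context that refuses TLS 1.0/1.1 and verifies the server chain and hostname."""
    ctx = ssl.create_default_context()            # system trust store, CERT_REQUIRED, hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # fail the handshake rather than fall back
    return ctx


def classify(status, body):
    """Map the test endpoint's documented responses to a short verdict (names are this example's)."""
    if status == 200 and "PayPal_Connection_OK" in body:
        return "ok"
    if status == 400 and "not HTTPS" in body:
        return "not_https"
    if status == 400 and "HTTP/1.0" in body:
        return "http10"
    return "unexpected"


def check_paypal_tls(host=TEST_HOST, timeout=10):
    """Return (verdict, detail). A TLS problem shows up as a handshake error, not an HTTP status."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=make_tls12_context())
    try:
        conn.connect()                                  # the TLS handshake happens here
        negotiated = conn.sock.version()                # e.g. "TLSv1.2" or "TLSv1.3"
        # http.client speaks HTTP/1.1 and adds the Host header itself.
        conn.request("GET", "/", headers={"User-Agent": "paypal-tls-check/1.0"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        return classify(resp.status, body), "%s, HTTP %d: %s" % (negotiated, resp.status, body)
    except ssl.SSLError as exc:                         # protocol version or certificate problem
        return "tls_failure", "handshake failed before any HTTP response: %s" % exc
    except OSError as exc:                              # DNS, firewall, timeout
        return "network_failure", str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    verdict, detail = check_paypal_tls()
    print(verdict, "-", detail)
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)     # TLS 1.2 needs OpenSSL 1.0.1 or newer
```

Run it on the VPS itself, not on your laptop: a “tls_failure” verdict there means the OpenSSL that Python links against is too old, and a PHP or Java integration on the same box needs its own check against its own TLS library.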

IP Address Update for PayPal Secure FTP

What this means for you:

  • If your website integration exchanges files with PayPal’s Secure FTP Reporting/Batch servers, the IP addresses of those servers are changing, and anything that references the old addresses must be updated.
  • The change was made as of May 12, 2016.

What to do: update any SFTP client configuration, scripts and firewall allow-list rules that still point at the old addresses. For technical information: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1912&viewlocale=en_US

IPN Verification Postback to HTTPS


What this means:

  • If you use PayPal’s Instant Payment Notification (IPN) service, your listener must post the message back to PayPal for verification over HTTPS.
  • After June 30, 2017, HTTP postbacks will no longer be supported.

What to do: change the postback URL in your IPN listener from http:// to https:// and make sure the HTTP library it uses verifies PayPal’s certificate. For technical information: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1916&viewlocale=en_US

Merchant API Credential Upgrade


What this means:

  • PayPal’s API certificate credentials are being upgraded to 2048-bit certificates signed with SHA-256. If you authenticate to the API with a certificate, you’ll need to have a new one issued and use it for all API requests.
  • The exact timing depends on when your current certificate expires, but the upgrade must be complete by Jan 1, 2018.

What to do: have a new API certificate issued by PayPal, install it in your integration and switch every API request over to it before the old one expires. For technical information: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1915&viewlocale=en_US

SSL Certificate Upgrade


What this means:

  • PayPal is upgrading the SSL certificates used to secure its websites and API endpoints.
  • You’ll need to ensure that your environment supports certificates signed with SHA-256 and stop relying on the VeriSign G2 root certificate (a 1024-bit root) for trust; PayPal’s new certificates chain to the 2048-bit VeriSign G5 root.
  • This needs to be done by June 17, 2016.

What to do:

1. Check that your system supports SHA-256-signed certificates (a current OpenSSL, Java or .NET runtime does; very old ones do not).
2. Check that the VeriSign G5 root certificate is present in the trust store your integration actually uses for chain validation (the system CA bundle, or a bundle your application pins).

How to check: see the technical information at https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US
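The script below is an added example (not the article’s or PayPal’s code) that performs both checks against a PEM CA bundle such as /etc/pki/tls/certs/ca-bundle.crt on CentOS: it reports whether the local OpenSSL is new enough for SHA-256 and TLS 1.2, and whether the G5 root (and the retired G2 root) are present. The subject-name strings for the two roots are assumed from the certificates themselves and should be confirmed against PayPal’s FAQ; the sample bundle at the bottom is constructed from fake certificates so the script can be exercised offline.

```python
"""Inspect a PEM CA bundle for the VeriSign G5 root (and the retired G2 root) and report
whether the local OpenSSL can handle SHA-256 signatures and TLS 1.2."""
import base64
import hashlib
import re
import ssl

# Assumed subject strings of the two roots (confirm against PayPal's FAQ / the bundle itself).
G5_MARKER = b"VeriSign Class 3 Public Primary Certification Authority - G5"
G2_MARKER = b"Class 3 Public Primary Certification Authority - G2"

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def iter_der_certs(bundle):
    """Yield each certificate in a PEM bundle as DER bytes."""
    for match in PEM_CERT.finditer(bundle):
        yield base64.b64decode(b"".join(match.group(1).split()))


def find_roots(bundle):
    """Return {'g5': [sha256 fingerprints], 'g2': [...]} for self-signed certs carrying each name.

    DER stores subject and issuer names as plain ASCII strings, so a byte search finds them
    without an ASN.1 parser. A root is self-signed, so its name occurs twice (issuer and
    subject); an intermediate issued by that root carries the name only once and is skipped.
    """
    found = {"g5": [], "g2": []}
    for der in iter_der_certs(bundle):
        fingerprint = hashlib.sha256(der).hexdigest()
        if der.count(G5_MARKER) >= 2:
            found["g5"].append(fingerprint)
        if der.count(G2_MARKER) >= 2:
            found["g2"].append(fingerprint)
    return found


def openssl_supports_tls12():
    """OpenSSL 1.0.1 introduced TLS 1.2; OPENSSL_VERSION_INFO is (major, minor, fix, patch, status)."""
    return tuple(ssl.OPENSSL_VERSION_INFO[:3]) >= (1, 0, 1)


def assess(bundle):
    roots = find_roots(bundle)
    return {
        "sha256_digest_available": "sha256" in hashlib.algorithms_available,
        "tls12_capable_openssl": openssl_supports_tls12(),
        "g5_root_trusted": bool(roots["g5"]),
        "g2_root_still_present": bool(roots["g2"]),
        "g5_fingerprints": roots["g5"],   # compare with the fingerprint PayPal publishes
    }


def _fake_pem(der):
    """Wrap arbitrary bytes as a PEM block; used only to build the constructed sample below."""
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


# Constructed sample bundle (not real certificates): a fake self-signed "G5" root followed by
# a fake intermediate whose issuer is G5 but whose subject is something else.
SAMPLE_BUNDLE = (_fake_pem(b"\x30\x82issuer=" + G5_MARKER + b"subject=" + G5_MARKER)
                 + _fake_pem(b"\x30\x82issuer=" + G5_MARKER + b"subject=Example Intermediate CA"))

if __name__ == "__main__":
    # CentOS keeps the system bundle at /etc/pki/tls/certs/ca-bundle.crt; ask Python where it looks.
    path = ssl.get_default_verify_paths().cafile or "/etc/pki/tls/certs/ca-bundle.crt"
    with open(path, "rb") as fh:
        report = assess(fh.read())
    for key, value in report.items():
        print("%-24s %s" % (key, value))
    print("OpenSSL:", ssl.OPENSSL_VERSION)
```

If your integration pins its own CA bundle (a cacert.pem shipped with a PHP SDK, a Java keystore), run the check against that file, since the system bundle being up to date does nothing for a client that never reads it.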