What to do regarding PayPal Security Upgrades (layman)
If you have received an email from PayPal titled “Changes required to your PayPal integration to continue accepting payments.”, you are not alone. It does seem pretty important, and a quick check on PayPal’s developer site will indicate that it is legitimate (in case you suspected it was spam).
It states that PayPal is going to perform security updates in the early months of 2016, and it quickly answers that yes, you do need to take action, or else suffer the consequences of a non-functioning payment gateway.
Update: Some of the deadlines have been extended to 2017, which means more time for implementation changes to take place.
Security Changes and Deadline
Opening the link provided takes us to a list of security changes, shown below, which I have rearranged in order of implementation deadline. We also learn that this is part of an industry-wide initiative (worldwide, I suppose) to improve security standards. This is indeed a good thing, albeit with the trouble of necessary updates and changes (which would be unnecessary only if all of mankind were angels and no hackers existed).
- IP Address Update for PayPal SFTP (deadline over)
- SSL Certificate Upgrade (June 17, 2016)
- IPN Verification Postback to HTTPS (June 2017)
- TLS 1.2 upgrade (support for TLS 1.0 will be retired) – June 2017
- Discontinue Use of GET Method for Classic APIs Microsite (June 2017)
- Merchant API Credential Upgrade (to SHA-256 2048-bit credentials) – Jan 31, 2016 and Jan 1, 2018
Other than trying to understand this gibberish, what is a layman to do? Here I will try to provide a brief description of each item, followed by some typical recommendations. So no need to panic, let's begin.
IP Address Update for PayPal SFTP (deadline over)
If you exchange files with PayPal via SFTP and have not noticed anything wrong with your file transfers so far, then things are probably working fine, because the deadline for implementation has passed. If you are not so lucky, get your tech person to check that the DNS, IP address and firewall settings are configured properly and that the connections are tested.
SSL Certificate Upgrade (June 17, 2016)
SSL is mainly seen on websites whose URLs begin with https, and its purpose is to secure any sensitive data transferred between your website and your users. This data transfer used to be secured with keys that were considered secure enough because they would take a long time to break. But with recent great improvements in computing power, this is starting to be threatened. If you are purchasing web hosting, check with your host, or get your tech person to ask them, whether they are ready for SHA256 and compatible with the G5 root certificate. If you are running your own servers, then you will need to check your keystore.
IPN Verification Postback to HTTPS (June 2017)
IPN is basically used by PayPal to notify your website of an event, so that it can perform a follow-up task (e.g. a backend service or administrative work after a user makes a payment). Moving forward, only HTTPS (SSL) will be supported for the IPN acknowledgement sent back to PayPal. PayPal needs this acknowledgement so that it knows you have heard its call, and it wants this communication to be secure. Either get your tech person to check this in your code, or get the plugin owner/support to check it.
TLS 1.2 upgrade (support for TLS 1.0 will be retired) – June 2017
The TLS 1.2 and HTTP/1.1 protocols are quite technical to go into, but they are basically rules for securing communications between computers. These protocols will be needed to support the newer and more secure communication, e.g. the SHA256 mentioned above, so make sure that your host has checked this on their side, because it's going to come sooner or later. If you host your own server, get your tech person to check.
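For the tech person: a sketch of an IPN verification postback that meets both the HTTPS requirement and the TLS 1.2 requirement described above. This is an added example, not PayPal's code or code from any plugin; the endpoint URL is a placeholder and the function names and sample body are made up for illustration, while cmd=_notify-validate and the VERIFIED reply come from PayPal's IPN protocol.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Placeholder endpoint (assumption): use the postback URL from PayPal's IPN docs.
IPN_ENDPOINT = "https://ipn-postback.example.invalid/verify"

# Constructed sample of the raw body an IPN listener would receive.
SAMPLE_IPN_BODY = b"payment_status=Completed&txn_id=TEST123&mc_gross=10.00"


def tls12_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    if not ssl.HAS_TLSv1_2:
        raise RuntimeError("this Python/OpenSSL build cannot speak TLS 1.2")
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_postback(raw_body: bytes, endpoint: str = IPN_ENDPOINT) -> urllib.request.Request:
    """Build the acknowledgement: HTTPS only, sent with POST, body echoed unchanged."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"postback endpoint must be https://, got {endpoint!r}")
    # Echo the received bytes exactly as they arrived, after the validate command.
    data = b"cmd=_notify-validate&" + raw_body
    return urllib.request.Request(
        endpoint,
        data=data,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def verify_ipn(raw_body: bytes, endpoint: str = IPN_ENDPOINT) -> bool:
    """Send the postback; only a literal VERIFIED reply counts as genuine."""
    req = build_postback(raw_body, endpoint)
    with urllib.request.urlopen(req, context=tls12_context(), timeout=30) as resp:
        return resp.read().strip() == b"VERIFIED"


if __name__ == "__main__":
    # Offline check: show what would be sent without contacting any server.
    req = build_postback(SAMPLE_IPN_BODY)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    print("minimum TLS:", tls12_context().minimum_version.name)
```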
Discontinue Use of GET Method for Classic APIs Microsite (June 2017)
If you use any of the following PayPal features, then take note: Express Checkout, Website Payments Pro, MassPay and Button Manager. These are mostly used by your e-commerce plugin to communicate with PayPal. If it is still using an old method called GET, it will need to be changed to POST. This is found in the code, and will need to be checked by your tech person or plugin developer.
Merchant API Credential Upgrade (to SHA-256 2048-bit credentials) – Jan 31, 2016 and Jan 1, 2018
Basically, if your host or server is using PayPal’s old version of the certificate, it needs to be updated to the new one (again for SHA256). Some backend method calls in your code may use these credentials to communicate with PayPal. This is also found in code, so either your tech person or your e-commerce plugin developer will need to confirm whether they are using these APIs for their method calls.
You may still have found this difficult to digest, or found something questionable. Feel free to comment and ask questions so we can all discuss and learn.
Full details: https://www.paypal-knowledge.com/infocenter/index?page
PayPal developer blog link below: