Task #1844

closed

PayPal security upgrades

Added by Florian Effenberger about 8 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Category: -
Target version: Team - Q2/2017
Start date:
Due date: 2017-06-30
% Done: 0%
Tags:

Actions #1

Updated by Florian Effenberger almost 8 years ago

"We’re rescheduling 3 of the upgrades and postponing them until the middle of 2017. They are:

  • TLS 1.2 HTTP/1.1 requirement
  • HTTPS requirement for IPN Postback
  • Discontinue GET Method for Classic API

Due to industry standards, the move to SHA-256 for our endpoints needs to happen in 2016."

According to PayPal, we need to act on:

Actions #2

Updated by Florian Effenberger over 7 years ago

  • Assignee changed from Alexander Werner to Christian Lohmaier
  • Target version changed from Q2/2016 to Qlater

Nothing needs doing at the moment, so re-assigning to Cloph and later

Actions #3

Updated by Florian Effenberger over 7 years ago

  • Due date deleted (2016-06-17)

Actions #4

Updated by Florian Effenberger over 7 years ago

  • Due date set to 2017-06-30

Still pending seems to be "TLS 1.2 AND HTTP/1.1 Upgrade" (https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1914&viewlocale=en_US), due 30 June 2017

Actions #5

Updated by Florian Effenberger about 7 years ago

  • Target version changed from Qlater to Q2/2017

Actions #6

Updated by Florian Effenberger about 7 years ago

As per their latest mail:

As a leading payment provider, security is our number one priority and PayPal continually invests and innovates to deliver the strongest protection possible.  In some instances, this means adapting to our environments and upgrading merchant integrations to the current industry standards, like those set by the Payment Card Industry (PCI) Security Standards Council. We appreciate your patience and support of protecting our customers and their payments. 

To better assist customers with these security updates, we’ve created the following materials to further clarify this technical update: 

• 2016-2017 Merchant Security Roadmap
• TLS 1.2 and HTTP/1.1 Upgrade Roadmap
• PayPal security guidelines and best practices. 

We also encourage you to speak with your web hosting company, e-commerce software provider or in-house web programmer/system administrator for further assistance in implementing these changes, if needed.

Scheduled change dates provided in this email and on the TLS 1.2 and HTTP/1.1 Upgrade Microsite are subject to change. Please monitor our TLS 1.2 and HTTP/1.1 Upgrade Microsite for the most up-to-date information.

Below are a few key points concerning security updates we will begin implementing after June 30, 2017 and we strongly recommend your systems be compatible to ensure your business is not disrupted.

• The PayPal Sandbox, or testing environment, has been upgraded to allow only TLS 1.2 and HTTP/1.1 connections. 

• All production endpoints will be updated to accept only TLS 1.2 and HTTP/1.1 connections after June 30, 2017.  Please note that if you haven’t made the necessary upgrades to your systems to become compliant, your business will be unable to accept payments with PayPal until the required changes have been made.

• A verification endpoint is available, which can be found at http://links.mkt2944.com/ctt?kn=20&ms=NTM0NzAwNjkS1&r=MjE0NDg0ODcyMTg0S0&b=2&j=MTEwMzUwMTY0NQS2&mt=1&rt=0 and has the latest security standards so customers can quickly check if their systems are ready to accept transactions after June 30, 2017.

There are four remaining areas that our security upgrades will impact and we’ve identified the areas that need your attention. The chart below shows whether you’ll need to make changes, or if your business is already compliant or doesn’t use that functionality:

• TLS 1.2 and HTTP/1.1 Upgrade – Complete by June 30, 2017
- Update Needed: Yes

• IPN Verification Postback to HTTPS – Complete by June 30, 2017
- Update Needed: No

• Discontinue Use of GET Method for Classic NVP/SOAP API’s – Complete by June 30, 2017
- Update Needed: No

• Merchant API Certificate Credentials Upgrade – Complete by January 1, 2018
    o Please note that this may be completed earlier based on the expiration date of your certificate. 
- Update Needed: No

• IP Address Update for PayPal Secure FTP Servers – Completed as of May 12, 2016

• SSL Certificate Upgrade – Completed as of October 18, 2016

Actions #7

Updated by Christian Lohmaier almost 7 years ago

  • Status changed from New to Resolved

Resolved in terms of the website/donation forms.
We don't hook up into PayPal directly, don't trigger connections to PayPal ourselves. Rather, we assemble a form that the user submits and is then on PayPal's server. So the TLS or HTTP version is not in our control.

But if we choose to later integrate with PayPal APIs for linkback/transaction reports, I made sure that php/curl on our website does comply/satisfy the TLS/HTTP check.

Actions #8

Updated by Florian Effenberger over 6 years ago

  • Status changed from Resolved to Closed