Recently PayPal shared their 2016-2017 Merchant Security Roadmap, which lists a number of security changes they'll be making over the next couple of years. Whilst they've done their best to explain what these mean and how they might affect you, it's still not obvious what you're actually supposed to do. With that in mind we've gone through the list item by item and explained, for each one, what you need to check and who needs to do it.
SSL Certificate Upgrade (Act by June 17, 2016)
PayPal will be moving their endpoints onto certificates signed with SHA-256 and chaining up to the Verisign G5 root certificate. This matters because the connection that can break is the one your own server makes out to PayPal (IPN postbacks, API calls), not a customer's browser: if the CA bundle your server trusts does not contain the G5 root, or its OpenSSL build is too old to handle SHA-256 signatures, those connections will fail certificate verification. So you'll need to contact your web hosts and ask them to confirm that the CA bundle used by PHP/curl on their servers includes the Verisign G5 Root Certificate and that the server's TLS stack (OpenSSL) supports SHA-256 certificates. You can always refer them to this page for more information.
TLS 1.2 and HTTP/1.1 Upgrade (Act by June 30, 2017)
PayPal will be requiring TLS 1.2 and HTTP/1.1 for every connection to their endpoints; TLS 1.0, TLS 1.1 and HTTP/1.0 will no longer be accepted. This is another one to ask your web hosts about, as they need to make sure the server's OpenSSL and curl are recent enough to negotiate TLS 1.2 (TLS 1.2 support arrived in OpenSSL 1.0.1, so anything older will simply fail to connect) and that HTTP/1.1 is in use. PayPal have included more information for web hosts here.
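Rather than taking your host's word for it, you can check the server yourself. The following is an added example, not code from the original post, from Magento or from PayPal: a script to run with the PHP CLI on the server that makes the outbound calls to PayPal. It reports which SSL library curl is linked against, whether the SHA-256 digest is available, whether the Verisign G5 root is present in the CA bundle curl trusts, and whether a TLS 1.2-only, fully verified connection to PayPal's TLS test endpoint succeeds. It assumes PHP 5.6 or later with the curl and openssl extensions; the test endpoint https://tlstest.paypal.com/ and its "PayPal_Connection_OK" reply are as PayPal documented them at the time and should be checked against PayPal's current documentation.

```php
<?php
// Added example (not from the original post, Magento or PayPal): environment
// self-check for the server that makes outbound connections to PayPal.
// Assumes PHP >= 5.6 with curl + openssl; the tlstest.paypal.com endpoint and
// its "PayPal_Connection_OK" reply are as PayPal documented them in 2016.

// Subject CN of the root certificate PayPal's roadmap asks hosts to include.
define('G5_ROOT_CN', 'VeriSign Class 3 Public Primary Certification Authority - G5');

// Scan every PEM certificate in a CA bundle file for the G5 root.
// If the host uses a certificate directory (capath) instead of a single file,
// point this at the individual file in that directory instead.
function bundle_has_g5_root($bundlePath)
{
    if (!is_readable($bundlePath)) {
        return false;
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s',
                   file_get_contents($bundlePath), $blocks);
    foreach ($blocks[0] as $pem) {
        $info = openssl_x509_parse($pem);
        if ($info && isset($info['subject']['CN']) && $info['subject']['CN'] === G5_ROOT_CN) {
            return true;
        }
    }
    return false;
}

// Attempt a TLS 1.2-only, fully verified HTTPS GET; returns array(ok, detail).
function tls12_probe($url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,                    // fail on an untrusted chain
        CURLOPT_SSL_VERIFYHOST => 2,                       // and on a hostname mismatch
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // refuse anything older
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_TIMEOUT        => 15,
    ));
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        return array(false, $err);   // e.g. an "unsupported protocol" error on an old OpenSSL
    }
    return array(strpos($body, 'PayPal_Connection_OK') !== false, trim($body));
}

function paypal_env_report()
{
    $cv = curl_version();
    // curl can be linked against a different SSL library than PHP's openssl
    // extension; Magento's PayPal calls go through curl, so its ssl_version
    // is the one that matters.
    $ca = ini_get('curl.cainfo') ?: openssl_get_cert_locations()['default_cert_file'];
    list($ok, $detail) = tls12_probe('https://tlstest.paypal.com/');
    return array(
        'curl'      => $cv['version'],
        'curl_ssl'  => $cv['ssl_version'],   // needs OpenSSL >= 1.0.1 for TLS 1.2
        'sha256'    => in_array('sha256', openssl_get_md_methods(), true),
        'ca_bundle' => $ca,
        'g5_root'   => bundle_has_g5_root($ca),
        'tls12'     => $ok,
        'tls12_msg' => $detail,
    );
}

foreach (paypal_env_report() as $k => $v) {
    printf("%-10s %s\n", $k, is_bool($v) ? ($v ? 'yes' : 'NO') : $v);
}
```

Run it as `php paypal_check.php` on the web server itself (not your laptop), because the point is to exercise the exact OpenSSL, curl and CA bundle that PHP uses there. A "NO" against g5_root or tls12 is what you send back to the host.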
IPN Verification Postback to HTTPS Microsite (Act by June 30, 2017)
When using PayPal's IPN (Instant Payment Notification) service, your listener is required to post the message it received back to PayPal, unchanged, so PayPal can confirm that it really sent it (the only reply you should trust is a literal "VERIFIED"). That postback will now need to be made over HTTPS, to https://ipnpb.paypal.com/cgi-bin/webscr, rather than over plain HTTP. An unencrypted postback lets anyone on the path read the transaction data and, worse, forge the "VERIFIED" reply.
If you're using Magento you don't need to do anything, as it already uses the HTTPS address. This can be seen in the file app/code/core/Mage/Paypal/Model/Config.php, line 712, in the function getPaypalUrl.
For those with custom integrations or using other software/platforms, you'll need to verify that your IPN listener posts back to the HTTPS address, and that the connection it makes actually verifies PayPal's certificate rather than disabling verification.
Discontinue Use of GET Method for Classic NVP/SOAP APIs (Act by June 30, 2017)
Communicating with PayPal's Classic NVP/SOAP APIs can currently be done with either GET or POST; PayPal are removing the GET option, so all calls must use POST. This is a sensible change in its own right: with GET, your API username, password and signature travel in the URL and end up in proxy and web server logs.
If you're using Magento you don't need to do anything, as it already uses the POST method for API calls. This can be seen in the file app/code/core/Mage/Paypal/Model/API/Nvp.php, line 960, where Zend_Http_Client::POST is used.
For those with custom integrations or using other software/platforms, you'll need to verify that you're not using the GET method for any calls to the Classic NVP/SOAP APIs.
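For custom integrations, the IPN postback and the NVP call are the same problem: an HTTPS POST, made with TLS 1.2 and HTTP/1.1, that verifies PayPal's certificate. The following is an added example (not Magento's code and not PayPal's SDK) showing one helper that does this and using it for both the IPN verification above and a Classic NVP call. The hostnames are PayPal's live and sandbox endpoints; the API credentials are placeholders, and the fallback IPN message is a constructed sample so the script can be run from the command line outside a real IPN request.

```php
<?php
// Added example (not Magento's code or PayPal's SDK): a single HTTPS POST helper
// used for an IPN verification postback and for a Classic NVP call.
// Credentials are placeholders; the fallback IPN body is a constructed sample.

// POST only, HTTPS only, TLS 1.2 only, HTTP/1.1, full certificate verification.
function paypal_https_post($url, $body)
{
    if (parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException("Refusing non-HTTPS PayPal URL: $url");
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,   // GET would put credentials/IPN data in URLs and logs
        CURLOPT_POSTFIELDS     => $body,  // a string is sent as application/x-www-form-urlencoded
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_HTTPHEADER     => array('Connection: close'),
        CURLOPT_TIMEOUT        => 30,
    ));
    $resp = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($resp === false) {
        throw new RuntimeException("PayPal request failed: $err");
    }
    return $resp;
}

// IPN: echo the raw message back byte-for-byte, prefixed with cmd=_notify-validate,
// to the HTTPS verification host. Only an exact "VERIFIED" reply means PayPal sent it;
// your own code must still check receiver_email, amount/currency and txn_id reuse.
function paypal_ipn_is_verified($rawIpnBody, $sandbox = false)
{
    $host = $sandbox ? 'ipnpb.sandbox.paypal.com' : 'ipnpb.paypal.com';
    $resp = paypal_https_post("https://$host/cgi-bin/webscr", 'cmd=_notify-validate&' . $rawIpnBody);
    return trim($resp) === 'VERIFIED';
}

// Classic NVP over POST; the reply is itself NVP-encoded and decoded with parse_str.
function paypal_nvp_call($method, array $params, array $creds, $sandbox = false)
{
    $host   = $sandbox ? 'api-3t.sandbox.paypal.com' : 'api-3t.paypal.com';
    $fields = array_merge(array(
        'METHOD'    => $method,
        'VERSION'   => '124.0',
        'USER'      => $creds['user'],
        'PWD'       => $creds['pwd'],
        'SIGNATURE' => $creds['signature'],
    ), $params);
    parse_str(paypal_https_post("https://$host/nvp", http_build_query($fields)), $reply);
    return $reply;   // $reply['ACK'] is 'Success' or 'Failure' (then see L_ERRORCODE0 etc.)
}

// Usage. In a real IPN listener the body comes from php://input; when run from
// the CLI that is empty, so a constructed message is used instead (PayPal will
// naturally answer INVALID for a message it never sent).
$raw = file_get_contents('php://input');
if ($raw === '' || $raw === false) {
    $raw = 'payment_status=Completed&txn_id=EXAMPLE123&mc_gross=10.00&mc_currency=USD';
}
echo 'IPN verified: ', paypal_ipn_is_verified($raw, true) ? 'yes' : 'no', PHP_EOL;

$creds = array('user' => 'api_user_placeholder', 'pwd' => 'placeholder', 'signature' => 'placeholder');
$reply = paypal_nvp_call('GetBalance', array(), $creds, true);
echo 'NVP ACK: ', isset($reply['ACK']) ? $reply['ACK'] : '(none)', PHP_EOL;
```

Two design points worth copying into your own code: the helper refuses any non-HTTPS URL up front, so a stray `http://` endpoint in configuration fails loudly instead of silently downgrading, and the IPN body is taken from php://input rather than rebuilt from $_PHP's $_POST array, because re-encoding can alter the message and turn a genuine notification into an INVALID reply.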
Merchant API Certificate Credentials Upgrade (Act by January 1, 2018)
This is one you'll need to check yourself, since it depends on which type of API certificate your account currently holds. PayPal have provided the following instructions:
The easiest way to tell if you have the new type of API certificate is to navigate to the Manage API certificate page in your account profile:
- Log in to your PayPal account.
- Go to Profile > My selling tools > API access > View API Certificate.
- For your current API certificate:
  - If the Expiration date is three (3) years after the Request Date, you have the new type and are good to go.
  - If the Expiration date is ten (10) years after the Request Date, you need to replace it before January 1, 2018.
If you’ve had to replace your API certificate please let us know.
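If you would rather check the certificate file that is actually deployed on your server than click through the PayPal profile pages, the same rule can be applied locally. The following is an added example, not from the original post, Magento or PayPal: it reads the API certificate file downloaded from PayPal (normally named cert_key_pem.txt, and containing both the private key and the certificate), works out the validity period, and flags a ten-year certificate as the old type per the instructions above. It assumes PHP with the openssl extension and takes the file path as its first argument.

```php
<?php
// Added example (not from the post, Magento or PayPal): inspect a PayPal API
// certificate file locally and apply the 3-year / 10-year rule from PayPal's
// instructions. Assumes PHP with the openssl extension.

function paypal_api_cert_info($pemPath)
{
    $pem = file_get_contents($pemPath);
    if ($pem === false) {
        throw new RuntimeException("Cannot read $pemPath");
    }
    // The download also contains the private key; pull out just the certificate block.
    if (!preg_match('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m)) {
        throw new RuntimeException("No certificate found in $pemPath");
    }
    $x = openssl_x509_parse($m[0]);
    if ($x === false) {
        throw new RuntimeException("Certificate in $pemPath did not parse");
    }
    $years = ($x['validTo_time_t'] - $x['validFrom_time_t']) / (365.25 * 86400);
    $pub   = openssl_pkey_get_details(openssl_pkey_get_public($m[0]));
    return array(
        'subject'         => isset($x['subject']['CN']) ? $x['subject']['CN'] : '',
        'valid_from'      => gmdate('Y-m-d', $x['validFrom_time_t']),
        'valid_to'        => gmdate('Y-m-d', $x['validTo_time_t']),
        'validity_yrs'    => round($years, 1),
        'key_bits'        => $pub ? $pub['bits'] : 0,
        'expired'         => $x['validTo_time_t'] < time(),
        // PayPal's rule above: roughly 10 years = old type, roughly 3 years = new type.
        'needs_replacing' => $years > 5,
    );
}

$path = isset($argv[1]) ? $argv[1] : 'cert_key_pem.txt';
foreach (paypal_api_cert_info($path) as $k => $v) {
    printf("%-16s %s\n", $k, is_bool($v) ? ($v ? 'yes' : 'no') : $v);
}
```

Run it as `php paypal_cert_check.php /path/to/cert_key_pem.txt`. Treat the file with the same care as a password: it contains your API private key, so don't copy it to a shared machine just to run this check.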
We hope the above information has made things easier to understand and seem less intimidating. If you have any questions or concerns or need us to action anything for you based on the above please let us know.