
PayPal Endpoint certificate upgrade - SHA-256 encryption

Administrator

September 2016 Reminder

 

Hi everyone,

Don't forget, the endpoints will be upgraded after September 30th, 2016.  If you haven't already checked your integration, please see the details on our SSL Certificate Upgrade site for instructions.

 

 Also please be sure to check out the 2016-2017 Merchant Security Roadmap here:

2016-2017 Merchant Security Roadmap

 

Just to make sure there are no surprises in the future. Smiley Happy

 

Thanks,

- Frank

 

September 2015:

 

Hi PayPal Community,

 

You may have received an email that PayPal will be upgrading our endpoint certificates to SHA-256 on September 30th, 2016.  Please note the date may change to align with industry security standards.  I want to take some time to clarify this change and who will be affected.

 

Who does this affect?

 

  • Buyers using older browsers may have trouble accessing PayPal and making payments following the upgrade.  If you are a buyer using a modern browser and a recent version, you will not be affected by this change.  Here is the list of the minimum versions needed for some popular browsers.  Click the browser link to install the latest version.

 

Browser             Minimum version required
Chrome              26+
Firefox             1.5+
Internet Explorer   6+ (with XP SP3+)
Opera               9.0+
Safari              3+ (ships with OS X 10.5)

 

    • Merchants using PayPal Instant Payment Notifications (IPN) may be impacted by the change if their web server is not enabled for SHA-256 compliance. If you are using a 3rd party solution for order management and for integrating PayPal on your website, you may be using IPN.  Please check with your shopping cart provider to see if you are affected.

    • One way to check if your account is currently using Instant Payment Notifications is to see if you have this setting enabled in your PayPal account.  After logging into PayPal, click this link to be taken directly to the Instant Payment Notification settings:
      https://www.paypal.com/cgi-bin/customerprofileweb?cmd=%5fprofile%2dipn%2dnotify 
      If the link does not work, this setting can be found in Business accounts by clicking "Profile" in the upper right corner.  Then "Profile and Settings" and "My Selling tools".  Then click "Update" next to the entry for Instant payment notifications.

Please note that even if this setting is disabled, it is possible that IPN is being enabled on a per transaction basis with the shopping cart provider.  We recommend checking with the shopping cart provider to be sure as well.

 

 

I'm affected, now what do I do?

 

  • If you are a buyer, please upgrade your browser to the latest version.

 

  • If you are a merchant who uses IPN with PayPal, your server will need to be upgraded to support SHA-256.  Please contact your web host or the checkout partner providing the integration solution to ensure SHA-256 is enabled for the server.

 

  • [Update September 14th, 2015]:  I've confirmed with our Merchant Technical Support team that this change will not affect the initial IPN message to your listener.  If the listener does not have its own certificate and is using plain HTTP, the message will still be sent.  However, when the listener is sending the message back to PayPal to validate, the listener server will need to successfully validate the new SHA-2 certificate for PayPal.  To clarify, this means you do not need your own certificate for your website, but your server needs to be able to support SHA-2 when acting as a client.  We encourage all merchants to utilize encryption on their websites to increase customer security and trust.

 

 

What is SHA-256 and why is it important?

 

"SHA" stands for Secure Hashing Algorithm and 256 stands for the length of the text this process creates (in bits).  Generally speaking, the longer the length, the harder it is for someone to break the encryption or pretend to be the website you are using.  Over time, security researchers make improvements to these algorithms to make them more secure and PayPal will upgrade our services to ensure our customers are protected by industry standard encryption and authentication.

 

SHA is just one component of the encryption and authentication protocols that keeps communications secure with websites.  You may have heard reference to these security protocols as TLS or SSL.

 

If you would like to get more into the nuts and bolts of hashing algorithms and encryption, there's a lot of great information around the internet.

 

 Thanks,

- Frank

If you see a helpful post, please accept it as a solution or give the author kudos. Smiley Happy Thanks!
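Frank's September 14th update says the listener itself can stay on plain HTTP, but the server must validate PayPal's new SHA-2 certificate when it posts the notification back. The Python script below is an added example, not PayPal's or this thread's own code: it builds the postback from the raw message bytes, uses a TLS client context that actually verifies the certificate chain, reports whether the local TLS and hash stack supports SHA-256 at all, and treats anything other than an exact VERIFIED reply as not verified. The validation URL is a placeholder to be taken from PayPal's IPN documentation, the cmd=_notify-validate parameter is assumed from PayPal's published IPN protocol, and the sample notification body is constructed.

```python
"""Added example, not PayPal's own code: what an IPN listener has to get right
once PayPal's endpoint certificate is signed with SHA-256.

The listener receives the IPN over plain HTTP or HTTPS (that side is not
affected), then posts the message back to PayPal for validation.  On that
postback the listener is a TLS *client*, so it must (a) actually verify the
server certificate chain and (b) run a TLS/hash stack that understands
SHA-256 signatures.  Assumptions: the cmd=_notify-validate parameter and the
VERIFIED/INVALID reply follow PayPal's published IPN protocol; the postback
URL below is a placeholder to be taken from PayPal's IPN docs; the sample IPN
body is constructed.
"""
import hashlib
import ssl
import urllib.request

# Placeholder: use the validation URL from PayPal's current IPN documentation.
PAYPAL_VALIDATE_URL = "https://www.paypal.com/cgi-bin/webscr"  # assumed value

# Constructed sample IPN body (not a real notification); field order and
# encoding must be preserved byte-for-byte when it is echoed back.
SAMPLE_IPN_BODY = (
    b"txn_type=web_accept&payment_status=Completed&mc_gross=19.99"
    b"&receiver_email=merchant%40example.com&txn_id=EXAMPLE123"
)


def build_validation_body(raw_body: bytes) -> bytes:
    """Prepend the validate command to the raw body exactly as received.

    Re-parsing and re-encoding the fields can change ordering or escaping,
    which makes PayPal answer INVALID, so the original bytes are kept intact.
    """
    return b"cmd=_notify-validate&" + raw_body


def make_verifying_context() -> ssl.SSLContext:
    """TLS client context that refuses unverified or mismatched certificates.

    create_default_context() loads the system trust store and enables both
    chain verification and hostname checking; this is the setting that
    exercises the new SHA-256 signed chain.  Do not downgrade it to CERT_NONE
    to "fix" a failing postback; update the trust store or TLS library instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def local_stack_supports_sha256() -> dict:
    """Report whether this host can act as a SHA-256-capable TLS client."""
    ctx = make_verifying_context()
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "sha256_available": "sha256" in hashlib.algorithms_available,
        "verifies_certs": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def interpret_paypal_response(body: bytes) -> str:
    """Map PayPal's reply to VERIFIED / INVALID / UNEXPECTED.

    Only the exact token VERIFIED means the notification is genuine; anything
    else (INVALID, an HTML error page, an empty body) must be treated as
    not verified.
    """
    token = body.strip()
    if token == b"VERIFIED":
        return "VERIFIED"
    if token == b"INVALID":
        return "INVALID"
    return "UNEXPECTED"


def verify_ipn(raw_body: bytes, url: str = PAYPAL_VALIDATE_URL, timeout: int = 15) -> str:
    """Post the message back over verified HTTPS and return the interpreted reply.

    This is the call that fails on a server whose TLS client stack cannot
    validate a SHA-256 signed chain: an ssl.SSLCertVerificationError here
    means the listener's trust store or TLS library needs the upgrade.
    """
    req = urllib.request.Request(
        url,
        data=build_validation_body(raw_body),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=make_verifying_context()) as resp:
        return interpret_paypal_response(resp.read())


if __name__ == "__main__":
    # Offline checks a merchant can run on the listener host before the cutover.
    print(local_stack_supports_sha256())
    print(build_validation_body(SAMPLE_IPN_BODY).decode())
```

Running the script on the listener host prints the OpenSSL version and whether certificate verification and SHA-256 are available; a very old OpenSSL or a verify_mode other than CERT_REQUIRED is the condition Frank's update warns about. The verify_ipn function is the live postback and needs network access, so it is not exercised offline.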
78 REPLIES
Member

Is this PayPal email real? It describes upgrading various SSL certificates.

I received the email below which describes changes to the PayPal SSL certificates. I am afraid to click the information links in the email until I know it is real. I did not see any information about this subject when I logged into my PayPal account.  Thanks

 

 

=== email text is below =====

 

PayPal       
 
UPDATE: ACTION MAY BE REQUIRED: PayPal service upgrades for merchants.

UPDATE: Please see an important update below in red.

----

Because we support our merchants in helping them grow their business, we continue to make significant investments and improvements to our infrastructure. These improvements sometimes require us to perform necessary service upgrades.

Please read below as we explain what the change is, and what action may be required by you.*

What’s happening?

Over the course of 2015 and 2016, PayPal will be working towards upgrading various SSL certificates. The changes include upgrading the following:

The version of the VeriSign Trusted Root Certificate used to establish secure connections to PayPal.
The signing algorithm of certificates (from SHA-1 to SHA-256).
Why is this happening?

We’re taking measures to address industry-wide security concerns which aren’t unique to PayPal. When implemented, these measures can help us improve the security and reliability of our PayPal integrations and help guard against current and future security threats.

When is this happening?

We’ve published the schedule of our service upgrade plan. Please check our 2015-2016 SSL Certificate Change microsite for the most recent updates as published schedules may change. Our efforts to upgrade SSL certificates for our production endpoints are scheduled to start in May 2015, and will continue into next year.

Please note – Testing in the Sandbox environment is one of the best ways to make sure your integration works.  Sandbox endpoints have been upgraded to accept secure connections signed by the G5 Root Certificate.  Please review the microsite for information when SHA-256 testing is available for your integration.

What do I need to do?

For information regarding the important details of these upgrades, how it may impact your integration, and what you must do to future-proof your integration, please refer to the Merchant Security System Upgrade Guide on the microsite.

*Please note – If you’re impacted by this upgrade, you may be required to implement these changes prior to the dates listed on the microsite. Otherwise, you may not be able to process payments through your current integration with PayPal. In addition, if you’re integrated with a third party, please check with them on any additional steps you may need to take.

Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.

Thanks for your patience as we continue to improve our services.

Was this email helpful? Please click here to let us know how we're doing at keeping you informed.
 
 

W3 New Community Member
New Community Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I've received this same message at least twice this week.  Can't find the message on PayPal official site, so I am ASSUMING it is false, but would really like to know for certain.  Has anyone received an answer?  I am NOT clicking on any links!

New Community Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I also have only one website client, out of 30, who says they received this same email.

 

Would love to know if this is legit?

New Community Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I have received those emails a couple times, too. I haven't clicked any of the many links included. It says it's from Paypal at paypal.com

New Community Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I have also received this email numerous times. I'm assuming it's fraud, can PayPal weigh in on this??

 

Thanks,

CB

New Community Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I agree with your point.  If this is a legitimate email, we should be able to find the same exact message somewhere on the real PayPal site, as we do with eBay messages.  I never click links on my eBay emails, but go to the eBay site for the message on "MyeBay".  PayPal should do the same thing so we aren't so befuddled.

 

As to what this means, I still have no clue.  It must not affect me, since I haven't the foggiest idea what they're talking about.

Moderator

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

Hi All!

 

Thanks for bringing this email to our attention. I'll be honest, I'm not 100% sure that it's legitimately from us, however I do know that we have been upgrading our SSL certificates. I'm about 95% sure that it's from us, but because of that 5% the best suggestion I have is to forward it to spoof@paypal.com so the experts can take a look at it.

 

I'm not sure what links are in there, however the best one I can provide is the link to our Merchant Technical Support group. If you have any questions about integration or implementation of any of the things discussed here, they're going to be the go-to people. Matter of fact, just visiting their site shows multiple links relating to this, including one that details much of the same information. So I'm now like 98% sure it's legit. Smiley Happy

 

Hope this helps!

 

- Andy

Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

It says it has been sent to us because we are merchants.  I am not, other than eBay and Etsy.  I would assume that those platforms would have to make the changes noted, not the individual users.  So I fear that a lot of us got the email in error or it is not legit.

Member

Re: Is this PayPal email real? It describes upgrading various SSL certificates.

I just got a similar one today, but the thing is, I DO NOT HAVE A WEBSITE NOR DO I USE PAYPAL ASIDE FROM JUST EBAY OR ANOTHER COMMERCE SITE. In other words, it's inappropriate to send it to me as I don't have any kind of dealings with it. Why would PayPal even send it to someone that doesn't have a website, nor did I ever have PayPal on a website????