September 2016 Reminder
Don't forget, the endpoints will be upgraded after September 30th, 2016. If you haven't already checked your integration, please see the details on our SSL Certificate Upgrade site for instructions.
Also please be sure to check out the 2016-2017 Merchant Security Roadmap here:
Just to make sure there are no surprises in the future.
Hi PayPal Community,
You may have received an email that PayPal will be upgrading our endpoint certificates to SHA-256 on September 30th, 2016. Please note the date may change to align with industry security standards. I want to take some time to clarify this change and who will be affected.
Who does this affect?
| Browser | Minimum Version required |
| --- | --- |
| Internet Explorer | 6+ (With XP SP3+) |
| Safari | 3+ (Ships with OS X 10.5) |
Please note that even if this setting is disabled, it is possible that IPN is being enabled on a per transaction basis with the shopping cart provider. We recommend checking with the shopping cart provider to be sure as well.
I'm affected, now what do I do?
What is SHA-256 and why is it important?
"SHA" stands for Secure Hashing Algorithm and 256 stands for the length of the text this process creates (in bits). Generally speaking, the longer the length, the harder it is for someone to break the encryption or pretend to be the website you are using. Over time, security researchers make improvements to these algorithms to make them more secure and PayPal will upgrade our services to ensure our customers are protected by industry standard encryption and authentication.
SHA is just one component of the encryption and authentication protocols that keeps communications secure with websites. You may have heard reference to these security protocols as TLS or SSL.
If you would like to get more into the nuts and bolts of hashing algorithms and encryption, there's a lot of great information around the internet.
I received the email below which describes changes to the PayPal SSL certificates. I am afraid to click the information links in the email until I know it is real. I did not see any information about this subject when I logged into my PayPal account. Thanks
=== email text is below =====
UPDATE: ACTION MAY BE REQUIRED: PayPal service upgrades for merchants.
UPDATE: Please see an important update below in red.
Because we support our merchants in helping them grow their business, we continue to make significant investments and improvements to our infrastructure. These improvements sometimes require us to perform necessary service upgrades.
Please read below as we explain what the change is, and what action may be required by you.*
Over the course of 2015 and 2016, PayPal will be working towards upgrading various SSL certificates. The changes include upgrading the following:
The version of the VeriSign Trusted Root Certificate used to establish secure connections to PayPal.
The signing algorithm of certificates (from SHA-1 to SHA-256).
Why is this happening?
We’re taking measures to address industry-wide security concerns which aren’t unique to PayPal. When implemented, these measures can help us improve the security and reliability of our PayPal integrations and help guard against current and future security threats.
When is this happening?
We’ve published the schedule of our service upgrade plan. Please check our 2015-2016 SSL Certificate Change microsite for the most recent updates as published schedules may change. Our efforts to upgrade SSL certificates for our production endpoints are scheduled to start in May 2015, and will continue into next year.
Please note – Testing in the Sandbox environment is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections signed by the G5 Root Certificate. Please review the microsite for information when SHA-256 testing is available for your integration.
What do I need to do?
For information regarding the important details of these upgrades, how it may impact your integration, and what you must do to future-proof your integration, please refer to the Merchant Security System Upgrade Guide on the microsite.
*Please note – If you’re impacted by this upgrade, you may be required to implement these changes prior to the dates listed on the microsite. Otherwise, you may not be able to process payments through your current integration with PayPal. In addition, if you’re integrated with a third party, please check with them on any additional steps you may need to take.
Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.
Thanks for your patience as we continue to improve our services.
Was this email helpful? Please click here to let us know how we're doing at keeping you informed.
I've received this same message at least twice this week. Can't find the message on PayPal official site, so I am ASSUMING it is false, but would really like to know for certain. Has anyone received an answer? I am NOT clicking on any links!
I also have only one website client, out of 30, who says they received this same email.
Would love to know if this is legit?
I have received those emails a couple times, too. I haven't clicked any of the many links included. It says it's from Paypal at paypal.com
I have also received this email numerous times. I'm assuming it's fraud, can PayPal weigh in on this??
I agree with your point. If this is a legitimate email, we should be able to find the same exact message somewhere on the real PayPal site, as we do with eBay messages. I never click links on my eBay emails, but go to the eBay site for the message on "MyeBay". PayPal should do the same thing so we aren't so befuddled.
As to what this means, I still have no clue. It must not affect me, since I haven't the foggiest idea what they're talking about.
Thanks for bringing this email to our attention. I'll be honest, I'm not 100% sure that it's legitimately from us, however I do know that we have been upgrading our SSL certificates. I'm about 95% sure that it's from us, but because of that 5% the best suggestion I have is to forward it to email@example.com so the experts can take a look at it.
I'm not sure what links are in there, however the best one I can provide is the link to our Merchant Technical Support group. If you have any questions about integration or implementation of any of the things discussed here, they're going to be the go-to people. Matter of fact, just visiting their site shows multiple links relating to this, including one that details much of the same information. So I'm now like 98% sure it's legit.
Hope this helps!
It says it has been sent to us because we are merchants. I am not other than eBay and Etsy. I would assume that those platforms would have to make the changes noted, not the individual users. So I fear that a lot of us got the email in error or it is not legit.
I just got a similar one today, but the thing is, I DO NOT HAVE A WEBSITE NOR DO I USE PAYPAL ASIDE FROM JUST EBAY OR ANOTHER COMMERCE SITE. In other words, it's inappropriate to send it to me as I don't have any kind of dealings with it. Why would PayPal even send it to someone that doesn't have a website nor did I ever have PayPal on a website????