PayPal Endpoint certificate upgrade - SHA-256 encryption

Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

I clicked on the link you provided and it took me to my main page after signing in. I looked at help topics etc. and still do not see where I find this preference. Once we log in - WHERE is it?

Your explanation was well worded, thank you. Is there someone who proofreads these releases? This last one was not worthy of a corporation of PayPal's size.

 

My final question that I cannot get answers to (and maybe off topic) - Does this involve the direct checkout PayPal integration? Also - with the integration, will Etsy sellers be held to that same awful 6 month return policy or will you work under the Etsy return policy? We sellers can't seem to get a straight answer from anyone.

 

Thanks for the clarifications.

Administrator

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Hi GBCs,

 


GBCs wrote:

I clicked on the link you provided and it took me to my main page after signing in. I looked at help topics etc. and still do not see where I find this preference. Once we log in - WHERE is it?

...

 

Thanks for letting me know.  I've added instructions to the post for how to locate the setting directly in a PayPal Business account.  If you are using a personal account for selling, the setting would not be there but you may want to still check with the shopping cart provider.

 


GBCs wrote:

...

Your explanation was well worded, thank you. Is there someone who proofreads these releases? This last one was not worthy of a corporation of PayPal's size.

...

 

I appreciate the feedback! :) I'll make sure we pass this along to our comms team.

 


GBCs wrote:

...

My final question that I cannot get answers to (and maybe off topic) - Does this involve the direct checkout PayPal integration? Also - with the integration, will Etsy sellers be held to that same awful 6 month return policy or will you work under the Etsy return policy? We sellers can't seem to get a straight answer from anyone.

 

Thanks for the clarifications.


 

This can affect all PayPal products if a merchant is using Instant Payment Notifications (IPN).  These are server to server notifications from PayPal to the checkout server.  If a merchant is managing their orders with any sort of system outside of PayPal, it is likely that the system relies on receiving IPNs from PayPal and could be affected.

 

The PayPal Purchase Protection policies affect all transactions unless the buyer's account or transaction is ineligible based on the requirements outlined in 13.2 and 13.3 of the policy.   Please note that buyers may have still had the option to dispute through their credit card issuer as well with varying timeframes depending on the card issuer policy.  More info on dispute and chargeback risks here: Disputes, claims, chargebacks and bank reversals

 

Great questions! :) I hope this info helps.

 

- Frank

 

If you see a helpful post, please accept it as a solution or give the author kudos. :) Thanks!
Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Wow! Thank you for the link clarifying the 6 month return policy. I really think there is a huge misperception about this and would highly suggest getting the info out there very publicly. Web sites and e-zines are full of negative comments and people saying they are leaving PP just as they left eBay. If you clarify this as well as you did the goofy email, there will be a worldwide sigh of relief and also clarify exactly what will qualify for the 6 months. Exactly. No link involved. Maybe a very well worded email? Thanks
Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Frank, I appreciate your efforts to clarify the email notice from PayPal. At first I thought it was phishing and I did not use the links in the email, even though the email addressed me specifically. It took me several minutes of searching on PayPal to find your information. It seems PayPal is causing sellers unnecessary confusion (wasting our time). This issue is between PayPal and the services providing checkout. As far as I can tell there is little sellers can do about preparing for the change besides trying to contact their checkout service and making sure they are updated. Seems PayPal would be more successful with integration if they contacted all the services providing checkout rather than bother all the sellers. Seems to me there is nothing a seller really needs to do. It would have been appropriate for PayPal to provide the information I have just stated rather than the scary email that was sent.

Administrator

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

@tdlclifford,

I appreciate the feedback and great points.  Some merchants are integrating checkout with their own code and solutions so we wanted to include them as well.  Merchants may also have buyers contacting them asking why they can't pay.  In that case, we want to be sure the merchants are aware of the change so they can advise any affected buyers to upgrade their browser.

 

@xurizaemon,

Great question! My current understanding is that IPN over plain HTTP will still be supported after the certificate upgrade. Meaning you will still be able to supply a plain HTTP link for your IPN listener. However, if your IPN listener is SSL/TLS enabled, it will need to be compliant with SHA-256. Your listening server will also need to be able to accept SHA-256 certs from the PayPal servers when it posts the IPN message back for validation. I will double check on this with our Merchant Technical Support team to be sure and update my post with the result. Either way, I highly recommend enabling encryption on your website to build user trust.

 

Hi @Nen101,

Don't worry, your iPad will be fine and won't be affected by this change. If you are a seller advertising items on your own website, you'll want to make sure your website supports the new changes. But if you're selling on eBay for example, you won't need to do anything. :)

 

 

Thanks,

Frank

If you see a helpful post, please accept it as a solution or give the author kudos. :) Thanks!
Administrator

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Hi @Drawn,

 

That's correct. Etsy sellers will be ok. :) Buyers may be blocked from buying with old browsers but usually it's a quick and easy fix to download and install the new version.

 

Don't worry if you don't have a business account. Many people still sell items using their personal accounts. The main difference is there are more reports and business features for business accounts. Also customers will see a business name instead of your personal name when they pay. It's free to upgrade so there's no harm in trying it out. :)

 

Here's how to upgrade: https://www.paypal.com/selfhelp/article/FAQ900/1

 

Thanks,

Frank

If you see a helpful post, please accept it as a solution or give the author kudos. :) Thanks!
Administrator

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Hi @fabiovento,

 

Welcome!

 

For task 2, the listener server is acting as the client by sending the POST request to PayPal.  When acting as a client, it will need to be able to successfully validate the PayPal certificate.  So even if the listener is using plain HTTP, the server will need to ensure that it has updated root certificates.

 

I recommend testing your IPN listener with the PayPal Sandbox to be sure.  We have already migrated the sandbox over to SHA-256.

 

More details about the change as well as migration guides can be found here:

Certificate Change Microsite

 

Thanks,

Frank

If you see a helpful post, please accept it as a solution or give the author kudos. :) Thanks!
Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Hi Frank,

thank you a lot for your answer!

 

Unfortunately, I still don't have a clear idea :(

 

My question is: when my server acts as a client (task 2) and sends a POST to PayPal to verify the received IPN, will my server still be able to successfully connect to PayPal using plain HTTP?

 

Or else, PayPal will accept only HTTPS connections for that?

Administrator

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

@fabiovento,

 

Ah, now I understand. :)

 

Only HTTPS connections are allowed for the post back to PayPal at https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate.  All requests to paypal.com URLs are forced to SSL/TLS.

 

Thanks,

Frank

If you see a helpful post, please accept it as a solution or give the author kudos. :) Thanks!
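
The postback discussed in the two replies above (the listener acting as an HTTPS client that must validate PayPal's certificate), as an added example that is not part of the original thread or PayPal's own code. Assumptions: the raw IPN body is echoed unchanged to the URL quoted above, whose query string carries `cmd=_notify-validate`; the `VERIFIED` reply string comes from the IPN protocol and does not appear in this thread; the function names and the sample body are constructed for illustration.

```python
import ssl
import urllib.error
import urllib.request

# Postback URL exactly as quoted in the thread.
PAYPAL_VERIFY_URL = "https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate"
# Constructed sample IPN body (not a real notification).
SAMPLE_IPN = b"mc_gross=19.95&payer_email=buyer%40example.com&txn_id=CONSTRUCTED123"


def make_tls_context(cafile=None):
    """Client context that verifies PayPal's certificate chain and hostname.

    cafile=None uses the operating system trust store, which is what has to
    hold current root certificates for the handshake to succeed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_postback(raw_ipn_body, url=PAYPAL_VERIFY_URL):
    """Echo the received body unchanged; refuse a non-HTTPS endpoint."""
    if not url.lower().startswith("https://"):
        raise ValueError("IPN postback must go over HTTPS")
    return urllib.request.Request(url, data=raw_ipn_body, method="POST")


def verify_ipn(raw_ipn_body, url=PAYPAL_VERIFY_URL, cafile=None):
    """Return True only if PayPal answers VERIFIED; fail closed otherwise."""
    req = build_postback(raw_ipn_body, url)
    try:
        with urllib.request.urlopen(req, context=make_tls_context(cafile),
                                    timeout=30) as resp:
            reply = resp.read().decode("ascii", "replace").strip()
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            # Typical symptom of an outdated trust store on the listener.
            raise RuntimeError("PayPal certificate not trusted: "
                               "update the server's root certificates") from exc
        raise
    return reply == "VERIFIED"
```

A listener that receives IPNs over plain HTTP still goes through `verify_ipn`, so a certificate verification failure here points at the server's root certificates rather than at the listener's own URL.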
New Community Member

Re: PayPal Endpoint certificate upgrade - SHA-256 encryption

Refer to online resources, such as those listed below, for details on compatible configurations, then contact your website technical team for development support.

 

I am my website technical team and I haven't got a clue what all this means.

 

Plain English please.