"REQUIRED to avoid service interruption you need to complete important security upgrades"

69Michi
Contributor

Hello, I received an email from paypal reminding me that I need to complete some important security upgrades. Specifically, the email asks me to do "TLS 1.2 and HTTP/1.1 Upgrade." The consequence of being unable to do this by a specific date is that I won't be able to accept payment from my Paypal anymore. But as I read through everything and even tried to google, it seems like I only need to do this upgrade if I own a website that uses Paypal as a payment portal? (All the terms sound very technical, I couldn't quite understand everything.) I do not have any website and my Paypal is a personal Paypal, not a business one. I just want to confirm if this email really is addressing me and if I need to do any update to my account. Thank you.

entowol
New Community Member

I got this email as well. I called customer service and they informed me that the email did not come from PayPal. It is a phishing email and should be marked as such. She was able to confirm the last email they sent, which was my last transaction.

kbfalvo
Member

I had this issue as well and it looked completely legit and even (somehow) had a paypal.com address it was sent from.

I very quickly clicked on it but I was not logged in at the time so hopefully I am safe. I was not sure if it was legit or not because I do not think they would ask a basic user to do something/go through something so complicated -- security seems like it would be their issue to solve since they are the ones actually processing the transactions. Be safe out there.

xwindowuser
Contributor

I have several dating sites that use paypal as a gateway to implement a subscription payment for these dating sites.

Over the past year or so I made some changes for the upcoming tls 1.2 update, or so I thought. But now all the stuff I was reading and using to test and update is GONE, or moved somewhere that I can't find.

Now all I can find is the flow chart about if my server is hosted, is this or that etc...

Is the upcoming update something I can deal with by encoding something into my site software? Or is it something that has to be made on the server itself?

Where can I find test scripts to see if I am good or what I may need to do?

I am not a developer, but I have been "hacking" my way through this stuff so far and have been ok, until now.

All things have moved and I am not finding anything, been searching for several hours now.

Any help is appreciated.

Zavrina
New Community Member
I just got the same email as well. Exact same situation here. I'm a personal account user and don't have a website/don't sell anything. Very confused and wondering the same as you. It also said to upgrade the same exact thing as it told you. I assume this was a glitch in their system since we both got the exact same email with the exact same 'upgrade needed

69Michi
Contributor

/t5/About-Settings/TLS-1-2-and-HTTP-1-1-Security-upgrades-help/m-p/1391511#M38862

You can check out this forum that posted about the same situation. There are quite a few replies and one of the people said they contacted Paypal and confirmed that the email did not come from Paypal themselves, so I guess it is a scamming attempt after all.

jessneffers
Contributor

Full subject line says: "Reminder: REQUIRED to avoid service interruptions you need to complete important security upgrades"

The body of the email says I need to click on a link to a microsite to update my "IPN Verification Postback to HTTPS" information.

It goes on to say "If you have not made the necessary changes by the date specified, you won’t be able to accept payments with PayPal until you do so. But most importantly, failure to make these upgrades will put your customers’ sensitive personal and financial data at risk."

I can't tell if this was actually sent from Paypal or is a scam. Does anyone know?


Thanks.

teww
New Community Member

I checked out the email and the links contained within. The information seems to apply to sellers who are selling from their own website that contains a payment portal. It sounds like you are probably like me, selling from a site like eBay, and that the E-mail was most likely received in error.

I would like to know why I received the email though; it created a lot of concern that I would not be able to sell in the future if I am not able to verify that I'm not using any insecure payment portals. Was the email intended to let me know that ebay isn't using tls for their payment info?

apsys
New Community Member

I can't find anything on the PayPal website that helps to understand how to upgrade or change anything. If anyone has any insight it would be appreciated! 

ArchieJr
Contributor

Hi,

I received an email from PayPal stating:

"Our records indicate that you still need to make critical security upgrades to your systems. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures as soon as possible.

| Change | Change Required? |
| --- | --- |
| Merchant API Certificate Credential Upgrade | No |
| TLS 1.2 and HTTP/1.1 Upgrade | No |
| IPN Verification Postback to HTTPS | Yes |
| Discontinue Use of GET Method of Classic NVP/SOAP | No" |

So we need to change IPN Verification Postback to HTTPS.

Below is what we have now. How do we need to change this?

// post back to PayPal system to validate

$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Connection: close\r\n\r\n";

$fp = fsockopen( 'tls://ipnpb.paypal.com', 443, $errno, $errstr, 30);

 

Login to Me Too
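An added example, not part of the original post and not PayPal's own code: one way to send the IPN verification postback over HTTPS with TLS 1.2, HTTP/1.1 and certificate checking, using PHP's cURL extension. The function names are illustrative; the `cmd=_notify-validate` prefix and the `VERIFIED`/`INVALID` replies come from PayPal's IPN protocol rather than from this thread.

```php
<?php
// Added example, not PayPal's or the poster's code. Function names are illustrative.
const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // host and path as in the post

// The postback is the IPN body exactly as received, prefixed with cmd=_notify-validate.
function build_validation_body(string $rawIpnBody): string
{
    return 'cmd=_notify-validate&' . $rawIpnBody;
}

// Accept only an HTTP 200 whose body is exactly VERIFIED; INVALID, empty or
// unexpected replies are all treated as "not verified".
function is_verified(int $httpStatus, string $responseBody): bool
{
    return $httpStatus === 200 && trim($responseBody) === 'VERIFIED';
}

function verify_ipn(string $rawIpnBody): bool
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => build_validation_body($rawIpnBody),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,    // HTTP/1.1
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,  // nothing below TLS 1.2
        CURLOPT_SSL_VERIFYPEER => true,  // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the URL host
        CURLOPT_FOLLOWLOCATION => false, // never follow a redirect to another host
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false) {
        error_log('IPN postback failed: ' . curl_error($ch));
        return false; // fail closed: a transport or TLS error is not a verification
    }
    return is_verified($status, $body);
}

// Offline demonstration with constructed values; verify_ipn() is not called here.
$sample = 'txn_id=EXAMPLE123&payment_status=Completed'; // constructed IPN body
var_dump(build_validation_body($sample));
var_dump(is_verified(200, "VERIFIED"));
var_dump(is_verified(200, "INVALID"));
```

In a listener, `$rawIpnBody` would be read unchanged with `file_get_contents('php://input')`. cURL sets the `Host` header from the URL, so it always names the same host the certificate is checked against.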

bhonest2
New Community Member

I received the following email (this is the text version) and I am not sure if it's from paypal. Can you assist? Thank you:

Subject: 

Reminder: REQUIRED to avoid service interruptions you need to complete important security upgrades.

Body:


Brian,

Every day, hundreds of millions of people use PayPal to manage and move money online or on a mobile device. That’s why one of our top priorities is to ensure our customers have a safe, secure experience when transacting with PayPal.

This year, we’ve made a number of upgrades to the PayPal system enabling us to continue providing the highest level of security available for customers. Throughout 2018, we will continue to upgrade our security protocols to the highest levels of protection available, which includes moving all of our systems to TLS 1.2, an enhanced security protocol that encrypts customer data over the Internet. We also announced several new security requirements for merchants who use PayPal, to ensure they do their part to protect sensitive customer data, as well.

Our records indicate that you still need to make critical security upgrades to your systems. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures as soon as possible.


| Change | Change Required? |
| --- | --- |
| Merchant API Certificate Credential Upgrade | No |
| TLS 1.2 and HTTP/1.1 Upgrade | Yes |
| IPN Verification Postback to HTTPS | No |
| Discontinue Use of GET Method of Classic NVP/SOAP | No |


If you have not made the necessary changes by the date specified, you won’t be able to accept payments with PayPal until you do so. But most importantly, failure to make these upgrades will put your customers’ sensitive personal and financial data at risk.

How do I make these changes?

More information on the required changes and how to implement them can be found on our Merchant Security Road Microsite:

• 2016-2017 Merchant Security Roadmap
• TLS1.2 and HTTP/1.1 Upgrade Roadmap
• IPN Verification Postback to HTTPS
• Discontinue Use of GET Method for Classic NVP/SOAP API’s
• Merchant API Certificate Credentials Upgrade

If you need additional support with these changes, we encourage you to contact your web hosting company, ecommerce software provider, in-house web programmer or system administrator.

As a leading payment provider, we’re committed to continually building and investing in the strongest protections possible. Thank you for your support and for helping us maintain the highest security standards for all of our shared global customers.

If you have any questions or concerns, please contact your account manager.
