Merchant Security Upgrade Testing (PP-LIVE-8238)

MTS_Ciaran
Moderator

Testing to begin April 12th 2018. Please see HERE for full schedule.

Please use this thread for any questions related to the Security Upgrades coming June 2018 and the upcoming testing for these changes.

For full details on these changes click HERE

------------------------------------

AFFECTED PRODUCTS:

  • REST APIs
  • SOAP & NVP APIs
  • Payflow APIs
  • Homepage
  • Online Checkout
  • Retail Checkout
  • Account
  • Payflow

Initial Notification:
To prepare for the Payment Card Industry (PCI) mandated security upgrade deadline of June 30, 2018, PayPal plans a series of tests to verify that our API endpoints meet the latest security standards.
 
If you have already upgraded your integration to the highest security protocols, you should not experience impacts from our testing.
 
However, if you have not upgraded your PayPal integrations to comply with these standards, service interruptions may occur during our testing windows.
 
It is strongly recommended that you perform the necessary upgrades immediately as we will be performing tests from March 12 to March 22, and early June 2018. Below is a quick summary of the testing schedule for the first round of tests:
 
  • March 12-14: TLS 1.2
  • March 14-15: GET response
  • March 19-21: HTTP 1.1
  • March 21-22: Instant Payment Notification (IPN) HTTPS
 
More information can be found on our Merchant Security Upgrade Testing Microsite.

cmrdev
Contributor

We've been regularly receiving emails from PayPal with the subject line "Merchant security upgrade testing TLS 1.2 Impact" where, highlighted in red in the body, is the sentence "Our records indicate this Merchant Security Testing impacted you". Based on our testing etc., we believe we're ready for the full TLS 1.2 cutover and, after a first round of problems (which came around the time PayPal started doing the weekly smoke tests), we've resolved those issues. However, we're still getting these emails, so we're wondering if these emails show we still have an issue (and if so, can we get some details re: the issue) or if they were generated because we used to have an issue and it hasn't been checked by PayPal since. If it's the latter, is there any way to turn that particular email notification off? Our Finance director is understandably nervous every time he gets this email.

Monters
Contributor

I'm in the same boat, and it's stressing me out so much.

MTS_Ciaran
Moderator

Hey both, I've checked both of you guys and you look set. There don't seem to be any TLS connections less than 1.2; the notifications look to be related to historical data. Also keep in mind that you can test the changes on the PayPal sandbox environment, which is already set up to only allow TLS1.2, so if your integration works on sandbox, it will work on live 🙂

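The sandbox check described in the reply above can be run from the host where the integration lives. This is an added example, not part of the thread and not PayPal's code; the function names are illustrative, and it only exercises the TLS stack of the Python runtime it runs under, so an integration written in another language needs the equivalent check against its own TLS library.

```python
import socket
import ssl
import sys

# Protocol versions below the TLS 1.2 floor discussed in this thread.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tls12_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def meets_floor(version: str) -> bool:
    """True when a version string from SSLSocket.version() is TLS 1.2 or newer."""
    return version.startswith("TLSv1.") and version not in LEGACY


def local_stack_report() -> dict:
    """What this Python/OpenSSL build can do, without touching the network."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls12_supported": ssl.HAS_TLSv1_2,
        "floor": tls12_context().minimum_version.name,
    }


def negotiated_version(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Handshake with host using the TLS 1.2+ context and return the agreed version."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(local_stack_report())
    # Hosts are passed on the command line, e.g. www.sandbox.paypal.com
    # (the sandbox host named in the thread). With no arguments nothing is contacted.
    for host in sys.argv[1:]:
        try:
            v = negotiated_version(host)
            print(f"{host}: {v} ({'ok' if meets_floor(v) else 'below TLS 1.2'})")
        except (ssl.SSLError, OSError) as exc:
            print(f"{host}: handshake failed: {exc}")
```

A handshake failure here means the local OpenSSL build or system policy cannot reach TLS 1.2, which is the condition the testing windows are designed to surface.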

Monters
Contributor

Hi MTS_Ciaran,

I'm not signed on with the account in question. Is there any way I can PM you to check out the account in question, please?

Regards,
Craig

cs_tt
Contributor

This is the account by the way (Monters)

@Monters wrote:

Hi MTS_Ciaran,

I'm not signed on with the account in question. Is there any way I can PM you to check out the account in question, please?

Regards,
Craig

MTS_Ciaran
Moderator

On that account, the notification is related to IPN traffic, a small amount actually, and it was last seen on TLS1 on June 13th, so it looks like you're good to go. The older data point is what is driving the notifications.

Jet3
Contributor

I'm in the same boat.

I believe I updated fully to TLS 1.2 yesterday prior to 2pm Pacific, and it works okay at www.sandbox.paypal.com...

However, I got a threatening email from PayPal this morning, telling me my payments will no longer be processed:

"Our records show that your PayPal integration uses an older encryption protocol. You must take the following actions immediately to upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 27, 2018."

I put another sandbox transaction through at 9:24am PST today (6/27/18); please can you confirm everything is okay at your end.

For the next time you upgrade your systems, I recommend providing a report to your users indicating where the problem is (a log of the transaction process).

Monters
Contributor

Hey Jet3. So I've had two separate PayPal employees confirm that I'm ok today. Apparently, they've been very conservative with their warnings. So if you weren't compliant within the last 14 days, then you'll continue to receive warnings even if you're good now. I know this comment doesn't confirm that you're okay, but hopefully it provides some peace of mind.

FYI: I got confirmation on this post this afternoon and this morning when I rang PayPal and explained my situation. It might be worth logging into your PayPal Account and contacting Customer Support direct to get a more immediate answer.

Joshus_
Contributor

PayPal is telling me to upgrade my security protocols to TLS 1.2. I have no idea what that is and how to upgrade it. What do I need to do?
