PayPal service upgrades for merchants

[mma87]

Hello to all!

 

I received this mail from paypal, does anyone know if we have to do somethings?

 

ACTION MAY BE REQUIRED: PayPal service upgrades for merchants.

 

Because we support our merchants in helping them grow their business, we continue to make significant investments and improvements to our infrastructure. These improvements sometimes require us to perform necessary service upgrades.

Please read below as we explain what the change is, and what action may be required by you.*

What’s happening?

Over the course of 2015 and 2016, PayPal will be working towards upgrading various SSL certificates. The changes include upgrading the following:

1. The version of the VeriSign Trusted Root Certificate used to establish secure connections to PayPal.
2. The signing algorithm of certificates (from SHA-1 to SHA-256).

Why is this happening?

We’re taking measures to address industry-wide security concerns which aren’t unique to PayPal. When implemented, these measures can help us improve the security and reliability of our PayPal integrations and help guard against current and future security threats.

When is this happening?

We’ve published the schedule of our service upgrade plan. Please check our 2015-2016 SSL Certificate Change microsite for the most recent updates as published schedules may change. Our efforts to upgrade SSL certificates for our production endpoints are scheduled to start in May 2015, and will continue into next year.

Please note – The Sandbox environment is ready for testing. Testing in the Sandbox environment is one of the best ways to make sure your integration works.

What do I need to do?

For information regarding the important details of these upgrades, how it may impact your integration, and what you must do to future-proof your integration, please refer to the Merchant Security System Upgrade Guide on the microsite.

*Please note – If you’re impacted by this upgrade, you may be required to implement these changes prior to the dates listed on the microsite. Otherwise, you may not be able to process payments through your current integration with PayPal. In addition, if you’re integrated with a third party, please check with them on any additional steps you may need to take.

Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.

Thanks for your patience as we continue to improve our services.

[garyjj127]

I was wondering exactly the same thing! Looks like PayPal are going to be upgrading the API by 19th June, so it would be good to know if we have to do anything. I must confess I haven't got a clue what any of it means, but it's obviously security related, so I'd imagine something will need changing. The last update that PayPal made was a simple code change in the module, so hopefully will be something similar!

[mma87]

up!

 

have someone found a solution?

[Pronux]

have someone found a solution?

 

Solution for what exactly? Did you get an error message in your shop?

[mma87]

no, there isn't an error message, but I think the paypal module have to be updated or we have to do somethings to changing VeriSign and SHA-256

[leiluspocus]

I would be highly interested in knowing what to do too. 

 

I'm using the Paypal Europe module and I must say they have the worst customer support. I contacted them for the "Shipping state" error that is pretty common and I haven't got any news but a google spreadsheet asking me what was my bug exactly (and my mail was pretty clear).

 

I guess they will release an update anytime soon.

[mma87]

today I received a reminder email.

 

I don't know I we have to do somethings

[HH Services Limited]

today I received a reminder email.

 

I don't know I we have to do somethings

Yes, me too...

Anyone know if we have to do any changes in regards a SHA-256 issue?

I am on Paypal USA Canada...

[thx2012]

Any solution to this?

[HH Services Limited]

Is it a problem at all? Other times in which there were issues that required changes, this section of the forum was running wild with posts and solutions... This one seems a bit like no one is having any issue at all...

[thx2012]

Is it a problem at all? Other times in which there were issues that required changes, this section of the forum was running wild with posts and solutions... This one seems a bit like no one is having any issue at all...

 

Since the email was issued today, we are being pro-active in finding resolution.  Did you read the statement from paypal?  No issue is found, only concern over what steps we should be taking to resolve this. "this section of the forum is running wild with posts and solutions".. Please direct me to where you have found the answer to our question.

 

Thanks

[HH Services Limited]

Since the email was issued today, we are being pro-active in finding resolution.  Did you read the statement from paypal?  No issue is found, only concern over what steps we should be taking to resolve this. "this section of the forum is running wild with posts and solutions".. Please direct me to where you have found the answer to our question.

 

Thanks

Is it a problem at all? Other times in which there were issues that required changes, this section of the forum was running wild with posts and solutions... This one seems a bit like no one is having any issue at all...

 

Other times means other times not this one...

 

 

 

 

[cocothecat]

After being notified about this I done a bit of research I think no modification is needed as the return call back from the module uses a non secure domain i.e http instead of https IF you have modified your script OR have SSL enabled to use https call back i.e (after you make a payment it goes from paypal to your website) and the return address is https then you need to ensure your SSL certificate is upgraded from 128bit to 256 bit (SHA128 to SHA256 i think) you can get this done by asking your SSL provider to re-issue the certificate.

 

At least from my understanding.

Below is some info I found online you can use the test on SSLABS to see if your SSL is compatible if not have it re-issued.

 

"

What you need to do

If your website uses an SSL Certificate (HTTPS encryption, padlock in browser bar on checkout), then you need to make sure that the SSL uses SHA-2. You can check this on the SSLLABS site.

 

If your SSL Certificate uses the older SHA-1 and expires during or after 2016, then you need to contact your SSL provider to re-issue you with a new SSL Certificate based on SHA-2. To install the new certificate, you will need the original Private Key, the new Certificate, and the Intermediate Certificate (CA Bundle).

 

If your SSL Certificate expires during 2015, then you just need to make sure that the new SSL is issued with SHA-2. If you’re using cPanel to generate the Signin Request, then SHA-2 is already automatically supported."

Edited September 19, 2015 by cocothecat (see edit history)