PayPal IPN SSL and SHA Security Updates

Instant Payment Notification (IPN) allows you to integrate your PayPal payments with your website’s backend operations, so you get immediate notification and authentication of the PayPal payments you receive. PayPal is about to upgrade its security, so anyone who uses IPN may need to make changes to their servers too.

The security industry is phasing out 1024-bit SSL certificates (G2) in favor of 2048-bit certificates (G5), and is also moving towards a higher-strength data encryption algorithm to secure data transmission: SHA-2 (256) rather than the older SHA-1 standard.

Google Chrome is deprecating support for SHA-1 by the end of 2015, and all support for SHA-1 will be deprecated by the end of 2016, so PayPal has to make these changes. On (or around) the 30th of September PayPal will therefore upgrade its certificate to SHA-256.

Most of the above SSL and SHA information will probably sound like gobbledygook to most readers. What it really means is that if your website accepts PayPal payments it’s worth a quick call to your integrator to make sure that they’re ready for the security upgrades at the end of the month.

If you’re using a standard off-the-shelf ecommerce website which has a PayPal plugin or supports PayPal as standard, then there’s a very high chance that you don’t have to worry and that your website software service provider or plugin writer has already made the changes. If your website stops working towards the end of the month and you get SSL or encryption errors, or people tell you that they can’t pay you, then the latest PayPal security updates will almost certainly be the root cause, in which case get your technical guru to take a read of the notes on the PayPal website.