PayPal will stop working on 30th June if you don’t upgrade to TLS
PayPal will stop working on 30th of June and merchants will be unable to accept payments if they've not updated their websites to the latest standards, which include an upgrade to TLS.
The deadline for merchants to upgrade to Transport Layer Security (TLS) 1.2 is June 30, 2018, and PayPal are requiring all merchants to upgrade their security protocols to TLS 1.2, in line with the requirements set by the Payment Card Industry (PCI) Council. The TLS protocol is used to encrypt communications between your platform and PayPal's servers.
What do you need to do to upgrade to TLS?
Merchants should verify whether their website supports TLS 1.2 and, if necessary, make appropriate updates.
If you have a hosted service
Contact your provider to ensure they support TLS 1.2 and HTTP/1.1.
Does your system already support TLS 1.2 and HTTP/1.1?
If the answer is yes then you’re all set. If not, then you need to upgrade to TLS 1.2 and HTTP/1.1 before the 30th of June.
Have you hard coded an earlier version of TLS or HTTP?
Update your code to always use the latest version of TLS and HTTP supported by PayPal endpoints.
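One way to answer the hard-coding question is to search your integration code for protocol constants pinned below TLS 1.2 or HTTP/1.1. The following is an added example, not code from PayPal or from the original article; the function name, pattern list and sample lines are constructed for illustration and cover only a few common cURL, Python, .NET and Java spellings.

```python
import re

# Spellings that pin a client below TLS 1.2 or HTTP/1.1 (illustrative, not exhaustive).
LEGACY_PATTERNS = {
    "SSLv2/SSLv3": re.compile(r"SSLv?[23]\b", re.IGNORECASE),
    # The lookahead stops "TLSv1" matching inside "TLSv1_2" / "TLSv1.2";
    # the second branch is .NET, where Tls means 1.0 and Tls11 means 1.1.
    "TLS below 1.2": re.compile(
        r"TLSv1(?:[._][01])?(?![._]?\d)|SecurityProtocolType\.Tls(?:11)?\b"
    ),
    "HTTP/1.0": re.compile(r"HTTP/1\.0\b|HTTP_VERSION_1_0\b"),
}


def find_pinned_legacy(source):
    """Return (line_number, finding, line_text) for each hard-coded legacy version."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for finding, pattern in LEGACY_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, finding, line.strip()))
    return findings


# Constructed sample lines from a mixed PHP / Python / C# / Java code base.
SAMPLE = """\
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
SSLContext.getInstance("TLSv1.2");
"""

if __name__ == "__main__":
    for number, finding, text in find_pinned_legacy(SAMPLE):
        print(f"line {number}: {finding}: {text}")
```

Lines that pin exactly TLS 1.2 are not flagged, but they are still hard-coded and will not pick up newer versions; removing the pin lets the client negotiate the highest version both sides support.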
More information about the required changes, the impact of the changes, and how to implement them can be found on PayPal’s Merchant Security Microsite.
What remains unclear from the email we got is whether PayPal is saying…
“You specifically are not secure”
“We are writing to everyone to tell you to check if you are secure”
Furthermore, is the whole account frozen or only those transactions through a non-compliant site?
Our current business uses PayPal invoicing but that is not linked to a website. However, in the past, I have created small test sites to try out PayPal payment buttons.
I wonder where I put them…?
I’m guessing this is to do with the Express Checkout integration. Users are redirected to a PayPal screen when paying but when that has been completed PayPal make a connection to your web site to confirm the payment status to complete checkout. If this connection does not happen over a TLS https connection then the checkout procedure will fail.
This was my best guess as well.
Still not clear whether the trigger is the existence of a poor connection or the use of that connection, and whether it freezes the whole account or just transactions through that particular connection.
This is academic for us, it is just the lack of specificity from PayPal that seems odd.
Why have I not been contacted by PayPal?
Is this a PSA announcement for retail users, or do I need to upgrade as well as merchants?