Announcement

Collapse
No announcement yet.

Paypal 2016 Merchant Security Upgrades

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    #31
    It definitely sounds like a step up from the usual "we don't support TLS1.2, why don't you get a dedicated server."
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------

    Comment


      #32
      The following statement is to clarify how the coming rollout of TLS v1.2 will affect SellerDeck users, particularly in relation to the earlier questions and statements in this thread. Hopefully it answers most of the questions above.

      The general enforcement of TLS v1.2 has been postponed to June 2018. However, PayPal currently still intend to enforce it for their services by 16th June 2016. This date may slip, but there is no guarantee that it will.

      Consequently all SellerDeck PayPal users need to take action by that date.

      1) All PayPal online checkout integrations will require the web server to support TLS v1.2. Specifically the perl module Crypt::SSL (which bundles Net::SSL) needs to support TLS v1.2. You must ensure that your web host will provide this support by 16th June. SellerDeck Hosting will be upgraded in good time, and this is already in progress.

      We're investigating the possibility of providing a script that could be used to test 3rd party servers, but can't guarantee that we will be able to do so.

      2) In SellerDeck 2013 and earlier the checkout communicates with PayPal using IPN and a mixture of http and https, depending whether or not the checkout is secured. PayPal have indicated that they may enforce the use of https on 30th September 2016. In this case these versions may require modification, and may require the use of https for the checkout. We are awaiting more information from PayPal, and will provide further updates as soon as we can.

      3) In SellerDeck 2014 and onwards the PayPal Website Payments integration is able to communicate securely with PayPal using PDT instead of IPN, provided you have entered your Identity Token in the Configuration dialog. In this case SSL on the checkout is not required, but TLS v1.2 support still is. Otherwise these versions function the same as earlier ones and have the same requirement.

      4) PayPal services on the desktop (added in SellerDeck 2016) all rely on the version of PHP that's embedded with the SellerDeck application. This is currently an older version that does not support TLS v1.2. If you use the PayPal desktop integration then the PHP used by your SellerDeck application must be upgraded to v5.6.10. This upgrade will be included in SellerDeck 2016 (v16.0.2) which will be available mid-May.

      This upgrade may affect plugins and design customisations that use PHP. You should check with your web designer and / or plugin provider that their code is compatible with PHP v5.6.10.
      Bruce Townsend
      Ecommerce Product Manager
      Sellerdeck Ecommerce Solutions

      Comment


        #33
        I've pasted my Identity Token into the correct place just as it came off the PayPal website. I assume this is correct.

        I'm slightly confused about what happens next.

        Is the next step up to my host or Sellerdeck?
        Scottish Gifts 4U - quality gifts from Scotland

        Comment


          #34
          Thanks Bruce, your post helps a lot.

          We're investigating the possibility of providing a script that could be used to test 3rd party servers, but can't guarantee that we will be able to do so.
          I've already posted a PHP one in post #5 on this thread that uses the test url paypal have provided. That said, I'm sure an official one would be very welcome and more user friendly.

          Mike
          -----------------------------------------

          First Tackle - Fly Fishing and Game Angling

          -----------------------------------------

          Comment


            #35
            I just contacted Host-It on live chat.

            It seems all their servers are TLS-1.2 compliant and they simply need to change the particular certificate of the website.

            So next step is to raise a ticket and see what happens.
            Scottish Gifts 4U - quality gifts from Scotland

            Comment


              #36
              I've spoken to 1 and 1 today and they've told me that they hope to have their managed servers upgraded to TLS 1.2 before PayPal goes ahead with their changes.

              They weren't making any promises but he sounded optimistic.
              Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

              Comment


                #37
                I've just spoken to 1 and 1 and was told it would not be upgraded and anyone on a shared server would not be able to use PayPal or SagePay.
                Kind Regards
                Karen

                Charmed Cards & Crafts

                Comment


                  #38
                  I should have been clearer - the guy at 1 and 1 was talking about to me about managed dedicated servers, not shared ones.
                  Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

                  Comment


                    #39
                    Ah I see. the guy I spoke to told me it was already supported on virtual and dedicated servers.
                    Kind Regards
                    Karen

                    Charmed Cards & Crafts

                    Comment


                      #40
                      He's wrong. It isn't
                      Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks

                      Comment


                        #41
                        It will be interesting to see if Paypal actually stick to that date, and also if 1&1 actually don't or won't implement this on their shared servers.

                        Comment


                          #42
                          Sounds like it's time I give 1and1 another call.
                          -----------------------------------------

                          First Tackle - Fly Fishing and Game Angling

                          -----------------------------------------

                          Comment


                            #43
                            Response from Host-it to a request for compatibility.

                            I just double check and our server support in 100% TLS v1.2 and your websites are prepared to paypal update service.
                            Regards

                            Jason

                            Titan Jewellery (Swift Design)
                            Zirconium Rings
                            Damascus Steel Rings

                            Comment


                              #44
                              Just had this from 1and1, so support for the new protocol is being deployed it would seem:

                              On 24 May 2016 we will update the operating system of our Linux Hosting servers, including the server your website is hosted on. This update will optimise resource utilisation, improve system security, and add support for TLS 1.2.

                              Please note that there will be new versions of scripting languages and new database libraries. If you use one of the following scripting languages or libraries for your website, please ensure that your scripts are compatible with the following versions that will be installed:

                              - Perl 5.20
                              - Python 2.70 and 3.4
                              - Ruby 2.1
                              - Berkeley DB 5.3

                              After the operating system update, we will only support 64-bit applications. Please note that with the update, we will no longer provide a 32-bit compatibility on our Linux Hosting servers.

                              Please prepare all necessary adjustments by 24 May 2016, to ensure that your website will remain functional even after the operating system update.
                              Additional details regarding the update will come later in a second e- mail.

                              Release notes for the operating system update can be found here:
                              https://www.debian.org/releases/stable/releasenotes
                              Kind Regards
                              Karen

                              Charmed Cards & Crafts

                              Comment


                                #45
                                I just received this via email from 1and1 today which seems quite conclusive:

                                Dear Mr. Hughes,

                                On 24 May 2016 we will update the operating system of our Linux Hosting servers, including the server your website is hosted on. This update will optimise resource utilisation, improve system security, and add support for TLS 1.2.
                                I'll run a test after the update and confirm back.

                                Mike

                                Ooh. Karen. You changed your post while I was posting mine. I guess the email has been widely sent.
                                -----------------------------------------

                                First Tackle - Fly Fishing and Game Angling

                                -----------------------------------------

                                Comment

                                Working...
                                X