Paypal 2016 Merchant Security Upgrades


    #16
    Host-It shared hosting returns the following code:
    Paypal TLS Tester

    If you see, 'PayPal_Connection_OK' below - Great, everything is OK.

    If you see 'bool(false)' then it looks like there's a problem.

    Test Result:

    bool(false)
    Error Message:

    string(17) "SSL connect error"
    Error Message meanings:

    According to paypal the following error messages might be seen:

    HTTPS – tlstest.paypal.com will return an HTTP 400 response with the following text in the body: “ERROR! Connection is not HTTPS. Please use https://tlstest.paypal.com”

    HTTP/1.1 - tlstest.paypal.com will return an HTTP 400 response with the following text in the body: “ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1”

    TLS 1.2 (SHA-256) - An SSL connection error will be thrown by your code.
    Ben
    http://www.fairygoodies.co.uk



      #17
      I've yet to hear of anyone who has success with this.
      Have PayPal acted too prematurely perhaps?



        #18
        I've yet to hear of anyone who has success with this.
        I've had success on one of my web hosts. See post #14.

        Have PayPal acted too prematurely perhaps?
        I suspect most of the large hosting companies are very conservative on what updates they install and when. At the same time I believe PCI-DSS does now mandate the use of TLS1.2 and SHA-256 so I'm not sure Paypal had any option but to try and force the issue.
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #19
          Originally posted by Duncan Rounding:
          I've yet to hear of anyone who has success with this.
          Have PayPal acted too prematurely perhaps?
          I have checked my site hosted with Clook Internet and it seems to be OK
          string(20) "PayPal_Connection_OK"

          Test Result:
          string(20) "PayPal_Connection_OK"
          Error Message:
          string(0) ""
          Darren Guppy
          Golf Tee Warehouse
          Golf Tees and Golf Accessories.



            #20
            I have had a call from PayPal this morning about this. The business support guy was surprised to hear that anyone had issues - this was the first they knew of it.

            I have sent him a link to this thread.

            Clearly if PayPal doesn't realise that one of the biggest hosts 1&1, as well as others have problems, then the whole system is screwed.

            Basically we'll have to stop using PayPal if a solution isn't found.

            And where is Sellerdeck in all of this? Absolutely non-interested.
            Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



              #21
              Originally posted by guccij:
              And where is Sellerdeck in all of this? Absolutely non-interested.
              I'm just glad they haven't jumped in to this thread to sell their hosting services here...

              Hmm... I wonder if their hosting has the same problem?



                #22
                We've looked into this technically and I can confirm that on the website there are no implications beyond the one already covered (http://community.sellerdeck.com/showthread.php?t=56358).
                Last edited by brucet; 29-Mar-2016, 12:38 PM.
                Bruce Townsend
                Ecommerce Product Manager
                Sellerdeck Ecommerce Solutions



                  #23
                  Hi Bruce,

                  Can you just confirm that this response includes the September requirement for https on the IPN verification post back?

                  If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. For information, click HERE. https://www.paypal-knowledge.com/inf...ewlocale=en_US

                  Act by September 30, 2016
                  -----------------------------------------

                  First Tackle - Fly Fishing and Game Angling

                  -----------------------------------------



                    #24
                    Our problem is with TLS 1.2



                      #25
                      Sorry, correction to my earlier post. The web site integration as supplied does not support IPN directly. Beyond the hosting requirement already mentioned, it is not affected by the change.

                      You can set it up to use IPN yourself, and if you've done that then you should make sure that the notification URL uses https. (I don't have any details on how it's done, but if you've done it then you will understand the requirement).

                      The desktop-side PayPal integration introduced in SellerDeck 2016 will require an upgrade to the PHP version included with the software. This upgrade will be shipped with v16.0.2, which will be released mid May.
                      Bruce Townsend
                      Ecommerce Product Manager
                      Sellerdeck Ecommerce Solutions



                        #26
                        The web site integration as supplied does not support IPN directly.
                        At the risk of being called an idiot, of course it does. That's how you know someone has paid.
                        -----------------------------------------

                        First Tackle - Fly Fishing and Game Angling

                        -----------------------------------------



                          #27
                          Sagepay requires this also from 31st May, surely 1and1 will have to comply or we won't be able to take payments at all. You can test your domain here: https://www.sha2sslchecker.com. I note that 1and1 themselves have it in place!! How did you manage it Mike? I can see yours seem to be fine. Mine isn't.
                          Kind Regards
                          Karen

                          Charmed Cards & Crafts



                            #28
                            You can test your domain here: https://www.sha2sslchecker.com. I note that 1and1 themselves have it in place!! How did you manage it Mike? I can see yours seem to be fine. Mine isn't.
                            Hi Karen,

                            The sha2sslchecker test is testing the encryption level of the SSL certificate on your website. Mine was renewed last year and came up to spec then. Get on the phone to 1and1 support and they should be able to get you a new SSL certificate.

                            The issue with paypal is slightly different in that with paypal our servers have to be able to connect at the higher levels to their server using the advanced encryption protocols. 1and1 haven't implemented support for these on their servers yet so that still needs to be addressed.

                            Mike
                            -----------------------------------------

                            First Tackle - Fly Fishing and Game Angling

                            -----------------------------------------


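Mike's distinction above is the one people keep tripping over: sha2sslchecker looks at the hash used to sign the certificate the site presents, whereas the PayPal tester checks whether the host's own outbound TLS stack can reach PayPal over TLS 1.2. The first of those can be checked offline from the certificate file. The Python below is an added example written for this thread, not code from PayPal, Sellerdeck, 1and1 or sha2sslchecker: a minimal DER walker that pulls the signatureAlgorithm OID out of an X.509 certificate (PEM or DER) and reports the hash family. It uses only the standard library; the two "certificates" it builds at the bottom are constructed stand-ins with the correct outer layout and a dummy body, not real certificates, so it runs without any file or network access.

```python
# Added example (not PayPal/Sellerdeck/sha2sslchecker code): classify a certificate's
# signature as SHA-1 or SHA-2 by reading the signatureAlgorithm OID from its DER.
import base64

# Signature algorithm OIDs seen on real certificates, mapped to (name, hash family).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the definite-length DER element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def encode_oid(dotted):
    """DER content bytes of an OBJECT IDENTIFIER given in dotted form (base-128 arcs)."""
    nums = [int(x) for x in dotted.split(".")]
    out = bytearray([nums[0] * 40 + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append((n & 0x7F) | 0x80)  # continuation bit on all but the last byte
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """Dotted form of DER OID content bytes (inverse of encode_oid)."""
    parts = [str(raw[0] // 40), str(raw[0] % 40)]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def pem_to_der(data):
    """Accept PEM or DER bytes; return DER."""
    if data.lstrip().startswith(b"-----BEGIN"):
        lines = [ln for ln in data.splitlines() if ln and not ln.startswith(b"-----")]
        return base64.b64decode(b"".join(lines))
    return data


def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block (used by the demo below)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


def signature_oid(cert):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    der = pem_to_der(cert)
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(der, start)        # tbsCertificate: skipped as a whole
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # signatureAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def signature_hash(cert):
    """Hash family of the certificate signature, e.g. 'SHA-256'; unknown OIDs are reported."""
    oid = signature_oid(cert)
    return SIG_ALG_OIDS.get(oid, ("unknown", "unknown OID " + oid))[1]


def _der(tag, content):
    """Encode one definite-length DER element with a minimal length field."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def constructed_certificate(sig_oid):
    """Constructed stand-in: real outer layout, dummy tbsCertificate and signature bits."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # SEQUENCE { INTEGER 1 }
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL params
    sig = _der(0x03, b"\x00" + b"\xAB" * 16)                             # BIT STRING, 0 unused
    return _der(0x30, tbs + alg + sig)


SHA1_SIGNED = constructed_certificate("1.2.840.113549.1.1.5")    # what sha2sslchecker flags
SHA256_SIGNED = constructed_certificate("1.2.840.113549.1.1.11")  # what it wants to see

if __name__ == "__main__":
    for name, cert in (("sha1", SHA1_SIGNED), ("sha256", SHA256_SIGNED)):
        print(name, signature_oid(cert), signature_hash(to_pem(cert)))
```

Feed it the site's own certificate file to see the same answer sha2sslchecker gives. What it cannot tell you is the other half of Mike's point: whether the hosting server's OpenSSL is new enough to open a TLS 1.2 connection to PayPal, which is exactly what the "SSL connect error" from the PayPal tester in post #16 is reporting.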

                              #29
                              Bruce,

                              Can I check a couple of your answers as I think there's still a lack of clarity on this issue:

                              Sorry, correction to my earlier post. The web site integration as supplied does not support IPN directly. Beyond the hosting requirement already mentioned, it is not affected by the change.
                              Are you talking about the new integration available from 14.0.2 onwards that supports Payment Data Transfer (PDT) as an alternative to IPN? i.e. as referenced here:

                              http://community.sellerdeck.com/showthread.php?t=56694

                              If so, then I assume people using anything before 14.0.2 will still be using IPN and this will still be an issue?

                              In addition, if PDT is the preferred option then aren't the same issues going to apply? Or is there something about PDT that doesn't require a secure connection to comply with the updated PCI-DSS standards?


                              You can set it up to use IPN yourself, and if you've done that then you should make sure that the notification URL uses https. (I don't have any details on how it's done, but if you've done it then you will understand the requirement).
                              As I understand it, the September issue for PayPal is for the case where the IPN notification is posted back to paypal for verification. This doesn't sound to me like just being a case of using https for the notification url (and would require an SSL certificate on the web server if it was).

                              If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. For information, click HERE. https://www.paypal-knowledge.com/inf...ewlocale=en_US

                              Act by September 30, 2016
                              Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed.
                              To me this sounds as if it's saying the postback to Paypal to verify the IPN notification will have to use https and this would need to be a feature of the website integration. It doesn't sound like anything under the sellerdeck users control.
                              -----------------------------------------

                              First Tackle - Fly Fishing and Game Angling

                              -----------------------------------------


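Mike's reading of the PayPal notice is the right one: the postback is a request the merchant's own server makes to PayPal to verify a notification it just received, so it is the server's outbound HTTPS client that has to be up to the job, not the certificate on the shop's notify URL. To make that concrete, here is an added Python example written for this thread (not Sellerdeck's integration code and not a PayPal SDK). The live and sandbox verification endpoints and the `cmd=_notify-validate` prefix are PayPal's documented IPN protocol, which this thread does not quote; the sample IPN body and the `fake_paypal_transport` function are constructed so the example runs offline, and the extra checks in `payment_acceptable` are the usual defensive ones an integration should do after a VERIFIED reply.

```python
# Added example (not Sellerdeck/PayPal code): IPN verification postback over HTTPS only,
# plus the checks that should follow a VERIFIED reply before an order is marked paid.
import urllib.parse
import urllib.request

# PayPal's documented IPN verification endpoints (not quoted in this thread).
IPN_VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
IPN_SANDBOX_VERIFY_URL = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"


def postback_url_allowed(url):
    """The postback goes from the merchant server to PayPal; only https is accepted now."""
    parts = urllib.parse.urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_verification_body(raw_ipn_body):
    """PayPal compares the message byte-for-byte: add the cmd prefix, change nothing else."""
    return b"cmd=_notify-validate&" + raw_ipn_body


def https_post(url, body):
    """Real transport: POST the body to PayPal and return its one-word reply."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:  # needs an OpenSSL with TLS 1.2
        return resp.read().decode("utf-8", "replace").strip()


def verify_ipn(raw_ipn_body, verify_url=IPN_VERIFY_URL, transport=https_post):
    """True for VERIFIED, False for INVALID; refuses to post over plain http at all."""
    if not postback_url_allowed(verify_url):
        raise ValueError("IPN postback must use https, refusing: " + verify_url)
    reply = transport(verify_url, build_verification_body(raw_ipn_body))
    if reply == "VERIFIED":
        return True
    if reply == "INVALID":
        return False
    raise RuntimeError("unexpected reply from PayPal: %r" % reply)


def payment_acceptable(raw_ipn_body, expected_receiver, seen_txn_ids,
                       transport=https_post, verify_url=IPN_VERIFY_URL):
    """VERIFIED alone is not enough: check status, payee and replay before marking paid."""
    if not verify_ipn(raw_ipn_body, verify_url, transport):
        return False
    fields = {k: v[0] for k, v in
              urllib.parse.parse_qs(raw_ipn_body.decode("utf-8")).items()}
    txn_id = fields.get("txn_id", "")
    if fields.get("payment_status") != "Completed":
        return False
    if fields.get("receiver_email", "").lower() != expected_receiver.lower():
        return False
    if not txn_id or txn_id in seen_txn_ids:   # a replayed notification is not a new payment
        return False
    seen_txn_ids.add(txn_id)
    return True


# Constructed sample of what PayPal POSTs to the notify URL, for the offline demo only.
SAMPLE_IPN_BODY = (
    b"txn_id=EXAMPLE-TXN-0001&payment_status=Completed"
    b"&receiver_email=shop%40example.co.uk&mc_gross=19.99&mc_currency=GBP"
)


def fake_paypal_transport(url, body):
    """Offline stand-in for https_post: answers as PayPal would for the sample body."""
    if not url.startswith("https://"):
        raise AssertionError("fake transport must never see a plain-http URL")
    return "VERIFIED" if body == build_verification_body(SAMPLE_IPN_BODY) else "INVALID"


def demo():
    """Process the same sample notification twice to show the replay guard."""
    seen = set()
    first = payment_acceptable(SAMPLE_IPN_BODY, "shop@example.co.uk", seen,
                               transport=fake_paypal_transport)
    second = payment_acceptable(SAMPLE_IPN_BODY, "shop@example.co.uk", seen,
                                transport=fake_paypal_transport)
    return first, second


if __name__ == "__main__":
    print(demo())
```

Run against the real endpoint by leaving `transport` at its default; on a host whose OpenSSL cannot negotiate TLS 1.2 the `urlopen` call fails with the same class of SSL connect error the tester in post #16 shows, which is why this is a hosting problem rather than something a merchant can fix in the notify URL.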

                                #30
                                I chased 1and1 for an answer and today I got this:

                                At the moment we still have set exact date for deployment of TLS 1.2

                                Once the date have been confirmed we will be notifying the customers.
                                I think there's a typo in there, but I read it as they are doing something about this.
