    Paypal 2016 Merchant Security Upgrades

    I've seen the other thread called 'what does Upgrade to SHA-256 mean for us' but it doesn't actually have an answer to the question, does it?

    I use the integrated Paypal Express Checkout on V14. I'm expecting that this means I have nothing to worry about... but does anyone know? Are there any announcements from Sellerdeck regarding this?


    We recently announced several security upgrades planned for this year, some of which may require you to make changes to your integration. You’re receiving this email because we’ve identified areas of your integration that may need to be upgraded.

    What you’re about to read is very technical in nature – we understand that. Please contact the parties responsible for your PayPal integration, or your third party vendor (for example, shopping cart provider, and so on) to review this email.


    They’re best positioned to help you make the changes outlined in this email and in the 2016 Merchant Security Roadmap Microsite.

    What do I need to do as a merchant?

    Here are the steps you’ll need to take to ensure your integration is up to date and you don’t experience a disruption of service when the changes happen.

    Step 1:
    Consult with someone who understands your integration. We encourage you to consult with the parties that set up your integration, which could be a consultant or third-party shopping cart. You may also need to find someone who can assist with making your integration changes.

    Step 2: Understand how these changes affect your integration. Here are the key areas requiring your attention.
    • If the chart shows “Yes”, you may require changes to be compatible with that security upgrade.
    • If you see a “No,” our data shows that you are already compliant or do not use that functionality.

    There may be other changes you need to make, but please pay particular attention to the following areas:

    Change                                                   Do I need to make a change?
    -------------------------------------------------------  ---------------------------
    SSL Certificate Upgrade to SHA-256                       Yes
    TLS 1.2 and HTTP/1.1 Upgrade                             Yes
    IPN Verification Postback to HTTPS                       No
    IP Address Update for PayPal Secure FTP Servers          No
    Merchant API Certificate Credential Upgrade              No
    Discontinue Use of GET Method for Classic NVP/SOAP APIs  No

    Step 3:
    Get the technical details about these changes. Detailed information about each of the changes and a location to test your integration are available on our 2016 Merchant Security Roadmap Microsite. Select the hyperlinks in the chart for information about specific change events.

    Step 4: Make the appropriate changes by each “Act by” date*. It’s important to have your changes in place by the “Act by” date for each change event.

    Step 5: Future-proof your integration. We recommend that you go through the Best Practices section on our 2016 Merchant Security Roadmap Microsite.
    Arka Tribal Jewellery

    #2
    I just received the same email. In my case I use the standard paypal integration which is probably used by the majority of sellerdeck users.

    My understanding of this is that it has nothing to do with SSL certificates used on the website but is all about the secure communications channels used to communicate with paypal and the IPN / success callback.

    So between us, paypal express and paypal standard users, I think we clearly need sellerdeck to take a look at what needs doing and explain how they're going to go ahead with any changes that might be necessary.

    Could someone from sellerdeck at least acknowledge that they're aware of this issue and are looking into it? That would be better than the total silence we usually get until it really p's people off and gets escalated.
    -----------------------------------------

    First Tackle - Fly Fishing and Game Angling

    -----------------------------------------



      #3
      support pointed me towards this;

      http://community.sellerdeck.com/showthread.php?t=56358
      Arka Tribal Jewellery



        #4
        So,

        After digging around a bit on this here's my understanding of the situation:

        1. SSL upgrade to SHA256.

        Paypal are upgrading their SSL certificates to SHA256 with a higher level of certificate signing. We just need to make sure that our servers are able to accept an SSL connection using these specifications.

        I haven't figured out yet how to test this. Paypal have described a php test that can be run from a putty SSH shell but I haven't been able to get this to work yet. I'm still looking at it.

        2. http/1.1 and TLS1.2

        Both of these must be supported by the server. In the case of 1and1:

        - http/1.1 - Yes
        - TLS1.2 - No. Only TLS1.0 is currently supported on the shared servers.

        I have spoken to 1and1 about this and they have confirmed that this has already been escalated internally and is now being looked at. My ticket has been added to the original so I'll be copied on the response when they get an answer and will post back here.
        -----------------------------------------

        First Tackle - Fly Fishing and Game Angling

        -----------------------------------------



          #5
          Paypal have put in place a test url so you can test your server.

          I've written some php code to test your server against this url. Copy and paste the following code to a .php file and then upload to your site and visit the page. I called mine TSLcheck.php but you can use whatever name you like.

          <html>
          <head>
          <title>Paypal TLS tester</title>
          <meta name="author" content="Mike Hughes">
          </head>
          <body>

          <p><b>Paypal TLS Tester</b></p>

          <p>If you see 'PayPal_Connection_OK' below - Great, everything is OK.</p>
          <p>If you see 'bool(false)' then it looks like there's a problem.</p>

          <?php
          // Open an HTTPS connection to PayPal's test endpoint using whatever TLS
          // version and HTTP version this server's cURL/OpenSSL build negotiates
          // by default, which is what the live PayPal calls will also use.
          $curl = curl_init();
          curl_setopt($curl, CURLOPT_URL, "https://tlstest.paypal.com/");
          curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);   // hand back the body instead of printing it

          $result = curl_exec($curl);                      // false if the connection or handshake failed

          echo "<p><b>Test Result:</b></p>";
          var_dump($result);
          echo "<p><b>HTTP Status:</b></p>";
          var_dump(curl_getinfo($curl, CURLINFO_HTTP_CODE)); // 200 on success, 400 for the PayPal error texts below, 0 if no connection was made
          echo "<p><b>Error Message:</b></p>";
          var_dump(curl_error($curl));                     // empty string when the request succeeded
          curl_close($curl);
          ?>
          <p><b>Error Message meanings:</b></p>
          <p>According to paypal the following error messages might be seen:</p>
          <p>HTTPS – tlstest.paypal.com will return an HTTP 400 response with the following text in the body:
          “ERROR! Connection is not HTTPS. Please use https://tlstest.paypal.com”</p>
          <p>HTTP/1.1 - tlstest.paypal.com will return an HTTP 400 response with the following text in the body:
          “ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1”</p>
          <p>TLS 1.2 (SHA-256) - An SSL connection error will be thrown by your code.</p>


          </body>
          </html>
          I've tested it on my site on a 1and1 shared server and it confirms there is a problem. I get the error message

          string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "

          It would be nice if other people could try it to see if works for them.

          Mike
          -----------------------------------------

          First Tackle - Fly Fishing and Game Angling

          -----------------------------------------
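As an added example (not code from this thread, and not SellerDeck's or PayPal's), here is a stricter variant of the tester in the post above. It covers the same two "Yes" rows from the PayPal email in the first post: it forces TLS 1.2 and HTTP/1.1 on the request so that a connection that only works by accident is not mistaken for a compliant one, keeps certificate verification on (which is what exercises the SHA-256 chain), and reports which SSL library PHP's cURL was built against, since an OpenSSL older than 1.0.1 cannot speak TLS 1.2 at all and is the usual root cause on older shared hosts. The URL is the one PayPal published; the field names in the result array are my own.

```php
<?php
// Added example: stricter PayPal TLS probe. Assumes PHP 5.3+ with the cURL
// extension; the CURL_SSLVERSION_TLSv1_2 constant needs PHP 5.5+ / libcurl 7.34+.
function paypal_tls_probe($url = 'https://tlstest.paypal.com/')
{
    $result = array(
        'curl_ssl_backend' => null,   // e.g. "OpenSSL/1.0.1e"; OpenSSL/0.9.8 means no TLS 1.2
        'tls12_forced'     => false,  // true when the request was pinned to TLS 1.2
        'http_code'        => 0,      // 0 means no HTTP response was received at all
        'body'             => null,   // 'PayPal_Connection_OK' on success
        'error'            => null,   // cURL's error text, if any
        'verdict'          => 'FAIL',
    );

    $ver = curl_version();
    $result['curl_ssl_backend'] = $ver['ssl_version'];

    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);    // keep chain verification on
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);       // and hostname matching
    curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 15);

    // If the constant is missing the PHP/cURL build is too old to even ask for
    // TLS 1.2; record that instead of silently falling back to "whatever works".
    if (defined('CURL_SSLVERSION_TLSv1_2')) {
        $result['tls12_forced'] = true;
        curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }

    $body = curl_exec($curl);
    $result['http_code'] = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    $err = curl_error($curl);
    $result['error'] = ($err === '') ? null : $err;
    $result['body'] = ($body === false) ? null : trim($body);
    curl_close($curl);

    if ($result['tls12_forced']
        && $result['http_code'] === 200
        && $result['body'] === 'PayPal_Connection_OK') {
        $result['verdict'] = 'PASS';
    }
    return $result;
}

// Upload as a .php file and open it in a browser, as with the tester above.
header('Content-Type: text/plain');
$r = paypal_tls_probe();
echo "cURL SSL backend : " . $r['curl_ssl_backend'] . "\n";
echo "TLS 1.2 forced   : " . ($r['tls12_forced'] ? 'yes' : 'no (constant missing, PHP/cURL too old)') . "\n";
echo "HTTP status      : " . $r['http_code'] . "\n";
echo "Body             : " . var_export($r['body'], true) . "\n";
echo "cURL error       : " . var_export($r['error'], true) . "\n";
echo "Verdict          : " . $r['verdict'] . "\n";
```

Reading the output: PASS means the host negotiated TLS 1.2, spoke HTTP/1.1 and verified PayPal's SHA-256 signed chain, so the two "Yes" rows are covered. "Unknown SSL protocol error" or "SSL connect error" together with an old OpenSSL backend is the handshake failing because the library cannot do TLS 1.2, which only the host can fix. An "SSL certificate problem" error is a different fault: the server's CA bundle cannot build the chain. Fix the bundle rather than turning CURLOPT_SSL_VERIFYPEER off, since disabling it would leave the live PayPal calls open to interception.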



            #6
            Same error here on 1&1 Business / Linux. I get error:
            Code:
            If you see 'bool(false)' then it looks like there's a problem.
            
            Test Result:
            
            bool(false)
            Error Message:
            
            string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "
            Norman - www.drillpine.biz
            Edinburgh, U K / Bitez, Turkey



              #7
              Yup our 1and1 dedicated server has the same result:

              string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 "
              Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



                #8
                SellerDeck are aware of this and will issue an update regarding the impact.



                  #9
                  Thanks Duncan,

                  While Sellerdeck are looking at this can you make sure that the September change is looked at too.

                  If you are using PayPal’s Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. For information, click HERE. https://www.paypal-knowledge.com/inf...ewlocale=en_US

                  Act by September 30, 2016
                  It sounds to me as if they're saying the callback to Paypal to verify the IPN will have to be made using https. If it isn't already done this way then it should be a simple change to the code but it would be nice to have confirmation of what, if anything, will be done and when.
                  -----------------------------------------

                  First Tackle - Fly Fishing and Game Angling

                  -----------------------------------------
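As an added example (not code from this thread, and not SellerDeck's or PayPal's), here is what the September change described in the post above looks like in an IPN listener: the verification postback goes to PayPal over HTTPS only, with certificate checking on and TLS 1.2 requested where the build allows it. Assumptions that are not on this page: the postback host ipnpb.paypal.com (the host PayPal's own IPN samples use; the sandbox equivalent is ipnpb.sandbox.paypal.com), and the shop-specific values in $expected, which are placeholders.

```php
<?php
// Added example: IPN listener with HTTPS-only verification postback.
// Assumed values: the postback URL and the entries in $expected.
$expected = array(
    'receiver_email' => 'payments@example.co.uk', // assumed: the shop's PayPal account e-mail
    'mc_currency'    => 'GBP',                    // assumed: the currency the shop charges in
);

// Echo the raw IPN message back to PayPal prefixed with cmd=_notify-validate.
// Returns array('status' => 'VERIFIED'|'INVALID'|'ERROR', 'detail' => string|null).
function paypal_ipn_postback($rawPost, $verifyUrl = 'https://ipnpb.paypal.com/cgi-bin/webscr')
{
    // Rebuild from the raw body so the field order and encoding PayPal sent
    // are preserved exactly; $_POST would normalise some of them.
    $req = 'cmd=_notify-validate';
    foreach (explode('&', $rawPost) as $pair) {
        $kv = explode('=', $pair, 2);
        if (count($kv) === 2) {
            $req .= '&' . $kv[0] . '=' . urlencode(urldecode($kv[1]));
        }
    }

    $curl = curl_init($verifyUrl);                       // https:// only; an http:// URL here is what stops working
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $req);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);    // never disable: the answer decides whether goods ship
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
    curl_setopt($curl, CURLOPT_FORBID_REUSE, true);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Connection: Close', 'User-Agent: PHP-IPN-Verifier'));
    if (defined('CURL_SSLVERSION_TLSv1_2')) {
        curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }
    $res = curl_exec($curl);
    $err = curl_error($curl);
    curl_close($curl);

    if ($res === false) {
        return array('status' => 'ERROR', 'detail' => $err);
    }
    return array('status' => trim($res), 'detail' => null);
}

// VERIFIED only proves PayPal sent the message; these checks prove it is the
// payment you think it is. Returns a list of problems, empty when all is well.
function paypal_ipn_checks(array $post, array $expected)
{
    $problems = array();
    // PayPal may return the e-mail in a different case from how it was entered.
    if (!isset($post['receiver_email'])
        || strcasecmp($post['receiver_email'], $expected['receiver_email']) !== 0) {
        $problems[] = 'receiver_email does not match this shop';
    }
    if (!isset($post['mc_currency']) || $post['mc_currency'] !== $expected['mc_currency']) {
        $problems[] = 'unexpected currency';
    }
    if (!isset($post['payment_status']) || $post['payment_status'] !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    return $problems;
}

// Listener entry point: PayPal POSTs the IPN here.
$raw = file_get_contents('php://input');
$verify = paypal_ipn_postback($raw);
if ($verify['status'] === 'VERIFIED') {
    $problems = paypal_ipn_checks($_POST, $expected);
    // Before marking the order paid, also compare txn_id against orders already
    // paid (PayPal resends IPNs) and mc_gross against the order total.
    if (empty($problems)) {
        error_log('IPN verified for txn ' . $_POST['txn_id']);
    } else {
        error_log('IPN verified but rejected: ' . implode('; ', $problems));
    }
} else {
    error_log('IPN not verified: ' . $verify['status'] . ' ' . $verify['detail']);
}
// Respond 200 whatever the outcome so PayPal stops retrying this message.
header('HTTP/1.1 200 OK');
```

The postback itself is a one-line change (the scheme of the URL), but it depends on the same TLS 1.2 capability the tester in post #5 checks: a host that fails that test will fail the HTTPS postback too, and every IPN will come back as ERROR rather than VERIFIED.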



                    #10
                    I've contacted 1and1, we have our sites on their Dedicated Managed Servers, their answer is:

                    Our Managed Dedicated servers do not support TLS1.2 and unfortunately due to the configuration of the managed servers this cannot be upgraded.
                    I will try to push them to escalate also...

                    The php fails on our sites.



                      #11
                      Right so we're all leaving 1&1 then? Grr.
                      Reusable Snore Earplugs : Sample Earplugs - Wax Earplugs - Women's Earplugs - Children's Earplugs - Music Earplugs - Sleep Masks



                        #12
                        Heart Internet Shared Hosting gives :

                        Code:
                        If you see 'bool(false)' then it looks like there's a problem.

                        Test Result:
                        bool(false)

                        Error Message:
                        string(17) "SSL connect error"
                        Elysium:Online - Official Accredited SellerDeck Partner
                        SellerDeck Design, Build, Hosting & Promotion
                        Based in rural Northants



                          #13
                          Same result with Heart Internet VPS


                          Have asked their support the question...... I'll report back.
                          Elysium:Online - Official Accredited SellerDeck Partner
                          SellerDeck Design, Build, Hosting & Promotion
                          Based in rural Northants



                            #14
                            Just as a check, I ran the script on some cheap hosting I have with M247 and everything passes.

                            string(20) "PayPal_Connection_OK"
                            So at least I know the script is working and where I can go if 1and1 don't get their act together.
                            -----------------------------------------

                            First Tackle - Fly Fishing and Game Angling

                            -----------------------------------------



                              #15
                              Hi,

                               Thanks for the script. I have two sites hosted with teclan personally and a friend has 3; I just tried it and it confirms a problem too, so I will get hold of teclan.
                              Many Thanks
                              Lee
                              www.mdnsupplies.co.uk
                              www.hookandloopfasteners.co.uk
