TLS 1.2 and HTTP/1.1 Upgrade

PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal. You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates. For information, click HERE.

Act by June 2018*

Discontinue Use of GET Method for Classic APIs

PayPal will no longer support the use of the GET HTTP request method for our classic NVP/SOAP APIs. If you currently use any of these APIs, you will need to ensure that your API requests only use the POST HTTP request method. For information, click HERE.

Act by June 2018*

IPN Verification Postback to HTTPS

If you are using PayPal's Instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported. For information, click HERE.

Act by June 2018*

Merchant API Certificate Credentials Upgrade

The API certificate credentials issued by PayPal for use with the Classic API are being upgraded to SHA-256 signed 2048-bit certificates. If you currently connect to PayPal using API certificate credentials, you will need to generate a new API certificate via your account profile and use it for all API requests. For information, click HERE.

Act by September 2018 (depending on your certificate expiration date)*

Security Best Practices

Future-proofing your integration is a constant challenge, and PayPal is here to help. For a review of security best practices, click HERE.

PayPal is committed to providing the highest level of security to protect customer and transactional data, and we work closely with our merchant community to do the same. In response to feedback from several merchants, PayPal did not strictly enforce some of these vital security upgrades prior to the June 2017 deadline. However, in order to provide the most secure experience for all of our customers, PayPal must proceed with implementing these upgrades in the first half of 2018. In early 2018, we will conduct brief rounds of testing which will emulate the upgraded security experience so that merchants can understand the areas of their integration that still require work. Dates for these tests and full deployment will be published on this site at least two weeks prior to implementation.

Completed Items

IP Address Update for Secure FTP Servers

If your integration is set up to systematically exchange files with PayPal's Secure FTP Reporting/Batch Servers, please note that the IP addresses for these servers have changed. If your integration is hardcoded to the previous IP addresses, you will need to upgrade immediately to avoid any disruption of service. For information, click HERE.

Complete as of May 12, 2016

SSL Certificate Upgrade

PayPal has upgraded the SSL certificates used to secure our web sites and API endpoints. These new certificates are signed using the SHA-256 algorithm and VeriSign's 2048-bit G5 Root Certificate. You will need to ensure that your environment supports the use of the SHA-256 algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate. For information, click HERE.

Complete as of October 18, 2016