PayPal currently accepts both GET and POST HTTP methods on our classic NVP/SOAP APIs, used for Express Checkout, Website Payments Pro, MassPay and Button Manager. Going forward, PayPal will allow the use of the POST request method only for these APIs. This change will not impact the behaviors of our other API products, such as REST and Adaptive APIs.
To avoid any disruption of service, you must verify that your systems are ready for this change by June 30, 2017.
While we are allowing for these security updates to be made after June 30, 2017, we continue to recommend that you prioritize the changes and updated protocols specified by the PCI Council so you are best positioned to protect your customers from security and fraud-related issues.
About Classic NVP/SOAP APIs
In most cases, PayPal’s classic APIs are integrated using either the Name-Value Pair (NVP) or the Simple Object Access Protocol (SOAP) interface and use PayPal’s api* endpoints (such as “api-3t.paypal.com”). These NVP/SOAP APIs are used for Express Checkout, Website Payments Pro, MassPay and Button Manager. You can determine if a request is using an NVP/SOAP API by looking at the URL used for the request to see if it matches these criteria:
For more details, including a full list of API operations, see the FAQs below, as well as the NVP and SOAP API Reference documentation on the Developer Portal.
Temporary Sandbox Endpoints - Ready Now
PayPal has created new, temporary Sandbox endpoints that have been configured with the latest security standards to which the Sandbox and Production endpoints will be moving. You can use these temporary endpoints to verify that your code supports the required standards before the Sandbox endpoints are updated:
These endpoints will be available until September 30, 2016.
Sandbox Endpoints - Ready after June 17, 2016
The Sandbox environment will allow the use of the POST method only for classic NVP/SOAP API requests:
Production Endpoints - Ready after June 30, 2017
The Production environment will allow the use of the POST method only for classic NVP/SOAP API requests:
What is the difference between the GET and POST HTTP request methods?
GET is used to request data, while POST is used to submit data to a specified resource. From a security perspective, the key difference is that GET requests pass parameters in the URL and can be cached. This site has much more detail about the differences.
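The difference described above, as an added example (not PayPal's code): this Python sketch rebuilds a GET-style NVP call as a POST so the credential pairs move from the URL into the request body, and checks that nothing sensitive is left in the URL. The host api-3t.example.test, the /nvp path, the field names USER, PWD, SIGNATURE, METHOD and VERSION, and all values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed legacy call: credentials and the operation sit in the query
# string. Host, path, field names and values are placeholders (assumptions).
LEGACY_GET_URL = (
    "https://api-3t.example.test/nvp"
    "?USER=sdk-user_api1.example.com&PWD=EXAMPLE-PASSWORD"
    "&SIGNATURE=EXAMPLE-SIGNATURE&METHOD=GetBalance&VERSION=204.0"
)

SENSITIVE_FIELDS = ("USER", "PWD", "SIGNATURE")


def to_post_request(legacy_url: str) -> Request:
    """Rebuild a GET-style NVP call as a POST with the pairs in the body."""
    parts = urlsplit(legacy_url)
    if parts.scheme != "https":
        raise ValueError("NVP calls carry credentials; refusing non-HTTPS URL")
    pairs = parse_qsl(parts.query, keep_blank_values=True, strict_parsing=True)
    if not pairs:
        raise ValueError("no NVP parameters found in the query string")
    # Drop query and fragment so nothing sensitive remains in the URL.
    bare_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    body = urlencode(pairs).encode("ascii")
    return Request(
        bare_url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def leaks_in_url(req: Request, sensitive=SENSITIVE_FIELDS) -> list:
    """Return the sensitive NVP field names still present in the request URL."""
    names = {name for name, _ in parse_qsl(urlsplit(req.full_url).query)}
    return sorted(names & set(sensitive))


if __name__ == "__main__":
    post = to_post_request(LEGACY_GET_URL)  # built only, never sent
    print(post.get_method(), post.full_url)
    print("fields left in URL:", leaks_in_url(post))
```

Running `leaks_in_url` over the requests an integration actually builds is a quick pre-cutover check that no call still places credentials in the URL.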
Why is the PayPal REST API not impacted?
The REST API uses the various HTTP request methods as part of the API design. The GET method is used to request details about an object. Because API credential information is passed as HTTP headers, the risk associated with the caching of GET requests is reduced.
What are the specific API operations affected by this change?
Express Checkout API Operations
Mass Payments API Operation
Website Payments Pro API Operations
Button Manager API Operations
For more help, go to https://www.paypal-techsupport.com.