Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
To avoid any disruption of service, you must verify that your systems
are ready for this change by June 30, 2017
While we are allowing for these security updates to be made after June 30, 2017, we continue to recommend that you prioritize the changes and updated protocols specified by the PCI Council so you are best positioned to protect your customers from security and fraud-related issues.
NOTE: In addition to requiring HTTPS, PayPal is also upgrading the security standards of all external endpoints. You should verify that your current systems support these requirements. More details can be found on the SSL and TLS microsites.
The ipnpb.paypal.com and ipnpb.sandbox.paypal.com endpoints accept only HTTPS connections. If you currently use www.paypal.com, you should move to ipnpb.paypal.com when you update your code to use HTTPS.
When used for IPN postbacks, www.sandbox.paypal.com will accept only HTTPS connections.
After June 30, 2017
When used for IPN postbacks, www.paypal.com will accept only HTTPS connections.
Why is PayPal making this change?
PayPal is upgrading all external endpoints used by merchants and partners to make programmatic connections. One of these changes is allowing the use of HTTPS only when connecting with PayPal systems to ensure that all information is securely transmitted. IPN messages contain sensitive information about your customers and their transactions that should only be passed securely.
What are the upgraded security standards that PayPal is moving to for all external endpoints?
PayPal is upgrading all of its external endpoints to the latest industry standards:
For more help, go to https://www.paypal-techsupport.com.