For detailed information on these changes, please reference the Merchant Security System Upgrade Guide (localized versions are attached below). For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.
NOTE: These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and Application Programming Interfaces (APIs).
Note: The clearest way to determine whether your system already supports the upcoming requirements is to have a web developer or system administrator run a test of your integration using the PayPal Sandbox. A failure in testing with the Sandbox indicates you should review all the following information and upgrade your system’s environment.
Sandbox Endpoints - Ready Now
The PayPal Sandbox endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards before the Production endpoints are updated. These endpoints have been upgraded to the new SHA-256, 2048-bit certificates:
Production Endpoints - Ready Now
The following Production endpoints have been upgraded to the new SHA-256, 2048-bit certificates:
For additional information on these changes, please reference the Merchant Security System Upgrade Guide (localized versions are attached below).
What happened to SHA-1?
Can I update BOTH the G5 root and SHA-256 certificate at the same time?
Yes. First, confirm that the VeriSign G5 Root Certificate is in your keystore. If not, then download and add it. Next, update your SSL software to process SHA-256 certificates.
My systems require that certificates be installed in the keystore. Where can I get the new certificates that will be deployed by PayPal?
The new certificates that will be deployed later this year can be found here along with the current production certificates.
How do I know if my integration is affected?
We have made changes to the Sandbox environments prior to the upcoming Live changes, so you can verify your integration against the Sandbox.
If you see these or similar error messages in the Sandbox environment, you will need to update your integration before we make changes to our Live environment.
Do I need to update my SDK?
No, however, you may want to verify that you are using the latest version of your SDK. If not, follow the instructions provided to update your SDK. If you are not using a PayPal SDK, then you will need to contact your third-party provider for assistance.
Although an upgrade shouldn't be required for the certificate, an upgrade may be required for TLS 1.2. For details, see the TLS microsite.
How do I resend an IPN that failed in the POST back validation?
You can resend the IPN from your PayPal account. For detailed instructions, please see Resending IPN Messages at developer.paypal.com.
NOTE: The IPN will not display as “Fail,” as those IPNs were successfully delivered to their server; however, they failed in the POST back to get the validation.
How do I test IPN in the Sandbox environment?
See IPN Testing at developer.paypal.com, and refer specifically to "Sandbox testing." For additional help, you can open a ticket on the PayPal Technical Support page. For the Product option, be sure to select "Security Changes (TLS/Certificate)," which is pinned at the top of the list.
For more help, go to https://www.paypal-techsupport.com.