paypal logo

Merchants and partners use HTTPS to securely connect with PayPal’s servers. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To ensure the security of our systems and adhere to industry best practices, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections.

To avoid any disruption of service, you must verify that your systems are ready for this change by June 2018.

PayPal is committed to providing the highest level of security to protect customer and transactional data, and we work closely with our merchant community to do the same. In response to feedback from several merchants, PayPal did not strictly enforce some of these vital security upgrades prior to the June 2017 deadline. However, in order to provide the most secure experience for all of our customers, PayPal must proceed with implementing these upgrades in the first half of 2018. In early 2018, we will conduct brief rounds of testing which will emulate the upgraded security experience so that merchants can understand the areas of their integration that still require work. Dates for these tests and full deployment will be published on this site at least two weeks prior to implementation.

NOTE: To avoid having to make versioning changes reactively in the future, we recommend that you code your system to always negotiate using the most recent version possible.

Sandbox and Payflow Pilot Endpoints - Ready Now

The PayPal Sandbox and Payflow Pilot endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards before the Production endpoints are updated. These endpoints allow only TLS 1.2 and HTTP/1.1 connections:

Production Endpoints - Ready after June 2018

The Production endpoints will allow only TLS 1.2 and HTTP/1.1 connections:

NOTE: For details on Braintree endpoints, click here.

Verify your systems at!

PayPal has created a new endpoint - - to help you verify that your systems can support the latest security standards. This endpoint supports all of the security standards to which the PayPal endpoints are moving.

As every system build is different, you will need to contact your systems administrator to upgrade your framework to support TLS 1.2. If you need further outside assistance, please see our PayPal Partner Directory for businesses that assist with these types of systems questions. For additional help, we have put together language-specific testing notes for common environments. We expect significant impact to Java environments, including Android. Other environments, including .NET, PHP, Ruby, Python and Node.js, may also be affected. For complete details, see:

Do I need to use TLS 1.2 when connecting to Braintree endpoints?

Yes, Braintree is upgrading its services to require TLS 1.2 for all HTTPS connections. For details and timelines, click here.

Will PayPal be changing its dates now that the PCI Council has changed its deadline? New!

Yes. As you may be aware, the Payment Card Industry Security Standards Council (PCI Council) recently extended the deadline payment processors have to make these changes from 2016 to 2018. To ensure we continue to set the bar in providing the highest security standards available while also accommodating the needs of our customers, PayPal has made the decision to allow security updates to be made after June 30, 2017. To avoid any disruption of service, you must verify that your systems are ready for this change by June 2018. We continue to recommend that you prioritize the changes and updated protocols specified by the PCI Council so you are best positioned to protect your customers from security and fraud-related issues.

What happened to the Temporary Sandbox endpoints?

The following endpoints were made available for testing against the new standards before the Sandbox endpoints were updated. Now that the Sandbox endpoints have been updated, these test endpoints should not be used.

For more help, go to