paypal logo
undefined
  1. Supports SHA-256. PayPal is going to change the SSL certificates in all active endpoints and from the SHA-1 test environment to the SHA-256 algorithm, which is more robust and powerful. You must change the integration to be compatible with certificates that use SHA-256.
  2. Stop using VeriSign's G2 root certificate . In accordance with industry standards, PayPal will no longer accept secure connections that require the VeriSign G2 root certificate for trust verification. Only secure connection requests that expect the G5 root certificate to sign our certificate / chain of trust will result in secure connections of success.

For detailed information on these changes, see the vendor security system change guide (localized versions are attached below). For a basic introduction to Internet security, we also recommend these short videos about SSL certificates and public-key cryptography .

NOTE : These updates respond to a security change in the entire sector, and are not exclusive to PayPal. They will help you ensure the interaction of your website with the application programming interfaces (API) and the PayPal website.

This change has been completed as of October 18, 2016 .

NOTE : The clearest way to determine if your system is already compatible with the next requirements is to ask a web programmer or system administrator to test the integration using the PayPal test environment . An error in testing with the test environment indicates that you should review all of the following information and change the system environment.

Endpoints of the test environment: already available

The PayPal test environment endpoints have been configured with the latest security standards, to which the production endpoints will be migrated. You can use these endpoints to verify that your code meets the necessary standards before updating the production endpoints. These endpoints have been changed to the new 2048-bit SHA-256 certificates:

Production end points: already available

The following production endpoints have been changed to the new 2048-bit SHA-256 certificates:

For more information on these changes, see the vendor security system change guide (localized versions are attached below).

What has happened with SHA-1?

The decision to stop using the SHA-1 algorithm was ordered by CA / Browser Forum on October 16, 2014 .

Can I SIMULTANEOUSLY change the G5 root certificate and the SHA-256 certificate?

Yes. You must first confirm that the VeriSign G5 root certificate is in your keystore. If not, download it and add it. Next, change the SSL software to process SHA-256 certificates.

My systems require the installation of certificates in the keystore. Where can I get the new certificates that PayPal will implement?

The new certificates that will be implemented later this year can be consulted here , along with the production certificates in force.

How will I know if the changes affect my integration?

We have made changes in the environment of the testing environment prior to the activation of the next changes; this will allow you to verify your integration in the testing environment.

If you see these error messages or similar messages in the test environment, you must update your integration before making changes to our active environment.

Do I have to change my SDK?

No. However, you may need to verify that you are using the most recent version of the SDK . If not, follow the instructions provided to change the SDK. If you do not use a PayPal SDK, you should contact your external provider for help.

Although a change to the certificate should not be necessary, it might be necessary for TLS 1.2. For more information, see the TLS microsite .

How do I re-send an IPN that resulted in an error in the postback validation?

You can resend the IPN from your PayPal account. For detailed instructions, see the IPN Message Forwarding section on developer.paypal.com. Note: The IPN will not appear as an "error", because said IPNs were correctly delivered to your server; however, they have produced errors in the return (postback) to obtain the validation.

How do I test IPN in the environment of the testing environment?

See the section on IPN tests on developer.paypal.com, especially the section on testing in the test environment. For more help, you can open an application on the PayPal support page . In the product option, be sure to select "Security Changes (TLS / Certificate)" (Security Changes (TLS / certificate)), at the top of the list.

If you need more help, visit https://www.paypal-techsupport.com .

2015 Merchant Security System Upgrade Guide (Cross-borderSpanish) .pdf

2015 Merchant Security System Upgrade Guide (EUSpanish) .pdf

2015 Merchant Security System Upgrade Guide (EUPortuguese) .pdf

2015 Merchant Security System Upgrade Guide (USEnglish) .pdf


Rating: