Is PayPal Occasionally Failing because of TLS Testing?
PayPal has announced that they will require the secure communications protocol — TLS 1.2 — by June 2018. However, they will be periodically testing on live stores starting in March* and continuing until the switch over. Here’s part of the message they are sending to their merchants:
Please note, over the next few months, PayPal will conduct several rounds of testing to emulate the upgraded security experience so merchants can understand the areas of their integration that still requiring security protocol upgrades. If you have already made the required upgrades as outlined on the 2017-2018 Merchant Security Microsite, your PayPal integrations will not be impacted. If you have not made the required upgrades, we encourage you to do so as soon as possible to avoid service interruption that may occur during our security upgrade testing activities.
Dates for these tests and full deployment will be published on our Merchant Security Upgrade Testing page at least two weeks prior to implementation so please bookmark and return frequently for the most up to date information.
Typically the requirement to only accept TLS 1.2 will last for about an hour. However, the timing of that hour can be during your busiest hours!
Am I Affected?
If you are using ShopSite version 12 sp2 r4 or greater (12 sp3 for Windows Servers) you are good to go.
The current release of ShopSite at the time of this post is version 14.0. Here’s what it looks like in version 12 at the bottom lower left of the screen.
This store would need to upgrade since it is running version 12 sp2 r2.3
In addition, PayPal is also emailing its merchants based on what their servers see when an order comes from your site. The emails typically have this information:
Our records indicate that you still need to make some critical security upgrades to your systems as well. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures by the date specified:
• TLS 1.2 and HTTP/1.1 Upgrade – Complete by June 2018
– Update Needed: No• IPN Verification Postback to HTTPS – Complete by June 2018
– Update Needed: No• Discontinue Use of GET Method for Classic NVP/SOAP API’s – Complete by June 2018
– Update Needed: No• Merchant API Certificate Credentials Upgrade – Complete by September 2018
• Please note that this may be completed earlier based on the expiration date of your certificate.
– Update Needed: Yes
In the above message, everything is good except for the API Certificate Credentials. The API Certificate is actually something that you need to do every 3 years (for PayPal Express or PayPal Payments Pro). You generate your cert on PayPal’s site and then copy it into ShopSite’s configuration screen for PayPal.
Because they do expire, we recommend that you switch to the API Signature Credentials instead. If you do switch you will need to delete the certificate on PayPal, generate the signature and then update the configuration in ShopSite. Either method can be used for validating your account.
Other Services Affected by TLS 1.2?
Authorize.Net, First Data, and UPS have recently made the switch over. View this kbase article to see what other service providers have announced switchover dates. Since the PCI (Payment Card Industry) deadline is June 30, 2018, everyone will be requiring TLS 1.1 or 1.2 by then.
For more on TLS and why it is being required and by whom, see this blog post.
*PayPal now says that testing will begin in April.
Thank you for giving this valuable information about PayPal. Everyone should know about this.
Please keep sharing.