PayPal 2016 merchant security upgrades

A number of our customers have received the following correspondence from PayPal concerning a rollout schedule for security updates this year. We wanted to address how these changes may affect your CubeCart store.


We recently announced several security upgrades planned for this year, some of which will require you to make changes to your integration. You’re receiving this email because your integration may need to be changed to accommodate these security upgrades.  

What do I need to do? We’ve outlined the steps to take to ensure your integration is up to date. We’re letting you know about these changes now because we don’t want you to experience a disruption of service when they go into effect.

Step 1: Consult with someone who understands your integration. We encourage you to inform your technical staff of these upcoming changes. 

Step 2: Understand how these changes affect your integration. Here’s a list of the security changes we’re making in 2016. Please review and determine if these updates are required on your side.

Step 3: Get the technical details on these changes. Detailed information of each of the changes and a location to test your integration are available on our 2016 Merchant Security Roadmap Microsite. Select the hyperlinks in the chart for information about specific change events. 

Step 4: Make the appropriate changes by each “Act by” date*. It’s important to have your changes in place by the “Act by” date for each change event.

Step 5: Future-proof your integration. We recommend that you go through the Best Practices section on our 2016 Merchant Security Roadmap Microsite. 

Why is PayPal making these changes?

Protecting customer information is PayPal’s top priority. We support industry standards, such as crypto-industry’s mandate to upgrade SSL certificates to SHA-256, and the Payment Card Industry (PCI) Council’s TLS 1.2 mandate. We also surpass those standards by investing and building some of the finest protection available. By addressing these changes this year, we believe it helps future-proof your integration and reduce the need to invest in changing your integration in the near future.

If you have any questions as you work through these changes, visit our Help Centre by clicking Help on any PayPal page.

Thank you for your support of our commitment to maintain the highest security standards for all of our global customers.


Which milestones will affect my store?!

TLS 1.2 and HTTP/1.1 Upgrade - Deadline June 17, 2016 - Now extended to June 30, 2017
To make sure that your CubeCart store continues to operate as normal, please check that your web hosting is configured to have TLS 1.2 and HTTP 1.1 support. This can be done by looking at the "Server Info" or "PHP Info" area of your store's admin control panel. "OpenSSL" should have a value of 1.0.1 or higher. The screenshot below shows an example of what to be looking for. In this case the OpenSSL version is fine.

[Screenshot: Screen Shot 2016-03-14 at 08.15.58.png]

You can also test if TLS 1.2 is supported using a tool such as the SSL Server Test by Qualys. Visit: https://www.ssllabs.com/ssltest/

The screenshot below shows that HTTP 1.1 is also supported. 

[Screenshot: Screen Shot 2016-03-14 at 08.30.56.png]

IPN Verification Postback to HTTPS - Deadline September 30, 2016 - Now extended to June 30, 2017

PayPal send information about payments back to your store via postback notification. From September 30th 2016 PayPal will no longer send this information back to standard insecure (http protocol) URLs. This means that if you do not already have SSL configured in your store for secure padlocked (https protocol) pages, you will need to enable this. This has to be done in two stages:

  1. You'll need to source an SSL certificate. This is something that can normally be purchased from your web hosting company. It may be possible to save money by sourcing your own from somewhere like https://www.ssls.com but please check with your hosting company that SSL purchased from a 3rd party can be used. We are in no way affiliated to or associated with "Namecheap Inc" who operate ssls.com.
  2. SSL will need to be enabled in CubeCart. For CubeCart version 5 and version 6 this can be done via the SSL tab in the settings section of your store's admin control panel.

How can I test my store will be ok before the deadlines?

PayPal have already made these security changes to their testing "Sandbox" environment. We recommend creating a sandbox account at https://developer.paypal.com and switching your PayPal module to Sandbox mode from your CubeCart admin control panel. It is then possible to make test purchases to check that payments work and order statuses update from "Pending" to "Processing" automatically.

That's it! No other changes should be of concern. Please be sure to contact our technical support staff if you are unsure at all.

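The checks described in the post above (OpenSSL 1.0.1 or higher, plus TLS 1.2 and HTTP 1.1 support) can also be run as a script on the web host. This is an added example, not part of the original post and not CubeCart or PayPal code; the file name, the optional URL argument and the sample version strings are assumptions constructed for illustration.

```php
<?php
// Added example, not CubeCart or PayPal code.
// Usage on the web host: php tls_check.php [https-url]  (file name is made up)

// true/false: the string names OpenSSL and the version is / is not >= 1.0.1.
// null: another TLS library (NSS, GnuTLS, ...); only a handshake can tell.
function openssl_ok($text)
{
    if (!preg_match('~OpenSSL[ /](\d+\.\d+\.\d+)~', $text, $m)) {
        return null;
    }
    return version_compare($m[1], '1.0.1', '>=');
}

// Request $url with cURL pinned to TLS 1.2 and HTTP/1.1.
// Returns '' on success, otherwise cURL's error message.
function probe_tls12($url)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_NOBODY         => true,  // headers only
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate validation on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        // 6 is libcurl's number for TLS 1.2, for PHP builds without the constant
        CURLOPT_SSLVERSION     => defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6,
    ));
    return curl_exec($ch) === false ? curl_error($ch) : '';
}

$rows = array(
    // Constructed samples in the formats "PHP Info" uses
    'sample: old host'    => 'OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008',
    'sample: fine'        => 'OpenSSL 1.0.1e-fips 11 Feb 2013',
    'sample: not OpenSSL' => 'NSS/3.19.1 Basic ECC',
    // What this PHP build actually links against
    'PHP openssl ext'     => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'not loaded',
    'cURL TLS library'    => function_exists('curl_version') ? curl_version()['ssl_version'] : 'not loaded',
);
foreach ($rows as $label => $text) {
    printf("%-20s %-40s %s\n", $label, $text, var_export(openssl_ok($text), true));
}

if (isset($argv[1]) && function_exists('curl_init')) {
    $err = probe_tls12($argv[1]);
    echo $err === '' ? "TLS 1.2 + HTTP/1.1 request OK\n" : "Request failed: $err\n";
}
```

A `NULL` in the last column means cURL is built against a TLS library other than OpenSSL, so the version number on the "PHP Info" page cannot answer the question and the handshake probe is the check to rely on.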