Jump to content
MDDHosting Forums

PayPal and SSL technical changes


Kraken
 Share

Recommended Posts

PayPal sent me an email headlined "ACTION MAY BE REQUIRED: Important merchant integration upgrade information." It warns me "Because these changes are technical in nature, we advise that you consult with your partner, website vendor, or individuals responsible for your PayPal integration. They will be able to identify what, if any, changes are needed. If you do not have a technology team, we recommend you find one."

 

Hmm, I guess that means my web host since I buy my SSL cert through MDD. I'm not technical enough to understand anything more than that the tech requirements for SSL certs are changing. Specifically:

 

 

What security upgrades should I make to my integration in 2015-2016?

Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:

  1. Discontinue use of the VeriSign G2 Root Certificate. In accordance with industry standards, PayPal will no longer accept secure connections that are signed by the VeriSign G2 Root Certificate. Only secure connection requests that are expecting our certificate/trust chain to be signed by the G5 Root Certificate will result in successful secure connections.
  2. Update your integration to support certificates using the SHA-256 algorithm. PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 algorithm.

For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

 

My browser's certificate viewer gives me just enough info to be concerned -- I see "PKCS #1 SHA-1 With RSA Encryption"

 

So for starters my questions are: (1) Is this a server-level thing or does it affect my private SSL cert? and (2) do I need to replace my cert before it expires in November?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...