Paypal SSL Changes

Discussion in 'Payments processing' started by jigsawtrading, May 21, 2015.

  1. jigsawtrading

    jigsawtrading aMember Pro Customer

    Joined:
    Sep 28, 2012
    Messages:
    24
    I appreciate that some phishing emails were going out warning of SSL changes at Paypal but I have received official emails from Paypal saying that they are making SSL changes. I have also discussed it personally with my Paypal account manager.

    The changes are as follows:

    I was wondering if the aMember system needed to change in any way for this and if so, when those changes would be implemented.

    Thanks

    Peter
  2. pjman

    pjman Member

    Joined:
    Oct 18, 2013
    Messages:
    51
    No changes needed to Amember. Just make sure your ssl certificate is running sha-2 and you are good to go.
  3. danscarr1

    danscarr1 New Member

    Joined:
    Oct 15, 2007
    Messages:
    1
    Hi folks,

    I hope I'm not breaking protocol by writing here but can you give details on where to find the ssl certificate and how to check the version?

    Thanks,
    Dan
  4. maylocnuoc

    maylocnuoc New Member

    Joined:
    Sep 16, 2015
    Messages:
    1
    Testing Your SSL Certificate Upgrade
    Any tests that are currently run against PayPal Sandbox endpoints will require a VeriSign G5 root certificate, so you can test your upgrades by making requests against the Sandbox environment by using the following steps:

    1. Swap out the live API credentials / API endpoints on the merchant application with the Sandbox credentials / API endpoints.
    2. If you receive a handshake error (e.g. “No trusted certificate found”), check the merchant keystore to see if the PayPal VeriSign G5 root certificate is present.
    3. If not, download the VeriSign Class 3 Public Primary Certification Authority – G5 root certificate, or download the endpoint-specific SSL certificates, and put these certificates in their keystore.
  5. alleycorp

    alleycorp Member

    Joined:
    Jan 7, 2014
    Messages:
    34
    I received a note recently from our payment processor along the lines of a PCI-DSS change that they will no longer support SSL or TLS 1.2 after 06/30/16. We're instead required to change to using TLS v 1.2.

    There does not appear to be any setting in the Configuration panel of aMember for security, at least none that I could find. We're currently running version 4.3.6 and have an upgrade planned in the coming weeks as we have a lot of customization done and custom plugins created that need to be accounted for and then tested. I did go through Alex's announcements on various updates and did not see anything regarding this new security requirement, at least not in the most recent upgrades.

    Below is the text of the notice we received. Any assistance on how to change our security to the latest requirement would be greatly appreciated.

    Please update your encryption method before June 30, 2016

    The new version of the Payment Card Industry Data Security Standard (PCI DSS), version 3.1 that was effective April 15, 2015, no longer considers Secure Socket Layer (SSL) and early versions of Transport Layer Security (TLS) strong forms of encryption to protect cardholder data.

    As a result of the update, businesses using SSL must either begin using TLS version 1.2 or create a risk mitigation plan with a timeline for when they will stop using SSL encryption or TLS 1.1 and lower versions. Modern web browsers already support TLS v1.2 or higher encryption.

    Here is what you need to do by June 30, 2016
    If you are not already using TLS version 1.2:
    - Visit pcisecuritystandards.org/security_standards/documents.php for help migrating to the updated version and to review a summary of the changes.
    - Update your server to accept the updated version if you manage and/or host your own web acceptance pages.
    - Contact your Approved Scan Vendor (ASV) and arrange a plan that shows a specific timeline for your migration. It should include the disabling of SSL by June 30, 2016.

    Here is what will happen if you do not migrate to TLS version 1.2 by June 30, 2016
    - You'll be considered PCI non-compliant.
    - Your required external quarterly vulnerability scans will fail.

    Here is what you should know about SSL encryption
    - Some card terminals that do not have the ability to support TLS v1.2 can continue to use SSLv3 after June 30, 2016.
    - We'll still support SSL until June 30, 2016 to prevent service interruption to businesses not ready to transition.
    - We'll notify you as we make the transition to the new encryption standard.
  6. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    2,295
    @alleycorp these security changes do not affect aMember at all. It is server stuff. There is a little possibility for issues if your web-hosting server has an outdated version of OpenSSL installed. Please contact your hosting support and ask about support for TLS v 1.2 on your server.
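A check a merchant can run against their own hosting server, covering pjman's SHA-2 advice, danscarr1's question about how to inspect the certificate, and caesar's note on TLS v1.2 support. This is an added example, not code from the thread or from aMember; it assumes the openssl command-line tool is installed and that the host name and port are passed as script arguments.

```shell
#!/bin/sh
# Added example (not from the thread or aMember): inspect a server's
# certificate signature algorithm and TLS 1.2 support with the openssl CLI.
# Usage: sh check_tls.sh host [port]   (port defaults to 443)

# Classify the "Signature Algorithm" line of `openssl x509 -noout -text`
# output. Prints sha2, weak (SHA-1/MD5) or unknown; exit status 0 only for sha2.
cert_sig_family() {
    alg=$(printf '%s\n' "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$alg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            echo sha2; return 0 ;;
        sha1*|md5*|ecdsa-with-SHA1)
            echo weak; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Exit status 0 when `openssl s_client` output shows a TLS 1.2 session was set up.
tls12_negotiated() {
    printf '%s\n' "$1" | grep -Eq '^ *Protocol *: *TLSv1\.2'
}

# Live check of one host: fetch the leaf certificate and classify its
# signature, then force a TLS 1.2-only handshake and see if the server accepts it.
check_server() {
    host=$1; port=${2:-443}
    cert=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -text 2>/dev/null)
    echo "certificate signature: $(cert_sig_family "$cert")"
    tls=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>/dev/null)
    if tls12_negotiated "$tls"; then echo "TLS 1.2: accepted"; else echo "TLS 1.2: refused"; fi
}

if [ -n "${1:-}" ]; then check_server "$1" "$2"; fi
```

A "weak" signature means the certificate should be reissued as SHA-2 by the CA; "TLS 1.2: refused" is the case to raise with the hosting provider, since it usually points at an outdated OpenSSL or web server configuration.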
  7. alleycorp

    alleycorp Member

    Joined:
    Jan 7, 2014
    Messages:
    34
    Thanks Caesar. I'll contact our hosting company on this.
