Paypal SSL Changes

Discussion in 'Payments processing' started by jigsawtrading, May 21, 2015.

  1. jigsawtrading

    jigsawtrading aMember Pro Customer

    Joined:
    Sep 28, 2012
    Messages:
    10
    I appreciate that some phishing emails were going out warning of SSL changes at Paypal but I have received official emails from Paypal saying that they are making SSL changes. I have also discussed it personally with my Paypal account manager.

    The changes are as follows:

    I was wondering if the aMember system needed to change in any way for this and if so, when those changes would be implemented.

    Thanks

    Peter
  2. pjman

    pjman Member

    Joined:
    Oct 18, 2013
    Messages:
    37
    No changes needed to Amember. Just make sure your ssl certificate is running sha-2 and you are good to go.
  3. danscarr1

    danscarr1 New Member

    Joined:
    Oct 15, 2007
    Messages:
    1
    Hi folks,

    I hope I'm not breaking protocol by writing here but can you give details on where to find the ssl certificate and how to check the version?

    Thanks,
    Dan
  4. maylocnuoc

    maylocnuoc New Member

    Joined:
    Sep 16, 2015
    Messages:
    1
    Testing Your SSL Certificate Upgrade
    Any tests that are currently run against PayPal Sandbox endpoints will require a VeriSign G5 root certificate, so you can test your upgrades by making requests against the Sandbox environment by using the following steps:

    Swap out the live API credentials / API endpoints on the merchant application with the Sandbox credentials / API endpoints.
    If you receive a handshake error (e.g. “No trusted certificate found”), check the merchant keystone to see if the PayPal VeriSign G5 root certification is present.
    If not, download the VeriSign Class 3 Public Primary Certification Authority – G5 root certificate, or download the endpoint-specific SSL certificates, and put these certificates in their keystore.
  5. alleycorp

    alleycorp Member

    Joined:
    Jan 7, 2014
    Messages:
    34
    I received a note recently from our payment processor along the lines of a PCI-DSS change that they will no longer support SSL or TLS 1.2 after 06/30/16. We're instead required to change to using TLS v 1.2.

    There does not appear to be any setting in the Configuration panel of aMember for security, at least none that I could find. We're currently running version 4.3.6 and have an upgrade planned in the coming weeks as we have a lot of customization done and custom plugins created that need to be accounted for and then tested. I did got through Alex's announcements on various updates and did not see anything regarding this new security requirement, at least not in the most recent upgrades.

    Below is the text of the notice we received. Any assistance on how to change our security to the latest requirement would be greatly appreciated.

    Please update your encryption method before June 30, 2016

    The new version of the Payment Card Industry Data Security Standard (PCI DSS), version 3.1 that was effective April 15, 2015, no longer considers Secure Socket Layer (SSL) and early versions of Transport Layer Security (TLS) strong forms of encryption to protect cardholder data.

    As a result of the update, businesses using SSL must either begin using TLS version 1.2 or create a risk mitigation plan with a timeline for when they will stop using SSL encryption or TLS 1.1 and lower versions. Modern web browsers already support TLS v1.2 or higher encryption.



    Here is what you need to do by June 30, 2016
    If you are not already using TLS version 1.2:




    Visit pcisecuritystandards.org/security_standards
    /documents.php
    for help migrating to the updated version and to review a summary of the changes.




    Update your server to accept the updated version if you manage and or host your own web acceptance pages.




    Contact your Approved Scan Vendor (ASV) and arrange a plan that shows a specific timeline for your migration. It should include the disabling of SSL by June 30, 2016.



    Here is what will happen if you do not migrate to TLS version 1.2 by June 30, 2016




    You'll be considered PCI non-compliant.




    Your required external quarterly vulnerability scans will fail.


    Here is what you should know about SSL encryption




    Some card terminals that do not have the ability to support TLS v1.2 can continue to use SSLv3 after June 30, 2016.




    We'll still support SSL until June 30, 2016 to prevent service interruption to businesses not ready to transition.




    We'll notify you as we make the transition to the new encryption standard.
  6. caesar

    caesar aMember Pro Developer Staff Member

    Joined:
    Oct 16, 2009
    Messages:
    1,659
    @alleycorp these security changes do not affect aMember at all. It is server stuff. There is a little possibility for issues if your web-hosting server has an outdated version of OpenSSL installed. Please contact your hosting support and ask about support for TLS v 1.2 on your server.
  7. alleycorp

    alleycorp Member

    Joined:
    Jan 7, 2014
    Messages:
    34
    Thanks Caesar. I'll contact our hosting company on this.

Share This Page