Paypal changes TLS1.2

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Paypal changes TLS1.2

Post by jmestep » Wed Mar 21, 2018 2:24 am

A couple of our merchants have received this announcement from Paypal. Both sites are R12 SR1 and are set to use .net 4.6 in the web.config file.
Is there something AC needs to change in the source code?

Every day, hundreds of millions of people use PayPal to manage and move money online or on a mobile device. That is why one of our top priorities is to ensure both our customers and your customers have a safe, secure experience when transacting with PayPal. We are committed to providing the highest level of security to protect customer and transactional data and have been upgrading our systems to ensure we are processing on the latest and most secure protocols. One of those security protocol upgrades, in line with the Payment Card Industry (PCI) DSS mandate, is to the Transport Layer Security (TLS) cryptographic protocol, which requires TLS 1.2, no later than June 30, 2018.

Our records indicate your current PayPal integration is utilizing a version that is less than TLS 1.2. With the deadline for this security upgrade currently set at June 30, 2018, you will need to act immediately to upgrade your PayPal integration(s) to utilize TLS 1.2 cryptographic protocol PRIOR to this date.

Failure to upgrade your integration by June 30, 2018 will lead to an inability to connect to PayPal for processing customer transactions. For further information on the TLS 1.2 upgrade, please bookmark the TLS 1.2 Upgrade Microsite page and visit frequently to ensure you are armed with the most current information. You will also find information on the other merchant security upgrades on the 2017-2018 Merchant Security Microsite page.

Please note, over the next few months, PayPal will conduct several rounds of testing to emulate the upgraded security experience so merchants can understand the areas of their integration that still require security protocol upgrades. If you have already made the required upgrades as outlined on the 2017-2018 Merchant Security Microsite, your PayPal integrations will not be impacted. If you have not made the required upgrades, we encourage you to do so as soon as possible to avoid service interruption that may occur during our security upgrade testing activities. Dates for these tests and full deployment will be published on our Merchant Security Upgrade Testing page at least two weeks prior to implementation so please bookmark and return frequently for the most up to date information.

• Smoke test announcement, times, and endpoints found here: https://www.paypal-notice.com/en/Mercha ... e-Testing/

Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

compunerdy
Admiral (ADM)
Posts: 1283
Joined: Sun Nov 18, 2007 3:55 pm

Re: Paypal changes TLS1.2

Post by compunerdy » Wed Mar 21, 2018 2:39 am

Was trying to figure this out as well.. Paypal keeps sending me E-mails about it

TLS 1.2 and HTTP/1.1 Upgrade – Complete by June 30, 2017
Update Needed: Yes

But everything I test says I am upgraded so I am not sure.. I tried this on my server and it said it passed.

https://tlstest.paypal.com/

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: Paypal changes TLS1.2

Post by jmestep » Wed Mar 21, 2018 2:48 am

More info- one of the merchants has asked about this info:
https://www.paypal-notice.com/en/TLS-1. ... 1-Upgrade/

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Paypal changes TLS1.2

Post by jguengerich » Wed Mar 21, 2018 6:15 am

I'm guessing that would be covered by following these guidelines:
http://help.ablecommerce.com/index.htm# ... LS_1.2.htm
But, I don't use PayPal, so I can't say for sure.
Jay

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: Paypal changes TLS1.2

Post by jmestep » Wed Mar 21, 2018 9:51 pm

Jay,
I'm assuming TLS1.2 is OK since it is OK for UPS and Authorize.net after making AC suggested changes. Merchants are still concerned since Paypal is sending out these notices. It would just be reassuring to get confirmation from AC.

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: Paypal changes TLS1.2

Post by Katie » Wed Mar 21, 2018 11:34 pm

"Merchants are still concerned since Paypal is sending out these notices. It would just be reassuring to get confirmation from AC."

Honestly, it's hard for me to know why PayPal is sending out a notice to customers using Gold 12 SR1. I did some research last night and found AC8-3141: PayPal Security updates in effect on June 17th 2017.

http://help.ablecommerce.com/index.htm# ... atches.htm

Check out the above link. The original issue report was triggered by PayPal's TLS change to the sandbox environment. We decided at that time to upgrade the PayPal core DLLs, and so we supplied these patches via the page above. We also sent out notices through our technical news/support mailing list. This all happened around Sept. 2016.

All I know is that AbleCommerce doesn't force any specific TLS version. If it's working for UPS and Authorize.net, then I would also like to assume that it will work for Paypal. There is no reason it shouldn't, as long as the Paypal is up to date.

Thanks,
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
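
Added example, not part of the thread and not AbleCommerce code: when the application does not force a TLS version, the outbound protocol set comes from the .NET Framework defaults selected by the httpRuntime targetFramework value in web.config. The Python sketch below classifies a web.config on that basis; the sample configs are constructed, and the version thresholds are the documented .NET Framework defaults, assumed to apply to the site being checked.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real site).
SAMPLE_46 = """<configuration>
  <system.web>
    <compilation targetFramework="4.6" />
    <httpRuntime targetFramework="4.6" />
  </system.web>
</configuration>"""

# compilation is set but httpRuntime is absent: the runtime stays in 4.0 mode.
SAMPLE_MISSING = """<configuration>
  <system.web><compilation targetFramework="4.6" /></system.web>
</configuration>"""

# appSettings key that switches the 4.6+ strong-crypto defaults back off.
STRONG_CRYPTO_OFF = "AppContext.SetSwitch:Switch.System.Net.DontEnableSchUseStrongCrypto"


def parse_version(text):
    """Turn '4.6.1' into (4, 6, 1); return None for missing or malformed values."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except (AttributeError, ValueError):
        return None


def outbound_tls_default(web_config_xml):
    """Classify the default outbound protocol set implied by a web.config.

    Assumption: the code base never assigns ServicePointManager.SecurityProtocol,
    so the framework defaults are what actually applies.
    """
    root = ET.fromstring(web_config_xml)
    for add in root.findall("./appSettings/add"):
        if add.get("key") == STRONG_CRYPTO_OFF and (add.get("value") or "").lower() == "true":
            return "legacy: strong-crypto defaults disabled by AppContext switch"
    runtime = root.find("./system.web/httpRuntime")
    version = parse_version(runtime.get("targetFramework")) if runtime is not None else None
    if version is None:
        return "legacy: no usable httpRuntime targetFramework, 4.0-era defaults apply"
    if version >= (4, 7):
        return "system-default: protocol versions chosen by the operating system"
    if version >= (4, 6):
        return "tls12-enabled: default set is TLS 1.0, 1.1 and 1.2"
    return "legacy: default set is SSL 3.0 and TLS 1.0 only"
```

An explicit assignment to ServicePointManager.SecurityProtocol anywhere in the site's code overrides these defaults, and the Windows host must itself have TLS 1.2 enabled.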

tomk
Ensign (ENS)
Posts: 7
Joined: Fri Dec 06, 2013 12:50 pm

Re: Paypal changes TLS1.2

Post by tomk » Tue Jun 19, 2018 1:47 am

Hi – FYI I have been told by PayPal Tech Support that they will be testing the new security connections tomorrow 6/20/18 between 7:00 AM and 11:00 AM Pacific Time. Although we have been confirmed as being in compliance it will be nice to see some PayPal activity go through during that time period without any issues before the permanent conversion at the end of the month. If you do experience PayPal or PayFlow Pro issues during that time period then the TLS1.2 requirement would be something to check into.