- This topic has 12 replies, 5 voices, and was last updated 6 years, 10 months ago by
.
-
Posts
-
PayPal is making some IPN and other changes to their system. If you have received an email about it then don’t panic.
Our plugins are ALWAYS kept upto date. You will always have access to a fully working version of the plugin that just works.
PayPal IPN Changes
As of right now, we are using the latest IPN handling code taken from PayPal’s PHP code library. If you have any doubt, just load a fresh new copy of the plugin to make sure you are using the updated PayPal IPN verification code:
https://support.tipsandtricks-hq.com/forums/topic/re-install-or-load-a-fresh-build-of-the-plugins
Regarding the SSL Certificate
SSL certificate is NOT required for our standard PayPal checkout option (the default option of eStore plugin). So if you are not using an SSL certificate now, then nothing to worry (nothing to do for you).
If you are using an SSL certificate on your site then ask your hosting provider to make sure it is “SHA-256” compatible. Decent hosting companies should give you the correct SSL certificate. So not much to worry here.
Our notice is telling us that our “IPN Verification Postback to HTTPS” needs to be changed. Does this not have to be done if we are using eStore?
Well that’s great! I just received that email.
More great support from Tips and Tricks
One follow up question: Will we need to update WP eStore to the latest version before the Paypal deadline on 16th Sept 2016 to make sure Payments will still work.
The email I got from Paypal specifically said that their testing indicated that our integration was not compliant with “IPN Verification Postback to HTTPS”.
Thanks
John
If you need to do anything, you will hear from us before the deadline.
All of our plugins use the HTTPS URL of PayPal for IPN postback. We use the following URL:
I have just looked up their PHP library code for IPN handling and we are using the latest one.
If anything needs to be changed, we will use any updated code provided by PayPal to do the verification. So this is a non-issue.
We are an official PayPal partner so we will get notified from PayPal for sure.
Nicely done; excellent work to see pro-active communication in advance on questions related to this issue…
Great info – glad you wrote about this.
It says a change is required for the IPN verification issue – so I guess this just means I need to make sure I am using the latest version of eStore?
Also – while unrelated to eStore, it is telling me they are unable to determine “if my systems are SHA-256 compatible”. Seems to be something related to SSL.
Does this mean we now need to have SSL in place in order to even use paypal on a site?
Thanks for your help!
B
Yes, if you use a current version of eStore, you have nothing to worry about.
SSL certificate is NOT required for our standard PayPal checkout option (the default option of eStore plugin). So if you are not using a SSL certificate now, then nothing to worry (nothing to do).
If you are using a SSL certificate on your site then ask your hosting provider to make sure it is “SHA-256” compatible.
Good Morning and Happy new Year,
I’m sure you guys have this in hand, but just so you are aware, I just (December 21st.) received the attached from PayPal:
As you can see they are still saying that we need to update to HTTPS for IPN post back.
It seems that this is not just a generic email, but that they are saying that our particular integration needs an update.
We are running the latest versions: WPES 8.0.1 and Payment Gateway 2.2.7
Best
John
<<<<<PAYPAL MAIL>>>>
John Harries,
Every day, hundreds of millions of people use PayPal to manage and move money online or on a mobile device. That’s why one of our top priorities is to ensure our customers have a safe, secure experience when transacting with PayPal.
This year, we’ve made a number of upgrades to the PayPal system enabling us to continue providing the highest level of security available for customers. Throughout 2018, we will continue to upgrade our security protocols to the highest levels of protection available, which includes moving all of our systems to TLS 1.2, an enhanced security protocol that encrypts customer data over the Internet. We also announced several new security requirements for merchants who use PayPal, to ensure they do their part to protect sensitive customer data, as well.
Our records indicate that you still need to make critical security upgrades to your systems. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures as soon as possible.
Change Change Required?
Merchant API Certificate Credential Upgrade No
TLS 1.2 and HTTP/1.1 Upgrade No
IPN Verification Postback to HTTPS Yes
Discontinue Use of GET Method of Classic NVP/SOAP No
If you have not made the necessary changes by the date specified, you won’t be able to accept payments with PayPal until you do so. But most importantly, failure to make these upgrades will put your customers’ sensitive personal and financial data at risk.
How do I make these changes?
More information on the required changes and how to implement them can be found on our Merchant Security Road Microsite:
• 2016-2017 Merchant Security Roadmap
• TLS1.2 and HTTP/1.1 Upgrade Roadmap
• IPN Verification Postback to HTTPS
• Discontinue Use of GET Method for Classic NVP/SOAP API’s
• Merchant API Certificate Credentials Upgrade
If you need additional support with these changes, we encourage you to contact your web hosting company, ecommerce software provider, in-house web programmer or system administrator.
As a leading payment provider, we’re committed to continually building and investing in the strongest protections possible. Thank you for your support and for helping us maintain the highest security standards for all of our shared global customers.
If you have any questions or concerns, please contact your account manager.
No changes required as far as our plugins are concerned (our plugin already posts data back to PayPal’s HTTPS URL for IPN verification).
However, if you are using a website without SSL certificate (so if you are using a non-https URL for the Thank you page and IPN URL) then you should contact PayPal support and verify that your site doesn’t need to use HTTPS URLs.
Hi Admin,
Thanks for coming up. We are fully HTTPS, so I think I’m good, but I will double check. Thanks for the guidance.
Good Morning,
Seems like all I had to do was change our site address in PayPal’s IPN screen to HTTPS from HTTP. I have forgotten that I set it that way back several years ago before we went SSL.
Sorry, I should have checked this before bothering you.
Anyway, seems like PayPal are going to insist on SSL for IPN come July 2018.
Best
John
- You must be logged in to reply to this topic.