PayPal Security Changes

This month PayPal is implementing its latest security upgrades, and if you have systems (CiviCRM or otherwise) that integrate with the PayPal platform you may be affected.  Here's a summary of what's happening.

1) PayPal will now require all secure connections to use certificates signed with the "SHA-256" hash algorithm.  This will probably most affect users of the PayPal IPN service.  IPN is how PayPal sends transactions back to your system for automatic recording.

Here's how to check if you are ready for this change:

In a browser, go to your website using https (that is, an address beginning with https://).  In the address bar a little lock will be displayed.  Click that lock and examine the information displayed; you may need to explore a little bit to find it.  You should see "SHA-256" somewhere.  If you do, then you are ready.  If not, you probably need to upgrade your SSL certificate to one signed with SHA-256.

I think that all SSL certificates that have been issued in the past year will have this encryption so most everyone should be already good with this.

Also, you might not have an SSL certificate, in which case your browser either redirected you to http or displayed an error page.  Don't worry about that; it probably means you do not have SSL configured.  PayPal says this is acceptable and they will continue to work with you.

2) PayPal is also requiring connections to their platform to use only certificates with 2048-bit keys.  This is a bit complex to explain in a short blog post, but suffice it to say that there is most likely a file on your server called a 'ca-bundle'.  This file contains "root" certificates for the major providers of SSL certificates.  PayPal is requiring that this file include a root certificate from VeriSign called a G5 certificate.

How to make sure?  The simplest answer is to ask your hosting provider.  Most likely this G5 certificate is already there, but if you have been on a host server for some time, the ca-bundle may be out of date.  Adding the G5 certificate is simple, but you do need some technical expertise to do it.
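As an added example that is not part of the original post, here is a small POSIX shell script that performs both of the checks above with the openssl command line: it fetches the certificate your site presents, reports its signature algorithm, and scans a ca-bundle for the VeriSign G5 root. It assumes openssl is installed, that the bundle path is passed as the second argument, and that the G5 root is identified by the subject name in G5_CN (the script name paypal_check.sh is hypothetical).

```shell
#!/bin/sh
# Added example, not from the original post. Two checks with the openssl CLI:
#  - does a certificate (e.g. your site's) carry a SHA-256 signature?
#  - does a ca-bundle contain the VeriSign G5 root that PayPal expects?
# Assumed: openssl is on PATH; the G5 root's subject CN is the one below.
G5_CN="VeriSign Class 3 Public Primary Certification Authority - G5"

# Download the certificate your site presents on port 443 into a PEM file.
fetch_site_cert() {   # fetch_site_cert HOST OUTFILE
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Print the signature algorithm of a PEM certificate and succeed only if it
# is SHA-256 based (e.g. sha256WithRSAEncryption or ecdsa-with-SHA256).
cert_uses_sha256() {   # cert_uses_sha256 CERT.pem
    alg=$(openssl x509 -in "$1" -noout -text \
          | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    echo "signature algorithm: $alg"
    case "$alg" in
        sha256*|*SHA256*) return 0 ;;
        *) return 1 ;;
    esac
}

# List the subject of every certificate in a bundle (the crl2pkcs7/pkcs7
# round trip makes openssl walk all of them) and look for the G5 root.
bundle_has_verisign_g5() {   # bundle_has_verisign_g5 ca-bundle.crt
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | grep '^subject=' | grep -q -F "$G5_CN"
}

# Usage (saved as paypal_check.sh): sh paypal_check.sh www.example.org /etc/ssl/certs/ca-bundle.crt
if [ $# -eq 2 ]; then
    site_cert=$(mktemp)
    fetch_site_cert "$1" "$site_cert"
    cert_uses_sha256 "$site_cert" && echo "OK: SHA-256 certificate" \
        || echo "WARNING: certificate is not SHA-256 signed"
    bundle_has_verisign_g5 "$2" && echo "OK: VeriSign G5 root in bundle" \
        || echo "WARNING: VeriSign G5 root missing from $2"
    rm -f "$site_cert"
fi
```

The bundle check only looks for the root's name, so if your bundle is old it still tells you what to ask your hosting provider to add.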

Note: if your website is hosted on CiviHosting, no worries.  CiviHosting has assured me that both the above items are in place on their platform.

For more details on PayPal's changes, click here.
