Support » Plugin: WP eCommerce » Paypal Changes could break store

  • isay81

    (@isay81)


    Hello

    I received the following email a few days ago. Is WP ecommerce makeing the necessary changes to the plugin to make sure everything will work, or is this something each merchant is required to do? If we are required to do it, please help!

    Global security threats are constantly changing, and the security of our merchants continues to be our highest priority. To guard against current and future threats, we are encouraging our merchants to make the following upgrades to their integrations:
    1.Discontinue use of the VeriSign G2 Root Certificate
    2.Update your integration to support certificates using the SHA-256 algorithm

    For detailed information on these changes, please reference the Merchant Security System Upgrade Guide. For a basic introduction to internet security, we also recommend these short videos on SSL Certificates and Public Key Cryptography.

    NOTE: The information below is in response to an industry-wide security upgrade and is not unique to PayPal. These updates will help secure your website’s interaction with the PayPal website and Application Programming Interface (API). Not all merchants are required to make these changes. Please ensure you are prepared for this event by consulting with your technology team, website vendor or individual(s) responsible for your PayPal integration.

    VeriSign G2 Root Certificate Upgrade Timeline

    In accordance with industry standards, PayPal will no longer accept secure connections that are signed by the VeriSign G2 Root Certificate.

    Please note that the following rollout dates are subject to change. We recommend that you check back for updates.

    February 18, 2015 – Complete
    •api.sandbox.paypal.com
    •svcs.sandbox.paypal.com

    February 24, 2015 – Complete
    •api-3t.sandbox.paypal.com
    •api-aa.sandbox.paypal.com
    •api-aa-3t.sandbox.paypal.com

    March 31, 2015
    •pointofsale.paypal.com

    June 19, 2015
    •api.paypal.com
    •svcs.paypal.com

    August 19, 2015
    •api-3t.paypal.com
    •api-aa.paypal.com
    •api-aa-3t.paypal.com

    SHA-256 SSL Certificate Upgrade Timeline

    PayPal is upgrading SSL certificates on all Live and Sandbox endpoints from SHA-1 to the stronger and more robust SHA-256 per the following timeline.

    Please note that the following dates are subject to change. We recommend that you check back for updates.

    February 18, 2015 – Complete
    •www.sandbox.paypal.com

    March 4, 2015 – Complete
    •pointofsale.sandbox.paypal.com

    March 19, 2015 – Complete
    •cr.cybercash.com

    April 8, 2015
    •pilot-payflowpro.paypal.com
    •pilot-plcc.payflow.paypal.com
    •pilottbv4proxy.vps.paypal.com
    •pilot-payflowprointernal.paypal.com

    July 8, 2015
    •payflowpro.paypal.com
    •payflowpro.verisign.com
    •payflowprointernal.paypal.com
    •plcc.payflow.paypal.com
    •tbv4proxy.vps.paypal.com

    July 15, 2015
    •cr-payflow.verisign.com
    •payflow.verisign.com

    July 22, 2015
    •vps-ipn.paypal.com
    •tb-vps-ipn.vps.paypal.com

    September 1, 2015
    •pointofsale.paypal.com

    September 15, 2015
    •posprivatevpn.paypal.com
    •posprivatevpn-api.paypal.com
    •posprivatevpn-api-3t.paypal.com
    •posprivatevpn-svcs.paypal.com

    Q1 2016 (Tentative)
    •api.sandbox.paypal.com
    •svcs.sandbox.paypal.com
    •api-3t.sandbox.paypal.com
    •api-aa.sandbox.paypal.com
    •api-aa-3t.sandbox.paypal.com

    Q2 2016 (Tentative)
    •api.paypal.com
    •svcs.paypal.com
    •api-3t.paypal.com
    •api-aa.paypal.com
    •api-aa-3t.paypal.com

    http://WWW.PAYPAL.COM – SSL Certificate Upgrade Timeline

    PayPal is upgrading SSL certificates on http://www.paypal.com per the following timeline.

    Please note that the following dates are subject to change. We recommend that you check back for updates.

    March 23, 2015 – Complete
    •www.paypal.com (intermediate change)

    September 30, 2015
    •www.paypal.com (SHA-256)

    FAQs

    Q. What is the SHA-256 rollout schedule?

    To avoid service interruption, your clients must support SHA-256 by mid-2016.

    Q. How do I know if my integration is affected?

    We are making changes to the Sandbox environments prior to any Live changes, so you can verify your integration against the Sandbox. If you see these or similar error messages in the Sandbox environment, you will need to update your integration before we make changes to our Live environment (per the timeline above).
    •“Unable to find valid certification path to requested target”
    •“SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled”
    •“alert handshake failure”
    •“Problem with the SSL CA cert (path? access rights?)”

    Q. Do I need to update my SDK?

    No, however, you may want to verify that you are using the latest version of your SDK. If not, follow the instructions provided to update your SDK. If you are not using a PayPal SDK, then you will need to contact your third-party provider for assistance.

    Q. How do these updates affect the new optimized API endpoint (api-s.paypal.com)?

    If you really want to future-proof your integration, try our optimized API endpoints – api-s.paypal.com (Live) and api-s.sandbox.paypal.com (Sandbox) – which already support G5 Trusted Root Certificates and SHA-256. For details, see the following overview and requirements.

    Q: What is the status of PayPal Sandbox used for integration testing?

    Currently, PayPal Sandbox endpoints have been upgraded to accept secure connections signed by the G5 Root Certificate. We will be modifying the Sandbox to use SHA-256 prior to upgrading the production environment to allow merchants ample time to test their integration. The date(s) surrounding this modification will be published when confirmed.

    https://wordpress.org/plugins/wp-e-commerce/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Doesn’t look like you have received any response thus far. It if helps, you could try another solutions such as this one I wrote about: best merchant rates from my own use.

    If not, good luck.

    This discussion is also taking place here:
    https://wordpress.org/support/topic/paypal-upgrade

    Edward

    (@edwardinstinct)

    Hi all… There is nothing that needs to be done with the store plugin. We do not bundle certificates with our gateways. The notice is a general notice sent to all Paypal users but is directed at those using point of sale and integrated systems. The methods the store uses are not affected..

    If there were anything that needed to be done it would be server related and not plugin related.

    Hope this helps

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Paypal Changes could break store’ is closed to new replies.