PayPal upgrading SSL Certificates in 2015-2016

If you're using PayPal for handling payments, you'll soon be receiving an email from them to advise that they're upgrading their SSL certificates, and pointing to this document for reference: https://www.paypal-knowledge.com/infocenter/index?page=content&id=FAQ1766

WHAT ACTION DO I NEED TO TAKE?
The Zen Cart software is not affected by these changes.

But if you haven't applied the 2014 POODLE update then you should do that immediately.

However, we have THREE RECOMMENDATIONS:
1. It is recommended that you upgrade to at least Zen Cart v1.5.4 to make future adjustments much simpler; and

2. EVEN IF YOU DON'T USE SSL ON YOUR STOREFRONT, to communicate with any payment service DOES require that your server have a working SSL infrastructure in the back-end. This is almost always already present, but isn't always up-to-date. So, you should still CHECK YOUR WEBSERVER for compatibility with the new SHA-256 certificate technology which will be required by most web services in 2015. At the very least you need to be using a minimum Apache version of 2.0.63 (if you're using Apache. If you're using IIS, talk to your server admin to fix that), and OpenSSL 0.9.8o or newer (v1.1.x is better).

3. If you use SSL on your storefront, test your site's SSL here: https://www.ssllabs.com/ssltest/ and have your hosting company fix all issues so that you get an "A" grade. (While an "A" itself isn't mandatory for the purposes of PayPal or Zen Cart, any issues preventing you from getting an "A" deserve investigation by someone who understands such matters. Hopefully your hosting company is well versed in that area. If not, that's a revealing piece of information to consider when renewing your hosting services.) We recommend you aim for an "A" rating, just to minimize possible issues (again, not specific to PayPal or Zen Cart), and make your site compatible with as many browsers as possible while providing the best security and insulating against all known threats due to improper configuration.

FOR THE TECHNICALLY-INTERESTED:
PayPal's update is occurring in 2 stages: A VeriSign G2-to-G5 Root Certificate Upgrade, and then a SHA-256 SSL certificate.

And, strictly speaking, those changes have NO IMPACT on the PHP code used in Zen Cart. But they do affect underlying server technologies used on your webserver.

1. VeriSign Root Certificate Upgrade:
We've already tested Zen Cart against the PayPal sandbox, which is already using the Verisign G5 Root Certificate, and it works fine. But that's because the webservers we tested on already have the Verisign G5 Root Certificate authority files installed. Your host can help you with this. See the link below.

2. SHA-256 SSL certificate
According to their announcement as of the date of this post, PayPal isn't updating the "api-3t.paypal.com" endpoint (used in Zen Cart v1.3.x and v1.5.x) until June 2016 (and sandbox too, so we can't test that just yet; nevertheless, it's a server config thing, not a Zen Cart thing).
But in 2015 there is a big push for all webservers to start using SHA-256 SSL certificate chains. As such, you should ensure that your hosting company properly updates your server's SSL certificate store.

a) PayPal offers some advice for your hosting company here: 2015 Merchant Security System Upgrade Guide (U.S. English).pdf

b) And you can also ask your hosting company to fix any SSL problems reported for your site as mentioned in #3 above.