PayPal has been sending out these announcements again over the past couple of days and I've received several questions. I don't mean to beat this subject to death but another question please; for older carts that are using PayPal Express and do not have an SSL certificate installed, will not having a patch for the minor changes you mention cause checkout to not work anymore? I'm thinking that if an SSL certificate is not in use, not having the patch will not be an issue. The issue will arise if the store owner decides to install an SSL cert. Just wanting to be certain.
I realize keeping carts current is always preferable and that is what I recommend but I want to answer correctly on this question.
@buildingblocks, the way I read the PayPal notification, come June if a store doesn't utilize an SSL certificate, that store's not going to be able to use PayPal payment methods.
Based on the information provided earlier/above, unless something has changed, I think it is important to identify the difference between a store having an SSL to use for customers logging onto the store versus the server that is hosting the store and its communication with PayPal... I state this also using information posted after DrByte's post above indicating the requirements that PayPal are putting on the service that is reaching out to PayPal. It doesn't appear to reference how a customer accesses the sales site.
I'll note that DrByte's comment was made in September of 2015, and that the communication from PayPal appears quite clear.
From https://www.paypal-knowledge.com/inf...&locale=en_US:
PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2016. You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates. For information, click HERE.
Act by June 17, 2016
The majority of the requirements to meet these changes PayPal is talking about (and indeed the entire payment industry) have VERY LITTLE to do with having an "SSL certificate for your domain name".
But they DO have EVERYTHING to do with ensuring that the server's SSL/TLS capabilities for doing external communications over CURL/OpenSSL/etc are up-to-date, using modern versions and modern components.
More about that here: https://www.zen-cart.com/entry.php?8...Back-and-Front and also in the links PayPal has been sending out. Tell your server administrator to take care of upgrading the server's TLS and HTTP infrastructure to modern standards.
Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
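The distinction drawn in this thread, between the store's own certificate and the server's outbound cURL/OpenSSL stack, can be checked from PHP without making any network connection. This is an added example, not code from Zen Cart, PayPal or any poster here; the helper names `tls12_capability` and `print_findings` are hypothetical, the sample version strings are constructed, and only an OpenSSL backend is classified.

```php
<?php
// Added example: inspects the TLS stack PHP's cURL uses for OUTBOUND calls.
// Makes no network connection. tls12_capability() is a hypothetical helper.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}

function tls12_capability($curlVersion, $sslVersion)
{
    $r = array('backend' => $sslVersion, 'backend_tls12' => null);

    // libcurl 7.34.0 added the option to request TLS 1.2 explicitly.
    $r['curl_can_pin_tls12'] = version_compare($curlVersion, '7.34.0', '>=');

    // Only OpenSSL is classified; TLS 1.2 support arrived in OpenSSL 1.0.1.
    // Other backends (NSS, GnuTLS, ...) stay null: ask the server administrator.
    if (preg_match('#^OpenSSL/(\d+\.\d+\.\d+)#', $sslVersion, $m)) {
        $r['backend_tls12'] = version_compare($m[1], '1.0.1', '>=');
    }
    return $r;
}

function print_findings($label, array $r)
{
    echo $label, "\n";
    foreach ($r as $key => $value) {
        echo '  ', $key, ': ', var_export($value, true), "\n";
    }
}

// Constructed version strings, to show both outcomes of the classification.
print_findings('sample: old stack', tls12_capability('7.19.7', 'OpenSSL/0.9.8e'));
print_findings('sample: newer stack', tls12_capability('7.47.0', 'OpenSSL/1.0.2g'));

if (!function_exists('curl_version')) {
    exit("PHP cURL extension is not loaded on this server.\n");
}

// The stack this PHP installation really uses for calls to a payment gateway.
$info = curl_version();
$live = tls12_capability($info['version'], $info['ssl_version']);
// Whether this PHP build exposes the constant needed to request TLS 1.2.
$live['php_has_tls12_constant'] = defined('CURL_SSLVERSION_TLSv1_2');
// Reported only for contrast: the store's own HTTPS status is a separate matter
// and does not feed into any of the results above.
$live['page_served_over_https'] =
    !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
print_findings('this server', $live);
```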
Thanks, everyone for your input.