PayPal SHA-256 Security Update Sept 2015

[buildingblocks]

ooo, I never saw that post. Thanks. The cart is version 1.3.9. so we may be out of luck on this one.......

I am pretty certain that this depends upon what version of ZenCart you are using
Refer to the support doc here
https://www.zen-cart.com/showthread....ort-Life-Cycle

[buildingblocks]

Paypal has been sending out these announcements again over the past couple of days and I've received several questions. I don't mean to beat this subject to death but another question please; for older carts that are using paypal express and do not have an ssl certificate installed, Will not having a patch for the minor changes you mention cause checkout to not work anymore? I'm thinking that if an ssl certificate is not in use, not having the patch will not be an issue. The issue will arise if the store owner decides to install an ssl cert. Just wanting to be certain.

I realize keeping carts current is always preferable and that is what I recommend but I want to answer correctly on this question.

There will be only a couple VERY MINOR changes needed to Zen Cart (and will be included in v1.5.5) ... but you WILL need to work with your hosting company to ensure your server is capable of the modern TLS 1.2 security communications requirements.

[lat9]

@buildingblocks, the way I read the PayPal notification, come June if a store doesn't utilize an SSL certificate, that store's not going to be able to use PayPal payment methods.

[mc12345678]

Sigh.

No, having a private SSL certificate on your domain is NOT a requirement for a Zen Cart store to operate with PayPal Express Checkout, including the Summer/Fall 2015 SHA-256 changes PayPal is making.

But a storeowner who is serious about customer engagement and customers feeling comfortable shopping there and that the storeowner actually cares about their security will happily install a private dedicated SSL certificate to their store. The annual cost of a private SSL certificate is so low nowadays that there's very little justification to not do it.

@buildingblocks, the way I read the PayPal notification, come June if a store doesn't utilize an SSL certificate, that store's not going to be able to use PayPal payment methods.

Based on the information provided earlier/above, unless something has changed, I think it is important to identify the difference between a store having a SSL to use for customer's logging onto the store versus the server that is hosting the store and it's communication with paypal... I state this also using information posted after Drbyte's post above indicating the requirements that PayPal. Are putting on the service that is reaching out to PayPal. It doesn't appear to reference how a customer accesses the sales site.

[lat9]

I'll note that DrByte's comment was made in September of 2015, and that the communication from PayPal appears quite clear.

From https://www.paypal-knowledge.com/inf...&locale=en_US:

PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2016. You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates. For information, click HERE.

Act by June 17, 2016

[DrByte]

Paypal has been sending out these announcements again over the past couple of days and I've received several questions. I don't mean to beat this subject to death but another question please; for older carts that are using paypal express and do not have an ssl certificate installed, Will not having a patch for the minor changes you mention cause checkout to not work anymore? I'm thinking that if an ssl certificate is not in use, not having the patch will not be an issue. The issue will arise if the store owner decides to install an ssl cert. Just wanting to be certain.

I realize keeping carts current is always preferable and that is what I recommend but I want to answer correctly on this question.

The majority of the requirements to meet these changes PayPal is talking about (and indeed the entire payment industry) have VERY LITTLE to do with having an "SSL certificate for your domain name".
But they DO have EVERYTHING to do with ensuring that the server's SSL/TLS capabilities for doing external communications over CURL/OpenSSL/etc to be up-to-date using modern versions and modern components.
More about that here: https://www.zen-cart.com/entry.php?8...Back-and-Front and also in the links PayPal has been sending out. Tell your server administrator to take care of upgrading the server's TLS and HTTP infrastructure to modern standards.

[buildingblocks]

Thanks, everyone for your input.