PayPal Integration: I received an email from PayPal saying my integration security may need to be upgraded

  • Asked on March 21, 2016 at 01:19 PM


    I received an email from PayPal telling me that my integration security needs to be upgraded.

    I imagine you are already on this, but I need to be able to assure the powers above that this is taken care of.

    So, are you updating your PayPal integration to comply with its new security standards?


    Carl McCutchen

  • Answered on March 21, 2016 at 01:40 PM

    I found an article about PayPal. Our integration and our links work using a secure URL (HTTPS); this is recommended to capture users' data such as addresses, credit card information and other data that is very important to keep safe. Here is an article about it as well:

    If the email that you received mentions other standards, please let us know the details here, and we will ask our developers about this information.

  • Answered on March 21, 2016 at 01:51 PM

    Thanks for your prompt reply.

    Here is the email I received, or most of it:

    2016 merchant security upgrades

    We recently announced several security upgrades planned for this year, some of which may require you to make changes to your integration. You’re receiving this email because we’ve identified areas of your integration that may need to be upgraded.

    What you’re about to read is very technical in nature – we understand that. Please contact the parties responsible for your PayPal integration, or your third party vendor (for example, shopping cart provider, and so on) to review this email. They’re best positioned to help you make the changes outlined in this email and in the 2016 Merchant Security Roadmap Microsite.

    What do I need to do as a merchant?

    We’ve outlined the steps to take to ensure your integration is up to date. We’re letting you know about these changes now because we don’t want you to experience a disruption of service when they go into effect.

    Step 1: Consult with someone who understands your integration. We encourage you to consult with the parties that set up your integration, which could be a consultant or third party shopping cart. You may also need to find someone who can assist with making your integration changes.

    Step 2: Understand how these changes affect your integration. Based on our records, we’ve identified areas that require your attention. It’s not a complete list, but does provide changes we feel you need to make to be ready for the security upgrades.

    If the chart shows “Yes”, it means our records indicate that you may require changes to be compatible with that security upgrade. If you see a “No,” that means our data shows that you are already compliant or do not use that functionality.

    We want to call out that the information provided in this email may not reflect all the changes you need to make. Please assess your integration with the emphasis being on the items we’ve identified below:


    Change                                                    Do I need to make a change?
    SSL Certificate Upgrade to SHA-256                        Yes
    TLS 1.2 and HTTP/1.1 Upgrade                              Yes
    IPN Verification Postback to HTTPS                        No
    IP Address Update for PayPal Secure FTP Servers           No
    Merchant API Certificate Credential Upgrade               No
    Discontinue Use of GET Method for Classic NVP/SOAP APIs   No

    Step 3: Get the technical details on these changes. Detailed information of each of the changes and a location to test your integration are available on our 2016 Merchant Security Roadmap Microsite. Select the hyperlinks in the chart for information about specific change events.

    Step 4: Make the appropriate changes by each “Act by” date*. It’s important to have your changes in place by the “Act by” date for each change event.

    Step 5: Future-proof your integration. We recommend that you go through the “Best Practices” section on our 2016 Merchant Security Roadmap Microsite.

  • Answered on March 21, 2016 at 02:23 PM

    So far, I believe our developers should have already received the same email. But let me forward the email you received to them.

    You can check more information about the security protocol that we are using by clicking the green lock icon in the address bar in your browser.


    Based on what I know, our SSL uses 256-bit encryption and TLS 1.2. You can get further details as shown in the screenshot above. May we know if your payment/order form is embedded on a website that does not use the HTTPS or SSL protocol? That may be one reason for it, although I am not quite sure because the integration is actually directed on our form. Unless you are using an old form link that does not use HTTPS? Please share with us the website link to where the form is so that we can better check.

  • Answered on March 29, 2016 at 05:41 AM

    Hi Carl,

    We would like to inform you that our servers and integrations are already compliant with the security upgrades mentioned by PayPal.

    You do not need to do anything in regard to this email. Please let us know if you have any other questions or concerns.

    Best regards