Quite a few of our customers that operate eCommerce sites have emailed to ask if they need to be concerned about a message they received from PayPal regarding an upcoming security change. The message reads as follows:
REMINDER: ACTION MAY BE REQUIRED: Payflow service upgrades for merchants
Weâre contacting our merchants with a reminder about some important information in response to an industry-wide security upgrade which is not unique to PayPal. This change involves upgrading Secure Sockets Layer (SSL) certificates for payflowpro.paypal.com to the SHA-256 hashing algorithm in October 2015.
Because these changes are technical in nature, we advise that you consult with your partner, website vendor, or individuals responsible for your Payflow integration. They will be able to identify what, if any, changes are needed. If you do not have a technology team, we recommend you find one, and we can work with them to ensure you continue to process payments through your current integration with Payflow.
Full technical details can be found in our Merchant Security System Upgrade Guide. In addition, our 2015 SSL Certificate Change microsite contains a schedule of our service upgrade plan.
Questions can be directed to our Merchant Technical Services team on our Technical Support website. Click here for more information.
Thanks for your patience as we continue to improve our services.
For the most part, this isn't anything to be concerned about. This change has been coming for a while. Because of security concerns, the eCommerce industry in general is phasing out support for the old 1024-bit SSL (https) certificates (SHA-1) in favor of the newer 2048-bit certificates (SHA-256). Google Chrome is deprecating support for SHA-1 by the end of 2015, and all support for SHA-1 will be deprecated by the end of 2016.
If you have any concerns whatsoever that your site might have an old style SSL certificate, you can run a site check at http://www.networking4all.com/en/support/tools/site+check/. The site check reports on the security type and strength of the SSL certificate installed on your server.
