Which security protocols are required to connect to PayPal?

Starting on June 26, 2018, PayPal will be making changes that may impact your ability to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business account. 

To ensure that all PayPal customers meet this standard, PayPal requires TLS 1.2 for all HTTPS connections and HTTP/1.1 for all HTTP connections. To increase merchants' awareness of this deadline, PayPal has been sending alerts through the following channels:

  • Reminder messages in emails and upon login to PayPal
  • Calls to selected merchants

In addition, you can find detailed information about the security upgrades in the TLS 1.2 and HTTP/1.1 Upgrade article, on PayPal's Merchant Security Upgrade Testing website, and on the PCI Security Standards Council site.

Here are answers to some commonly asked questions about upgrading:

Where can I find IPN and PDT sample scripts that comply with the HTTP/1.1 specification?
You'll find samples at GitHub and StackOverflow. If you're unfamiliar with this process or use a third-party shopping cart, contact the individual support channels for your cart to help facilitate any change that may be needed.

Why does HTTP 1.1 require the "Host" header?
Refer to this Internet address conservation whitepaper for further details.

What if I don't make these changes to my IPN/PDT scripts?
PayPal returns HTTP 400 to any request to www.paypal.com that does not include the "Host" header.

Where can I test my IPN/PDT scripts?
Run your tests in the PayPal Sandbox. The Sandbox is configured to return HTTP 400 to any HTTP requests without the "Host" header.
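
The following pre-flight check is an added example, not PayPal's own code: it builds a TLS 1.2-minimum client context and inspects the raw request an IPN/PDT script would send for the HTTP/1.1 request line and "Host" header described above. The function names, the `/cgi-bin/webscr` path and the sample body are assumptions made for illustration.

```python
import ssl

def make_tls12_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_postback(host, path, body):
    """Serialize an HTTP/1.1 POST that carries the mandatory Host header."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body

def check_request(raw):
    """Return the reasons a raw request would fail the HTTP/1.1 rules above."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    problems = []
    if not request_line.endswith(" HTTP/1.1"):
        problems.append("request line is not HTTP/1.1")
    hosts = [line.split(":", 1)[1].strip() for line in header_lines
             if line.lower().startswith("host:")]
    if not hosts:
        problems.append("missing Host header")
    elif len(hosts) > 1 or not hosts[0]:
        problems.append("Host header must appear once with a value")
    return problems

# Constructed samples: the path and body are illustrative, not taken from the page.
SAMPLE_BODY = b"cmd=_notify-validate&txn_id=SAMPLE123"
LEGACY = b"POST /cgi-bin/webscr HTTP/1.0\r\nContent-Length: 37\r\n\r\n" + SAMPLE_BODY
MODERN = build_postback("www.paypal.com", "/cgi-bin/webscr", SAMPLE_BODY)

if __name__ == "__main__":
    print("legacy:", check_request(LEGACY))
    print("modern:", check_request(MODERN))
    print("min TLS:", make_tls12_context().minimum_version.name)
```

Pass `make_tls12_context()` to the HTTPS client your script uses so that a runtime unable to negotiate TLS 1.2 fails at the handshake instead of silently downgrading.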