TLS 1.2 and HTTP/1.1 Upgrade

PayPal is upgrading the protocols used to secure all external connections made to our systems. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal in 2018.

You will need to verify that your environment supports TLS 1.2 and HTTP/1.1, and if necessary make appropriate updates.

Merchant Security Roadmap

The information that follows is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your e-commerce software provider
  • Your in-house web programmer/system administrator

In a Nutshell...

Merchants and partners use HTTPS to securely connect with PayPal’s servers. We use the Transport Layer Security (TLS) protocol to encrypt these communications. To ensure the security of our systems and adhere to industry best practices, PayPal is updating its services to require TLS 1.2 for all HTTPS connections. At this time, PayPal will also require HTTP/1.1 for all connections.

To avoid any disruption of service, you must verify that your systems are ready for this change by June 30, 2018

White Paper:The Foundation for PayPal's June 2016 TLS 1.2 upgrade

Technical Details

Sandbox Endpoints - Ready Now

The PayPal Sandbox endpoints have been configured with the latest security standards to which the Production endpoints will be moving. You can use these endpoints to verify that your code supports the required standards prior to the Production endpoints getting updated. These endpoints only allow TLS 1.2 and HTTP/1.1 connections:

  • api.sandbox.paypal.com
  • api-3t.sandbox.paypal.com
  • api-aa.sandbox.paypal.com
  • api-aa-3t.sandbox.paypal.com
  • svcs.sandbox.paypal.com
  • pointofsale.sandbox.paypal.com
  • ipnpb.sandbox.paypal.com
  • www.sandbox.paypal.com

Payflow Pilot Testing Endpoints - Ready after February 28, 2017

The Payflow testing endpoints will only allow TLS 1.2 and HTTP/1.1 connections:

  • pilot-payflowpro.paypal.com
  • pilot-payflowlink.paypal.com
  • test-cr.cybercash.com

Production Endpoints - Ready after June 30, 2018

The Production endpoints will only allow TLS 1.2 and HTTP/1.1 connections:

  • api.paypal.com
  • api-3t.paypal.com
  • api-aa.paypal.com
  • api-aa-3t.paypal.com
  • svcs.paypal.com
  • pointofsale.paypal.com
  • ipnpb.paypal.com
  • www.paypal.com
  • payflowpro.paypal.com
  • payflowlink.paypal.com
  • xml-reg.paypal.com
  • payments-reports.paypal.com
  • cr.cybercash.com

Verify your systems at https://tlstest.paypal.com!

PayPal has created a new endpoint – https://tlstest.paypal.com – to help you verify that your systems can support the latest security standards. This endpoint supports all of the security standards to which the PayPal endpoints are moving.

  • On success: A successful connection to https://tlstest.paypal.com will return an HTTP 200 response with the following text in the body: "PayPal_Connection_OK"
  • On failure: One of the following errors will occur depending on what your system does not support:
    • HTTPS – tlstest.paypal.com will return an HTTP 400 response with the following text in the body:"ERROR! Connection is not HTTPS. Please use https://tlstest.paypal.com"
    • HTTP/1.1 - tlstest.paypal.com will return an HTTP 400 response with the following text in the body:"ERROR! Connection is using HTTP/1.0 protocol. Please use HTTP/1.1"
    • TLS 1.2 (SHA-256) - An SSL connection error will be thrown by your code.

For additional help, we have put together language-specific testing notes for common environments. We expect significant impact to Java environments, including Android. Other environments, including .NET, PHP, Ruby, Python and Node.js, may also be affected. For complete details, see:Language-Specific Testing Notes

FAQs

Will PayPal be changing its dates now that the PCI Council has changed its deadline?

Yes. As you may be aware, the Payment Card Industry Security Standards Council (PCI Council) recently extended the deadline payment processors have to make these changes from 2016 to 2018. To ensure we continue to set the bar in providing the highest security standards available while also accommodating the needs of our customers, PayPal has made the decision to move our date for requiring TLS1.2 to June 30, 2017.

What happened to the Temporary Sandbox Endpoints?

The following endpoints were made available for testing against the new standards before the Sandbox endpoints were updated. Now that the Sandbox endpoints have been updated, these test endpoints should not be used and will go away on February 29, 2016.

  • test-api.sandbox.paypal.com
  • test-api-3t.sandbox.paypal.com
  • test-svcs.sandbox.paypal.com
  • test-ipnpb.sandbox.paypal.com