Why do I need to upgrade my system to TLS 1.2?
The Payment Card Industry Security Standards Council (PCI) issued a new security standard that must be implemented by June 26, 2018. By this date, all entities must stop using Secure Sockets Layer (SSL)/ early Transport Layer Security (TLS) as a security control in their systems and completely transition to a secure version of TLS encryption protocols, such as TLS 1.2. You can read more about the security standards on the PCI website.
When does the upgrade need to be completed by?
Action required by June 26, 2018.
If your PayPal integration uses an older encryption protocol, you must upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 26, 2018.
How do I upgrade to TLS 1.2?
Here's how to upgrade and test your system:
- Visit our security website to view the requirements.
- If your website is hosted by a third-party, work with your web hosting company or ecommerce software provider. Otherwise, please contact your in-house web programmer or system administrator to make these updates.
- Use our testing environment to confirm that your servers support the latest security standards. The testing environment will present a "PayPal_Connection_OK" message if you’ve completed the server update correctly. Note that you must test your API using your server, not your web browser.
*Note for merchants using a downloaded shopping cart: Whoever hosts the connection to PayPal is required to meet the PCI-DSS encryption requirements. We encourage you to contact your web host or a developer to evaluate your compliance with our encryption requirements, and then take the appropriate steps to address any potential vulnerabilities.
Before June 26, 2018, PayPal will conduct weekly test to emulate the upgraded security experience. The testing dates are published on our security website.
These tests will help you understand the areas of your integration that still require security protocol upgrades. If your systems have been upgraded to support TLS 1.2, you shouldn’t be impacted during the testing periods. However, if your system integrations aren’t upgraded, you may experience interruptions to PayPal services, such as payment processing and reporting. Please be advised that each testing period could last several hours.
Make the necessary security protocol upgrades now to make sure you’re ready before the June 26, 2018 deadline. If you need additional support, please contact your web hosting company, ecommerce software provider, in-house web programmer, or system administrator.
What happens if I don't upgrade to TLS 1.2?
If you don't upgrade your integration by June 26, 2018, you may not be able to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business account.