Which security protocols are required to connect to PayPal?

As of June 30, 2018, the Payment Card Industry (PCI) Security Standards Council requires that all e-commerce companies upgrade to TLS 1.2 to ensure a secure environment for encrypted customer and payment information. If merchants don't make the necessary changes by June 30, they'll lose their ability to complete payment transactions.

To ensure that all PayPal customers meet this standard, by June 30 PayPal requires TLS 1.2 for all HTTPS connections and HTTP version 1.1 for HTTP connections. To increase merchants' awareness of this deadline, PayPal has been sending alerts through the following channels:

  • Reminder messages in emails and upon login to PayPal
  • Calls to selected merchants

In addition, you can find detailed information about the security upgrades at TLS 1.2 and HTTP/1.1 Upgrade, at PayPal's Merchant Security Upgrade Testing website, and the PCI Security Standards Council site.

Here are answers to some commonly asked questions about upgrading:

Where can I find IPN and PDT sample scripts that comply with the HTTP 1.1 specification?
You'll find samples at GitHub and StackOverflow. If you're unfamiliar with this process or use a third-party shopping cart, contact the individual support channels for your cart to help facilitate any change that may be needed.

Why does HTTP 1.1 require the "Host" header?
Refer to this Internet address conservation whitepaper for further details.

What if I don't make these changes to my IPN/PDT scripts?
PayPal returns HTTP 400 to any requests to www.paypal.com without the "Host" header in the HTTP request.

Where can I test my IPN/PDT scripts?
Run your tests in the PayPal Sandbox. The Sandbox is configured to return HTTP 400 to any HTTP requests without the "Host" header.
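
A local pre-flight check for the two requirements above (a "Host" header on an HTTP/1.1 request, and TLS 1.2 as the minimum), shown as an added example that is not one of PayPal's sample scripts. The `/cgi-bin/webscr` path and the `cmd=_notify-validate` prefix are assumptions taken from PayPal's IPN documentation rather than from this page, and the sample messages are constructed.

```python
import ssl
from urllib.parse import urlsplit

# Assumed endpoint for illustration; this page names only the host www.paypal.com.
POSTBACK_URL = "https://www.paypal.com/cgi-bin/webscr"

def tls12_context():
    """Client context that refuses to negotiate anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def build_postback(url, ipn_body):
    """Return the raw HTTP/1.1 request bytes for an IPN verification postback."""
    parts = urlsplit(url)
    body = b"cmd=_notify-validate&" + ipn_body
    head = (
        f"POST {parts.path or '/'} HTTP/1.1\r\n"
        f"Host: {parts.hostname}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body

def preflight(raw_request):
    """List the problems that make a request non-compliant with HTTP/1.1."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    problems = []
    if not lines[0].endswith(" HTTP/1.1"):
        problems.append("request line is not HTTP/1.1")
    hosts = [line.split(":", 1)[1].strip() for line in lines[1:]
             if line.lower().startswith("host:")]
    if len(hosts) != 1 or not hosts[0]:
        problems.append("exactly one non-empty Host header is required")
    return problems

# Constructed sample inputs, not real PayPal traffic.
SAMPLE_IPN = b"txn_id=EXAMPLE123&payment_status=Completed"
LEGACY_REQUEST = b"POST /cgi-bin/webscr HTTP/1.0\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(preflight(build_postback(POSTBACK_URL, SAMPLE_IPN)))
    print(preflight(LEGACY_REQUEST))
```

Pass `tls12_context()` to whatever HTTPS client the script uses; a handshake with a peer that cannot do TLS 1.2 then fails instead of silently downgrading.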