IPN Verification Postback to HTTPS

If you are using PayPal’s instant Payment Notification (IPN) service, you will need to ensure that HTTPS is used when posting the message back to PayPal for verification. HTTP postbacks will no longer be supported.

Merchant Security Roadmap

The information that follows is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your e-commerce software provider
  • Your in-house web programmer/system administrator

In a Nutshell...

Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

To avoid any disruption of service, you must verify that your systems are ready for this change by June 2018.

To help merchants understand the areas of their integration that still require work we will conduct brief rounds of testing in April to demonstrate the upgraded security experience. For information, click Here.

What do I need to do?

Flow chart
NOTE:
In addition to requiring HTTPS, PayPal is also upgrading the security standards of all external endpoints. You should verify that your current systems support these requirements. More details can be found on the SSL and TLS microsites.

Technical Details

The ipnpb.paypal.com and ipnpb.sandbox.paypal.com endpoints only accept HTTPS connections. If you currently use www.paypal.com, you should move to ipnpb.paypal.com when you update your code to use HTTPS.

Ready Now

When used for IPN postbacks, www.sandbox.paypal.com will only accept HTTPS connections.

After June 2018

When used for IPN postbacks, www.paypal.com will only accept HTTPS connections.

FAQs

Why is PayPal making this change?

PayPal is upgrading all external endpoints used by merchants and partners to make programmatic connections. One of these changes is only allowing the use of HTTPS when connecting with PayPal systems to ensure that all information is securely transmitted. IPN messages contain sensitive information about your customers and their transactions that should only be passed securely.

What are the upgraded security standards that PayPal is moving to for all external endpoints?

PayPal is upgrading all of its external endpoints to the latest industry standards:

  • HTTP 1.1 or newer
  • HTTPS only
  • TLS 1.2 or newer only
  • 2048-bit, SHA-256 certificates signed with VeriSign’s G5 root

For more information, please reference the SSL and TLS microsites.

UPDATE

PayPal is committed to providing the highest level of security to protect customer and transactional data, and we work closely with our merchant community to do the same. In response to feedback from several merchants, PayPal did not strictly enforce some of these vital security upgrades prior to the June 2017 deadline. However, in order to provide the most secure experience for all of our customers, PayPal must proceed with implementing these upgrades in the first half of 2018. In early 2018, we will conduct brief rounds of testing which will emulate the upgraded security experience so that merchants can understand the areas of their integration that still require work. Dates for these tests and full deployment will be published on this site at least two weeks prior to implementation.