How PayPal helps keep you secure.

Apr 30 2018 | Alice Wong, Small business - North Americas, PayPal

Learn how everything we do around security aims to live up to our commitment that PayPal is the "secure way to pay and be paid." 
As a strategic business priority, we work hard every day to fight cybercrime, and we also invest heavily in trying to keep our sites and services as secure as possible. Here are just a few ways we help you stay secure:
 
1. PayPal security key.
Using the PayPal security key is optional, but it’s a highly recommended way to keep your account secure. The PayPal security key is a two-step authentication method: in addition to your password, it sends you a one-time personal identification number (PIN) that is unique to each login session. You enter this temporary code together with your password to log in to your PayPal account. Activate your security key here.

2. Data encryption. 
Encrypting data in transit and at rest is an important element in helping keep your data and PayPal transactions secure. Our team of security and compliance experts is dedicated to educating customers on industry standards, and to implementing methods like:
  • Secure HTTPS connections and strong TLS configurations. When you register or log in to PayPal from your computer or mobile device, the connection is made over HTTPS, enforced by HTTP Strict Transport Security (HSTS), with a strong TLS configuration*. A strong TLS configuration is the current industry standard for a trusted communication channel and lets your information travel across the internet encrypted and authenticated. Allowing only HTTPS connections also reduces your exposure to passive eavesdropping and to active attacks such as protocol downgrade and connection hijacking.
  • Key pinning. We implement key pinning when you access PayPal through our iOS or Android apps. When your mobile device establishes a TLS connection, the app checks that the server’s public key matches a set of keys it already trusts, so it connects only to a genuine PayPal server and not to someone posing as us, even if an attacker presents a certificate that was wrongly issued.
  • Data protection compliance. We comply with stringent data protection requirements for data in transit and at rest, such as PCI DSS. In addition to industry and regulatory encryption requirements, PayPal’s Information Security Policies and Controls are reviewed by independent third parties against the following industry standards and guidelines: American Institute of Certified Public Accountants SSAE16 SOC1, AT101 SOC2, and Sarbanes-Oxley.
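As an added illustration, and not PayPal's own code, the following Python sketches the client-side building blocks behind the three controls above: a TLS client configuration that refuses anything below TLS 1.2, a parser and strength check for the Strict-Transport-Security header a site sends, and the SubjectPublicKeyInfo (SPKI) pin check that a pinning mobile app performs after the TLS handshake. The SPKI bytes and the pinned values are constructed placeholders (a structurally valid Ed25519 SPKI with an all-zero key); real pins would be derived from PayPal's certificates, which this example does not contain.

```python
"""Added example (not PayPal's code): hardened TLS client context, HSTS header
parsing, and SPKI public-key pinning. All inputs below are constructed."""
import base64
import hashlib
import hmac
import ssl

# Constructed placeholder: a DER SubjectPublicKeyInfo for an Ed25519 key
# (OID 1.3.101.112) whose 32 key bytes are all zero. It stands in for the
# SPKI you would extract from a server certificate; it is not a real key.
SAMPLE_SPKI = b"\x30\x2a\x30\x05\x06\x03\x2b\x65\x70\x03\x21\x00" + bytes(32)


def hardened_client_context() -> ssl.SSLContext:
    """Client SSLContext implementing the 'strong TLS configuration': TLS 1.2
    or higher only, server certificate required and hostname verified."""
    ctx = ssl.create_default_context()             # system CAs, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0, 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797).
    Returns {} when max-age is missing or non-numeric, since a browser
    would ignore such a header and stay downgrade-able."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return {}
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def hsts_is_strong(header: str, min_age: int = 31536000) -> bool:
    """True when the policy is valid, covers subdomains and lasts >= one year
    (the usual bar for preload-list submission)."""
    policy = parse_hsts(header)
    return bool(policy) and policy["max_age"] >= min_age and policy["include_subdomains"]


def spki_pin(spki_der: bytes) -> str:
    """Pin value in the form used by HPKP and Android network security config:
    base64(SHA-256(SubjectPublicKeyInfo DER)). Pinning the key rather than the
    whole certificate survives routine certificate renewal with the same key."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_matches(spki_der: bytes, pinned: set) -> bool:
    """Accept the server key only if its SPKI hash is in the pinned set.
    Deployments keep at least one backup pin so a key rotation cannot lock
    every client out; compare_digest keeps the comparison constant-time."""
    actual = spki_pin(spki_der)
    return any(hmac.compare_digest(actual, candidate) for candidate in pinned)


if __name__ == "__main__":
    # Demo on constructed data: the pinned set holds the sample key's pin plus
    # a (constructed) backup pin; a key with a different SPKI is rejected.
    pins = {spki_pin(SAMPLE_SPKI), "constructed-backup-pin="}
    print("TLS floor:", hardened_client_context().minimum_version.name)
    print("HSTS strong:", hsts_is_strong("max-age=31536000; includeSubDomains; preload"))
    print("pin ok:", pin_matches(SAMPLE_SPKI, pins))
    print("rogue key ok:", pin_matches(SAMPLE_SPKI[:-1] + b"\x01", pins))
```

In a live client, `spki_der` comes from the peer certificate returned by `SSLSocket.getpeercert(binary_form=True)`, which still needs an ASN.1 parser (or a library such as `cryptography`) to extract the SubjectPublicKeyInfo; that step is deliberately left out here so the example runs offline. The pin check must run after, not instead of, normal chain validation: pinning narrows the set of acceptable keys, it does not replace the CA check.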
3. Email confirmations. 
Anytime you send or receive a PayPal payment, we'll send you an email to confirm the transaction. If you ever receive a confirmation email for a transaction you didn't make, let us know right away, and we'll launch an investigation.
 

Our security measures help protect your information, but you should also take some steps to beef up security. There are lots of ways you can be proactive about protecting yourself from the threat of malicious software.
 
You can access additional information about protecting your online security by reviewing our FAQs at the bottom of this page.
 

The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

*TLS 1.2 or higher by the end of June 2018.


Frequently asked questions.

Yes. Your organization is responsible for ensuring that PCI standards are met for all electronic donations, regardless of dollar amount or number of transactions. However, if your organization uses PayPal Payments, much of the PCI burden shifts to PayPal, because all financial transactions take place on PayPal’s secure servers. For PayPal transactions, your organization won’t have access to, or be responsible for, sensitive transactional data.
PayPal Payments Standard is the easiest way to securely accept debit and credit cards, PayPal and PayPal Credit. It takes the hassle out of accepting payments online. You handle the sales. We handle everything from the checkout process to security and mobile compatibility. Plus:
  • No advanced programming is needed.
  • Your customers don’t need a PayPal account to pay you.
  • It’s optimized for customers on smartphones or tablets.
And unlike many full payment-processing solutions, PayPal Payments Standard has no application, setup or monthly fees, or long-term commitments. You start paying when you start selling.

What can I do with PayPal Payments Standard?

PayPal Payments Standard lets you accept credit and debit cards on your website or through an online marketplace such as eBay or Etsy. Buying is straightforward: We handle the checkout process and then send customers back to your site. Fees are a flat amount per transaction, so selling is just as simple. To see all discounts and fees, take a look at our fees page.

You can use PayPal Payments Standard to send invoices online too, so you can get paid sooner. For offline payments, you can add PayPal Here, a mobile payments solution, to your account to let you take payments on the go using your smartphone or tablet. (alternate rates apply).

With PayPal Payments Standard, you’re also eligible to apply for the free PayPal Business Debit MasterCard®.

As with all of our payment solutions, PayPal Payments Standard helps protect your business with our Automatic Fraud Screening, industry-leading data security and reliable customer service.

EMV is a global payment standard that puts a microprocessor chip into debit and credit cards, making them less vulnerable to fraud for in-person transactions: the chip produces a unique cryptogram for each transaction, so data copied from one payment cannot simply be replayed to make another, as it can with a magnetic stripe. Because EMV offers better data security, this standard is being adopted in the United States.

The PayPal Chip Card Reader is now available for purchase and can be used to accept payments from chip cards, swipe cards with magnetic stripes, and contactless NFC.

Get the new PayPal Chip Card Reader here.

 
Magento has announced that it is ending support for all versions of its Magento 1 ecommerce platform, including all future quality fixes and security patches, as of June 30, 2020.

You must migrate to Magento 2 or another platform before June 30, 2020, if you are currently integrated with Magento 1.
 
Consequences of not migrating:
  • Increased risk of data breaches, with possible damage to your brand and reputation.
  • Becoming an easy security target, because known vulnerabilities will remain exploitable with no upgrade or security patch available to close them.
  • Falling out of compliance with Payment Card Industry Data Security Standards (PCI DSS). These global standards are set by card entities and apply to all merchants that process payments.
Requirement 6 of the PCI DSS requires merchants to "develop and maintain secure systems and applications by installing applicable vendor-supplied security patches." Without future security patches, Magento 1 merchants will no longer be able to meet this requirement, which could result in costly and time-consuming remediation.

This is not a PayPal-specific requirement. PCI DSS requirements apply to your integrations with card payment brands, such as Visa, MasterCard, American Express, Discover, JCB, and any other payment processor on the Magento 1 platform. Visa has stressed that urgent action is required for merchants to migrate from Magento 1 and advised merchants to be aware of their responsibilities in securing their environment to help prevent the loss of payment card data. 

Please review the Magento Commerce Software End of Support FAQ here.
 
Migrate now to Magento 2 or another Partner.
 

What do I need to do?

If you are currently using Magento 1, you must do one of the following by June 30, 2020:
  • Migrate to the Magento 2 platform, or
  • Migrate to another platform. See our Partners page for a list of system integrators and e-commerce solution providers.

FAQs

Q: Which versions of Magento 1 are impacted?

A: All versions of Magento 1 are impacted, including Magento Commerce 1 (formerly known as Enterprise Edition) and Magento Open Source 1 (formerly known as Community Edition).

Q: What happens if I continue using Magento 1 after June 30, 2020?

A: On July 1, 2020, your Magento 1.x platform will no longer be supported by Magento, which includes providing security patches critical to maintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS). The global PCI DSS standards require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” Because Magento is no longer providing security patches, your integration may become more vulnerable to attacks, potentially resulting in impacts on your brand reputation, as well as potential financial impact. 

Magento Association, a separate entity from Magento, has published the following links providing merchants additional information and resources around the call to action for the upcoming June 30th deadline.   
  1. Magento 1 EOL Blog Post 
  2. Magento 1 Post-EOL resources 

Q: If I get the security patches, does that mean I’m compliant? 

A: The security patches are one step toward PCI compliance, but applying them does not by itself make you compliant. We strongly encourage migration from Magento 1 before July 1.

Steps you can take to protect business continuity and reduce risk to your business and to cardholders include migrating off Magento 1 or, until you do, applying every available security patch, together with other actions such as passing PCI reviews with a Qualified Security Assessor (QSA).


Q: What is the cost of migrating to Magento 2?  

A: It depends on the size of your site and the complexity of the build.  We recommend reaching out to Magento. You may also contact System Integrators to discuss pricing options. 

 
Q: How long does it take to migrate to Magento 2 or a new platform?  

A: This depends on the requirements of your site and on the ecommerce platform you are moving to; a migration can take anywhere from a matter of weeks to several months. We recommend kicking off your migration project as soon as possible.
 

Q: What is the cost of the other platforms?  

A: It depends on the size of your site and the complexity of the functionality you want to develop.  You will need to contact the one that is the right fit for your business.  


Q: Does this only affect PayPal merchants?

A: No, all payment processing companies, including Visa, are following the same guidance and urgently advising their Magento 1 merchants to migrate to Magento 2 or another platform.

Q: How do I validate my PCI compliance?

A: The PCI Security Standards site provides a Self-Assessment Questionnaire (SAQ) that you can complete to validate your PCI compliance. One of the requirements of the SAQ form is to install vendor-supplied security patches within one month of release. Because Magento is no longer providing security patches after June 30, 2020, you will no longer be able to comply with Requirement 6, stating that you "develop and maintain secure systems and applications by installing applicable vendor-supplied security patches".

Q: Is there a chance the date will extend beyond June 30, especially given the COVID-19 situation?

A: No, Magento has already extended the deadline 18 months from November 2018 to enable merchants time to upgrade. Magento has confirmed that they will stop all support for Magento 1 as of June 30, 2020.

Q: If PayPal processes my card data, do I still need to comply?

A: Yes, even if you outsource part of your PCI DSS compliance to PayPal, you are still required to install security patches within one month of release, which will no longer be possible after June 30, 2020. In addition to these patches, merchants are responsible for meeting all requirements of their PCI DSS compliance.

Q: What resources are available to help me maintain PCI compliance?

A: PayPal has engaged with select System Integrator Partners to help you migrate to Magento 2.

Q: What are the alternate ecommerce solutions?

A: If you’re looking for alternate solutions, you can review our list of Ecommerce Solution Partners.

Q: Is PayPal providing migration support?

A: If you are based in the United States, you can apply for help to finance the move to Magento 2 Commerce Cloud through the Magento Migration Loan, a type of LoanBuilder Loan*, made available through PayPal.
* The lender for LoanBuilder Loan is WebBank, Member FDIC. This is an invitation to apply and not an offer or commitment to provide capital. Applicants must satisfy certain requirements to be eligible. WebBank is not affiliated with the offer to receive a full credit on the cost of financing and the credit is not part of your credit agreement with WebBank.

Q: What other resources are available?

A: You may find additional information from Magento at:
