How PayPal helps keep you secure.

Apr 30 2018 | Alice Wong, Small business - North Americas, PayPal

Learn how everything we do around security aims to live up to our commitment that PayPal is the "secure way to pay and be paid." 
As a strategic business priority, we work hard every day to fight cybercrime, and we also invest heavily in trying to keep our sites and services as secure as possible. Here are just a few ways we help you stay secure:
 
1. PayPal security key.
Using the PayPal security key is optional, but it’s a highly recommended way to keep your account secure. The PayPal security key is a two-step authentication that sends you a one-time personal identification number (PIN), which is unique for each login session. You use this temporary code, and your password, to log in to your PayPal account. Activate your security key here.

2. Data encryption. 
End-to-end encryption is an important element in helping keep your data and PayPal transactions secure. Our team of security and compliance experts is dedicated to educating customers on industry standards, and implementing methods like:
  • Secure HTTPS connections and strong TLS configurations. When you register or log in to PayPal from your computer or mobile device, we make sure it’s a secure HTTPS connection (HSTS) with a strong TLS configuration*. Strong TLS configurations are the current industry standard for trusted communication channels and allow your information to be transmitted securely across the internet. Allowing only HTTPS connections also helps reduce your susceptibility to some passive and active attacks.
  • Key pinning. We implement key pinning when you access PayPal via an iOS or Android app. When your mobile device establishes a TLS connection, key pinning ensures it connects to a true PayPal server, instead of someone posing as us.
  • Data protection compliance. We comply with stringent requirements, such as PCI-DSS, for protecting data in transit and at rest. In addition to industry and regulatory encryption requirements, PayPal’s Information Security Policies and Controls are reviewed by independent third parties to the following industry standards and guidelines: American Institute of Certified Public Accountants SSAE16 SOC1, AT101 SOC2, Sarbanes-Oxley.

3. Email confirmations. 
Anytime you send or receive a PayPal payment, we'll send you an email to confirm the transaction. If you ever receive a confirmation email for a transaction you didn't make, let us know right away, and we'll launch an investigation.
 

Our security measures help protect your information, but you should also take some steps to beef up security. There are lots of ways you can be proactive about protecting yourself from the threat of malicious software.
 
You can access additional information about protecting your online security by reviewing our FAQs at the bottom of this page.
 

The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

*TLS 1.2 or higher by the end of June 2018.


Frequently asked questions.

The PayPal Secure FTP Server is a secure File Transfer Protocol (SFTP) server, provided to enable business partners and large merchants to programmatically retrieve results of PayPal processing in the form of output data, such as PayPal reports. You can get programmatic access to the server through any SFTP client of your choice, such as WinSCP, Cyberduck, or FileZilla.

Customers must apply for access to PayPal's secure FTP server, and once they have it, must create a unique user account.
  • If you have an Account Manager - Contact your PayPal Account Manager to sign up for access to the secure FTP server. Your Account Manager will send a notice to your primary email address when access has been granted.
  • If you don't have an Account Manager - Contact Merchant Support. Agents are available from 6:00 A.M. Central Time to 11:00 P.M. Central Time Monday through Friday, and 8:00 A.M. to 10:00 P.M. Central Time Saturday and Sunday.
  • Outside of the US  - Contact PayPal Technical Support via your local PayPal phone numbers.

Creating a secure FTP server user account
Here's how to create a secure FTP server user account once your SFTP access has been approved:
  1. Click the Settings icon next to "Log out."
  2. Click Account access under "Account & Security" on the left of the page.
  3. Click Update next to "Secure FTP."
  4. On the Secure FTP Server Users page, click Add.
  5. On the Security Measures page, confirm your identity by re-entering the full bank account number associated with your PayPal account, then click Submit.
  6. On the Create Secure FTP Server User page, choose a Name, Access Type and Password for your account. Agree to the Terms of Use, then click Create User.
  7. The Secure FTP Server Users page displays the new user information.
  • It can take up to 48 hours to create a Secure FTP Server user.
  • Once the user has been created and the Secure FTP Server is ready for use, PayPal sends an email message to the business partner’s primary email address.

Accessing reports via SFTP

The hostname of PayPal's SFTP server is reports.paypal.com. The server uses the following directory structure: ppreports/outgoing (to hold report files).

You'll find the file naming conventions for individual reports on the Secure FTP Server detailed in the Secure FTP Server Specification. This specification includes an excellent example of a UNIX shell script for retrieving reports.

What’s changing?
The Payment Card Industry Security Standards Council (PCI) issued a new security standard that must be implemented by June 26, 2018. By this date, all entities must stop using Secure Sockets Layer (SSL)/early Transport Layer Security (TLS) as a security control in their systems and completely transition to a secure version of TLS encryption protocols, such as TLS 1.2. You can read more about the security standards on the PCI website.

When does the upgrade need to be completed by?
Action required by June 26, 2018.
If your PayPal integration uses an older encryption protocol, you must upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 26, 2018.

How do I upgrade to TLS 1.2?
Here's how to upgrade and test your system:
  1. Visit our security website to view the requirements.
  2. If your website is hosted by a third party, work with your web hosting company or ecommerce software provider. *Otherwise, please contact your in-house web programmer or system administrator to make these updates.
  3. Use our testing environment to confirm that your servers support the latest security standards. The testing environment will present a ‘PayPal_Connection_OK’ message if you’ve completed the server update correctly. Note that you must test your API using your server, not your web browser.
*Note for merchants using a downloaded shopping cart: Whoever hosts the connection to PayPal is required to meet the PCI-DSS encryption requirements. We encourage you to contact your web host or a developer to evaluate your compliance with our encryption requirements, and then take the appropriate steps to address any potential vulnerabilities.
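
The server-side check in step 3 can be approximated with a short script run on the machine that hosts the connection to PayPal. This is an added example, not PayPal's code: the function names are illustrative and the hostname is a placeholder for the test endpoint listed on PayPal's security website.

```python
import socket
import ssl


def tls12_context() -> ssl.SSLContext:
    """Verifying client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def runtime_report() -> dict:
    """Describe the TLS stack this server uses for outbound API calls."""
    ctx = tls12_context()
    return {
        "library": ssl.OPENSSL_VERSION,
        "tls12_available": ssl.HAS_TLSv1_2,
        "minimum_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
    }


def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Attempt a TLS 1.2+ handshake and say at which stage it failed, if it did."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "stage": "certificate", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        # e.g. the peer or the local library cannot agree on TLS 1.2 or newer
        return {"ok": False, "stage": "handshake", "detail": exc.reason or str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "network", "detail": str(exc)}


if __name__ == "__main__":
    print(runtime_report())
    # Placeholder host: use the test endpoint listed on PayPal's security website.
    print(probe("tls-test.example.invalid"))
```

A "handshake" failure points at the local TLS library or its configuration, which is why the check has to run on the server rather than in a browser.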

Testing periods
Before June 26, 2018, PayPal will conduct weekly tests to emulate the upgraded security experience. The testing dates are published on our security website.

These tests will help you understand the areas of your integration that still require security protocol upgrades. If your systems have been upgraded to support TLS 1.2, you shouldn’t be impacted during the testing periods. However, if your system integrations aren’t upgraded, you may experience interruptions to PayPal services, such as payment processing and reporting. Please be advised that each testing period could last several hours.

Make the necessary security protocol upgrades now to make sure you’re ready before the June 26, 2018 deadline. If you need additional support, please contact your web hosting company, ecommerce software provider, in-house web programmer, or system administrator.

What happens if I don't upgrade to TLS 1.2?
If you don't upgrade your integration by June 26, 2018, you may not be able to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business Account.

 
PayPal Payments Standard is the easiest way to securely accept debit and credit cards, PayPal and PayPal Credit. It takes the hassle out of accepting payments online. You handle the sales. We handle everything from the checkout process to security and mobile compatibility. Plus:
  • No advanced programming is needed.
  • Your customers don’t need a PayPal account to pay you.
  • It’s optimized for customers on smartphones or tablets.
And unlike many full payment-processing solutions, PayPal Payments Standard has no application, setup or monthly fees, or long-term commitments. You start paying when you start selling.

What can I do with PayPal Payments Standard?

PayPal Payments Standard lets you accept credit and debit cards on your website or through an online marketplace such as eBay or Etsy. Buying is straightforward: We handle the checkout process and then send customers back to your site. Fees are a flat amount per transaction, so selling is just as simple. To see all discounts and fees, take a look at our fees page.

You can use PayPal Payments Standard to send invoices online too, so you can get paid sooner. For offline payments, you can add PayPal Here, a mobile payments solution, to your account to let you take payments on the go using your smartphone or tablet (alternate rates apply).

With PayPal Payments Standard, you’re also eligible to apply for the free PayPal Business Debit MasterCard®.

As with all of our payment solutions, PayPal Payments Standard helps protect your business with our Automatic Fraud Screening, industry-leading data security and reliable customer service.

Connect to PayPal is the new PayPal data integration app for QuickBooks. Built on Intuit’s staged transactions platform, Connect to PayPal brings detailed PayPal transaction data into the QuickBooks banking experience. The Connect to PayPal app is free for all QuickBooks customers, and can be found via the apps tab of QuickBooks Online or at apps.com.

Here’s how to get started.
  1. Click here to go to the Connect to PayPal app on Apps.com.
  2. Click Get App Now.
  3. You’ll go through the authorization process and be ready to go in a few clicks.  
You can conveniently transfer up to 18 months of PayPal transactions into QuickBooks. Connect to PayPal will also import your discounts, taxes, customer data, transfers, and PayPal expenses. And, with Connect to PayPal, you’ll see detailed sales information, including your PayPal fees, in your sales transactions.  



Want to learn more?  Go to the Connect to PayPal FAQ in the QuickBooks Learn and Support Center.