X-Cart: shopping cart software


Anna_Shvetsova 04-25-2017 05:35 AM

PayPal 2016-2017 Merchant Security Roadmap
 
Hi friends,

We get multiple requests from X-Cart Classic (4.x) users regarding PayPal security requirements that are coming into effect soon and may impact the ability to accept payments in your store. So we’ve prepared this quick summary of the requirements and actions you should take to make sure your X-Cart supports the changes.

TLS 1.2 – Act by June 30, 2017
Affected versions: 4.2.2 - 4.6.4
Impact: Inability to accept online payments in your store.
Solution: Get detailed instructions here. Most likely, you’ve already fixed the issue, as we announced the update back in 2014.

HTTP/1.1 Upgrade Microsite – Act by June 30, 2017
Affected versions: 4.5.4 and older
Impact: Inability to accept online payments in your store.
Solution: Get detailed instructions here. As in the previous point, we think you’re all set here, but if you’re not sure, we can help you find out.

IPN Verification Postback to HTTPS Microsite – Act by June 30, 2017
Affected versions: All versions
Impact: Payment processing in your store won’t break down after the update; however, PayPal recommends applying the patch in order to increase the security of PayPal IPN requests.
Solution: Apply the patch paypal-https-IPN-2017-04-25_4.x.x.tgz to start accepting IPN requests from PayPal by an HTTPS secure endpoint.

Discontinue Use of GET Method for Classic APIs Microsite – Act by June 30, 2017
This requirement has no impact on your online store, so there is nothing to do about it.

Merchant API Certificate Credentials Upgrade Microsite – Act by January 1, 2018
Affected versions: All X-Cart versions, but only if it’s the API certificate that you use as the PayPal authentication method.
Impact: Inability to accept online payments in your store.
Solution: Generate a new certificate following the instructions here. Or switch to the API signature authentication method in your PayPal account and update the PayPal settings in your store back-end.

Need help? We are happy to assist. Ask your questions here or create a ticket in your Help Desk account to request the patches application.
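
An added illustration, not X-Cart's patch and not code from this thread: a PHP (7+) cURL example of an IPN verification postback that satisfies the three transport items in the announcement above (HTTPS endpoint, TLS 1.2, HTTP/1.1). The endpoint URL and the `cmd=_notify-validate` / `VERIFIED` exchange come from PayPal's IPN documentation rather than this page, and the function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, endpoint per PayPal's IPN docs.
const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

function ipn_postback_options(string $rawBody, string $url = IPN_VERIFY_URL): array
{
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        throw new InvalidArgumentException('IPN postback endpoint must be HTTPS');
    }
    return [
        CURLOPT_URL            => $url,
        CURLOPT_POST           => true,
        // Echo the received message back unchanged, prefixed with the validate command.
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // TLS 1.2 (a floor on current libcurl)
        CURLOPT_SSL_VERIFYPEER => true,                    // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                       // and the host name in it
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,         // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ];
}

function verify_ipn(string $rawBody): bool
{
    $ch = curl_init();
    curl_setopt_array($ch, ipn_postback_options($rawBody));
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // Fail closed: transport errors, non-200 replies and "INVALID" all reject the message.
    return $reply !== false && $status === 200 && trim($reply) === 'VERIFIED';
}

// Constructed sample message; a real listener reads file_get_contents('php://input').
$sample = 'txn_id=EXAMPLE123&payment_status=Completed&mc_gross=10.00';
echo ipn_postback_options($sample)[CURLOPT_POSTFIELDS], PHP_EOL;
try {
    ipn_postback_options($sample, 'http://ipnpb.paypal.com/cgi-bin/webscr');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The top-level lines only build and print the request options, so the script runs without network access; a listener would call `verify_ipn()` with the raw request body before acting on the payment status.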

Ostrofpro 06-05-2017 11:09 AM

Re: PayPal 2016-2017 Merchant Security Roadmap
 
Do you have to have an SSL cert to complete transactions through PayPal now?

cflsystems 06-05-2017 11:11 AM

Re: PayPal 2016-2017 Merchant Security Roadmap
 
SSL has always been a requirement for operating an ecommerce website. You simply cannot have any website running without SSL if you collect any type of customer personal and/or financial data.
So yes - it is a requirement.

Ostrofpro 06-05-2017 12:06 PM

Re: PayPal 2016-2017 Merchant Security Roadmap
 
If you are using PayPal as a payment terminal then you never had to have an SSL to complete a transaction because you were not directly collecting financial information. It is my understanding that on June 30th 2017 PayPal is starting to REQUIRE an SSL to complete a payment. I also ask because of your comment above saying that 'Impact: Payment processing in your store won’t break down after the update'.

cflsystems 06-05-2017 12:38 PM

Re: PayPal 2016-2017 Merchant Security Roadmap
 
Quote:

Originally Posted by Ostrofpro
If you are using PayPal as a payment terminal then you never had to have an SSL to complete a transaction because you were not directly collecting financial information....


This is absolutely not true. Common misunderstanding of what SSL does and why it is there.
It doesn't matter if you collect payment data on your site or somewhere else - all pages dealing with personal or financial data must be https. How are your customers going to log in to the store? Or create an account? Or checkout?
They provide personal data - name, address, phone, etc. not to mention username/password.
All these data must be protected.

And to add more to this - Google, and I am sure other SEs, started to flag sites not using SSL for the whole site as insecure, and this is visible to customers.

SSL is not an option. It is mandatory unless you have a blog site without asking customers to provide any info.


All times are GMT -8.