Merchants who use PayPal on their websites need to take action, as PayPal will end support for SSL v3 on December 3, 2014. PayPal Chief Technology Officer James Barrese posted a message for sellers on the PayPal blog, letting them know of the deadline.
“In an earlier blog post we stated our intention has always been to disable SSL v3 as quickly as reasonably possible,” Barrese wrote. And he said any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before December 3rd “to avoid an interruption in their ability to accept payments with PayPal.”
PayPal initially expected to disable SSL v3 days after the vulnerability was exposed. Barrese had explained in an October 14th post that the vulnerability enabled cyber criminals to gain access to connections considered secure, and he said PayPal would completely remove support “in the coming days.”
But in Monday’s blog post, Barrese said PayPal had been hard at work to mitigate any potential impact to consumer and merchant customers. “We recognize and regret that upgrading their PayPal integration may be challenging for some of our merchant customers at this busy time of year. The decision to extend our support of SSL v3 for a few more weeks was made with these merchants and the safety of our customers’ accounts in mind.”
He also said PayPal had account protections in place and will cover 100% of unauthorized transactions if an account is ever compromised.
PayPal has published an online guide with instructions on how merchants can upgrade their integration – merchants can access the guide by typing “Poodle” or “SSL” in the search box of the PayPal Technical Support site.
The full announcement is found on the PayPal blog.