PayPal sent a notice to merchants who use its service on their websites and storefronts, informing them that they might have to take action as it upgrades various SSL certificates. It explained that over the course of 2015 and 2016 it would be taking steps to strengthen the SSL certificates across all of its sites.
“The changes include upgrading the signing algorithm and version of the root certificate we support. This effort will allow PayPal to further protect our valued customers from current and future security threats.”
To guard against current and future threats, it’s advising merchants to make the following upgrades to their PayPal integrations:
- Discontinue use of the VeriSign G2 Root Certificate.
- Update your integration to support certificates using the SHA-256 algorithm.
PayPal advised merchants to get up to speed and to test in its Sandbox environment to make sure their integrations work. It provided information on this page, along with this guide, which includes advice on how to securely connect using a supported VeriSign G5 Root Certificate.
Zen-Cart offered advice for its merchants, explaining how the change impacts them. Among its recommendations:
“Even if you don’t use SSL on your storefront, to communicate with any payment service DOES require that your server have a working SSL infrastructure in the back-end. This is almost always already present, but isn’t always up-to-date. So, you should still check your webserver for compatibility with the new SHA-256 certificate technology which will be required by most web services in 2015.”