PayPal Change Affecting IPN: SHA-256 Compliance and Your Membership Website

If you’re using PayPal as a gateway on your membership site, below is some information about a September 2015 update that requires SHA-256 compliance. This affects all sites using PayPal for Instant Payment Notification (IPN) on a server that is not SHA-256 compliant.

It is very likely that your hosting company or server has already been updated to support these new security requirements. However, if you are using an SSL certificate on your site (and especially if it was installed more than a few months ago), you may need to have your certificate reissued.

Read on for more details on how to test your SSL certificate and server and what to do.


What should you do?

  1. If you have an SSL certificate on your site, make sure that it is SHA-256 encoded.

    You can use a tool like SSL Labs to test your SSL certificate. The certificate’s signature algorithm (labelled “encoding algorithm” in some tools) must be SHA-256 or stronger. If your certificate still uses a weaker algorithm, you will need to have it “reissued” and “reinstalled”. Both your SSL provider and host should do this for you free of charge.

  2. If you aren’t currently using an SSL certificate on your site, it appears that the PayPal IPN requests will still be sent over a non-SSL/HTTPS URL and this update wouldn’t apply.

    If you don’t have an SSL certificate on your site, you should be able to use PayPal Standard and Express without an SSL certificate just as you were before. No update is required.

  3. If you manage your own dedicated or virtual private server, upgrade your SSL software.

    If your server’s SSL software is out of date, it may be vulnerable to certain attacks that have been discovered in the past year. The instructions for updating your software will be different depending on your specific hosting environment and operating system. Follow up with the company you are leasing your server from or find documentation for your specific setup.
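The step 1 check can be scripted so it runs offline against any certificate you hold. The Python 3 script below is an added example, not part of the original post or of the Paid Memberships Pro plugin: it reads the outer signatureAlgorithm of a DER or PEM X.509 certificate and reports whether the signature hash is SHA-256 or stronger. The two sample certificates are constructed placeholders (a dummy body wrapped around a real AlgorithmIdentifier), and `your-site.example` is a placeholder hostname.

```python
import ssl

# Signature-algorithm OIDs (RFC 3279/4055/5758) -> (name, meets the SHA-256 requirement)
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", True),
}

# CONSTRUCTED samples: dummy tbsCertificate + real AlgorithmIdentifier + dummy signature.
SAMPLE_SHA256 = bytes.fromhex("3019 3003020101 300d06092a864886f70d01010b0500 030300abcd")
SAMPLE_SHA1 = bytes.fromhex("3019 3003020101 300d06092a864886f70d0101050500 030300abcd")

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID content bytes -> dotted string (arcs after the first pair are base-128)."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """OID of the outer signatureAlgorithm in Certificate ::= SEQUENCE {tbs, alg, sig}."""
    _, cert, _ = _tlv(der_cert, 0)
    _, _, after_tbs = _tlv(cert, 0)                  # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)             # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)

def is_sha256_compliant(cert):
    """True only for SHA-256 or stronger; unknown OIDs fail closed. Accepts DER bytes or
    PEM text, e.g. ssl.get_server_certificate(("your-site.example", 443))."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return SIG_ALG_OIDS.get(signature_algorithm(der), ("unknown", False))[1]
```

Run it against every certificate in your chain, intermediates included, since a weak signature anywhere below the root is what tools like SSL Labs flag.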


No update to the Paid Memberships Pro software or settings is required.

Any action required by these changes in PayPal’s infrastructure will need to be done at the hosting level.


NOTE: These updates are in response to an industry-wide security upgrade and are not unique to PayPal. They will help secure your website’s interaction with the PayPal website and Application Programming Interface (API). Not all merchants are required to make these changes. Please ensure you are prepared for this event by consulting with your technology team, website vendor or the individual(s) responsible for your PayPal integration.
PayPal

Read more about this update on the PayPal 2015-2016 SSL Certificate Change Microsite