Upcoming PayPal Security Upgrades

Good day,

Is CS-Cart ready for this?


Coming soon.

We understand how busy this time of year is for you. In addition to preparing for the holiday shopping season, you’re probably looking ahead to 2016. As you plan for next year, we want to share with you some security upgrades PayPal is making in the New Year. More importantly, we want to let you know why we’re making the upgrades and what the changes mean to you.

Why are security upgrades necessary?

The Payment Card Industry (PCI) Security Standards Council recently made changes to their Data Security Standards. These standards affect millions of businesses that handle credit card details, information, accept electronic payments or provide services to those businesses who do. The PCI Security Standards Council is strongly encouraging hosting providers, such as PayPal, to retire versions of a security standard called Transport Layer Security (TLS) that are older than version 1.2. The security standard TLS and its predecessor Secure Sockets Layer (SSL) are encrypted code designed to secure communications over a computer network.

These changes do not imply that our systems are not secure today. You can feel safe when using PayPal. We monitor every transaction, 24/7 to try to protect against fraud and identity theft. The purpose behind these industry-wide changes is to help ensure businesses remain protected against future vulnerabilities. Due to our strong commitment in maintaining high security standards for our customers, we value the PCI Council’s recommendation and have also identified other security changes that we’re enhancing next year.

What changes are being made and when?

The following are technical changes that may require some upgrades to your system. Please share this information with your development team or hosting provider.


Test Sandbox endpoints and tlstest.paypal.com are live.

New SFTP IP addresses are live.

Sandbox is issuing API Credential Certificates with new standard (2048-bit, SHA-256).

Jan 14, 2016

After this date, Sandbox API endpoints only support new standard (HTTP/1.1, TLS 1.2 and SHA-256 certificates).

This includes www.sandbox.paypal.com only accepting HTTPS for IPN Postbacks.

Jan 31, 2016

Production starts issuing API Credential Certificates with new standard (2048-bit, SHA-256).

Feb 29, 2016

Test Sandbox endpoints will be removed.

Mar 17, 2016

New SFTP IP addresses added to DNS for reports.paypal.com.

Apr 14, 2016

Old SFTP IP addresses removed from DNS for reports.paypal.com.

May 12, 2016

Old SFTP IP addresses stop working.

Jun 17, 2016

After this date, Production API endpoints will start moving to the new standard (HTTP/1.1, TLS 1.2 and SHA-256 certificates).

Sep 30, 2016

IPN postbacks to www.paypal.com only allow HTTPS.

Jan 1, 2018

All Certificate API Credentials must have been upgraded to the new standard.

To help you navigate through these technical changes, we created the 2016 Merchant Security Roadmap. The website offers detailed information about each of the upcoming changes, including dates when these changes are scheduled* and security best practices.

What do I need to do now?

While there’s still some time before these changes go into effect, here’s what you can do now. If you’re not using a hosted shopping cart or partner, please consider doing the following to prepare for these changes:

  1. Incorporate this work into your 2016 technology update plans by engaging with your technical or web development team.
  2. To see if you’re already compatible with these security upgrades, test your configuration in the PayPal Sandbox.

How do I know if I’m already compatible with these security upgrades?

You can test your system now! We’ve created new, temporary Sandbox endpoints that are configured with the latest security standards. Go to the PayPal 2016 Merchant Security Roadmap for easy-to-follow instructions on how to test endpoints in the Sandbox environment today.

If you’re not sure what upgrades your system may require, no worries – we’ve got that covered. We’ll write you again in January with more specific details about what these changes mean to your system. In the meantime, we encourage you to review the PayPal 2016 Merchant Security Roadmap. For questions, please go to the Contact page on PayPal.com.

Thank you for your support of our commitment to maintaining high security standards for all of our global customers.

* Scheduled change dates provided in this email and the PayPal 2016 Merchant Security Roadmap are subject to change. You’ll be notified immediately of any changes to these plans.

Duplicated here:


We are very sorry to say that PayPal is not available in Bangladesh. I don't know why. But hope it'll be available soon.

Is there any response to this?

Is it something we need to be concerned with?