Merchants and End Users Will Need To Support TLS 1.2.
In 2017, PayPal endpoints and APIs will require connections to use TLS 1.2 and HTTP/1.1 for optimal security (this also applies to Braintree). The payment company originally publicized this earlier this year, but we wanted to spread the word again to make sure everyone is aware.
“On June 30, 2017, PayPal will begin the process of discontinuing support for TLS 1.0 and 1.1. This means all merchant API communications with PayPal will need to use TLS 1.2.”
While TLS 1.0 and 1.1 have not been formally deprecated the way SSL 3.0 was (RFC 7568), they carry known weaknesses. The version-specific one is BEAST, which exploits the predictable CBC initialization vectors of TLS 1.0 (fixed in TLS 1.1). POODLE is fundamentally an SSL 3.0 padding attack (a few TLS implementations were caught by it through sloppy padding checks, independent of protocol version), and CRIME targets TLS compression at any version, so neither is a reason by itself to move to 1.2. What TLS 1.2 actually brings is AEAD cipher suites (AES-GCM) and a SHA-256-based PRF, which let connections leave CBC mode and SHA-1/MD5-based constructions behind entirely. In its background whitepaper, PayPal writes “the risk of breach with older versions of TLS is significant, and PayPal intends to pursue the most secure options available.”
This upgrade is coming “despite recent PCI Council recommendations to delay the mandate to upgrade to at least TLS 1.1 and preferably 1.2 until 2018.” We are very happy to see PayPal staying ahead of the curve here, given how many payments are processed with them per day.
The TLS 1.2 requirement will be site-wide, including consumer-facing sites like “www.PayPal.com.” There are likely more everyday end users who will be impacted than merchants and sellers.
Most merchants likely support TLS 1.2 already and are ready to go. Of those that do not, most simply have it disabled rather than lacking the capability, so for them this is a configuration change, and the upgrade should affect a very small number of merchants. The most notable client that cannot speak TLS 1.2 at all is Android 4.0.x and earlier (Android 4.1 through 4.4 implement TLS 1.2 but do not enable it by default, so apps on those versions need to turn it on explicitly), but those older devices account for less than 3% of all Android devices.
Merchants concerned about compatibility can read more and test their configuration at PayPal’s dedicated microsite.
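Two checks worth running before the cutoff, as an added example that is not part of the original post and not PayPal's or Braintree's code: parse a ClientHello (the bytes here are constructed, not captured) to see the highest protocol version a client actually offers, and build a Python client context that refuses to fall back below TLS 1.2. The function names are this example's own; the record layout follows RFC 5246 and the `supported_versions` extension from RFC 8446.

```python
"""Check whether a client will satisfy a TLS 1.2 minimum.

Two checks a merchant can run without touching PayPal's endpoints:
  1. Parse a ClientHello and report the highest version it offers.
  2. Build an ssl.SSLContext that refuses to negotiate anything below TLS 1.2.
The ClientHello bytes below are constructed for this example, not captured.
"""
import ssl
import struct

TLS_VERSION_NAMES = {
    (3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2", (3, 4): "TLS 1.3",
}
TLS_1_2 = (3, 3)
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 extension type


def build_client_hello(client_version, supported_versions=None,
                       cipher_suites=(0x002F, 0xC02F)):
    """Assemble a minimal ClientHello record (constructed sample input)."""
    body = struct.pack("!BB", *client_version)          # legacy client_version
    body += b"\x11" * 32                                # client random, fixed for the example
    body += b"\x00"                                     # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # one compression method: null
    if supported_versions is not None:                  # TLS 1.3-style version list
        data = struct.pack("!B", 2 * len(supported_versions))
        data += b"".join(struct.pack("!BB", *v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # The record-layer version is frozen at 0x0301 by most clients and says
    # nothing about what will be negotiated, which is why the body matters.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def highest_offered_version(record):
    """Return the highest (major, minor) version a ClientHello record offers.

    Without a supported_versions extension the legacy client_version field is
    the client's maximum; with it, the extension list is authoritative.
    """
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                              # past record + handshake headers
    client_version = (record[pos], record[pos + 1])
    pos += 2
    pos += 32                                            # random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    if pos >= len(record):                               # no extensions at all (older clients)
        return client_version
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            count = record[pos]
            listed = [(record[pos + 1 + i], record[pos + 2 + i])
                      for i in range(0, count, 2)]
            return max(listed)
        pos += elen
    return client_version


def meets_tls12_minimum(record):
    """True if the client could negotiate TLS 1.2 or later."""
    return highest_offered_version(record) >= TLS_1_2


def tls12_only_client_context():
    """Client-side context that refuses to fall back below TLS 1.2 (Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed samples: an old TLS 1.0-only client, a TLS 1.2 client without the
# extension, and a modern client advertising 1.3 and 1.2 via supported_versions.
SAMPLE_LEGACY = build_client_hello((3, 1))
SAMPLE_TLS12 = build_client_hello((3, 3))
SAMPLE_MODERN = build_client_hello((3, 3), supported_versions=[(3, 4), (3, 3)])

if __name__ == "__main__":
    for name, hello in [("legacy", SAMPLE_LEGACY), ("tls12", SAMPLE_TLS12),
                        ("modern", SAMPLE_MODERN)]:
        ver = highest_offered_version(hello)
        verdict = "OK" if meets_tls12_minimum(hello) else "will be rejected"
        print(f"{name}: offers up to {TLS_VERSION_NAMES[ver]} -> {verdict}")
```

To run the first check against a real integration, capture the first packet of an outbound connection from the merchant system (for example with tcpdump) and feed the TLS record bytes to `highest_offered_version`; a result below `(3, 3)` means that client will be turned away after the cutoff. The second check is the server-side enforcement mirrored on the client: pinning `minimum_version` makes a misconfigured proxy or downgrade attempt fail loudly instead of silently negotiating TLS 1.0.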