1) Changes to PayPal security for HTTP/1.1 and TLS 1.2
2) IPN Verification Postback to HTTPS
PayPal say their target for these is June 2018
You may have seen an article from PayPal which talks about HTTP and TLS. This is a server issue
which is the responsibility of your web host. Essentially there is an upgrade by PayPal to ensure that
all their servers meet the latest standards and hence your web server will also require to operate
in that way. You should contact your host about this if you are unsure, although most servers will already
meet these standards.
The second update is using HTTPS for IPN verification.
“If you are using PayPal’s instant Payment Notification (IPN) service, you will need to ensure
that HTTPS is used when posting the message back to PayPal for verification. HTTP PostBacks
will no longer be supported.”
“Merchants and partners use Instant Payment Notification (IPN) to receive notifications of
events related to PayPal transactions. The IPN message service requires that you acknowledge
receipt of these messages and validate them. This process includes posting the messages back
to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these
PostBacks . For increased security going forward, only HTTPS will be allowed for PostBacks to
PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal
to the merchant’s IPN listener.”
In practice this means that you need https on your web server to send https to PayPal and
then you need to change the set up of you PHP-KeyCodes, PHP-eSeller or PHP-SecureArea
application to identify the URL of the site as https rather than http.
Note: if a customer tried to make a purchase it would still succeed, but your store would
not be notified of that fact, and your records will not reflect the sale properly. Nor
will the PHP application automatically send the information to the customer by email.
Refer to PayPal documentation:
So do I need SSL on my Web Server when using PayPal IPN? Yes, the PostBack from PayPal will not work
and SSL will give better security for your site.