PayPal Users Must Discontinue Using SSL 3.0 By December 3, 2014

To address a vulnerability with the SSL 3.0 security protocol, PayPal and other payment gateways will be disabling SSL 3.0 support. Merchants must upgrade to Transport Layer Security (TLS) by December 3, 2014 to avoid PayPal payment operation failures.

Recently a vulnerability was published that affects a particular version of the Secure Sockets Layer (SSL) protocol, which is used to secure connections to websites. The vulnerability, which only exists in SSL 3.0, allows a cyber criminal to gain access to connections previously assumed secure. Fortunately, SSL 3.0 is not the only option available to secure these connections, and this vulnerability can be prevented by disabling support for SSL 3.0. PayPal will completely disable SSL 3.0 support, which will prevent this vulnerability from impacting users of PayPal, including those who may be using an integration via a merchant’s site.

Whilst disabling this protects users from harm, it may result in compatibility issues for some customers, particularly those merchant sites that rely on SSL 3.0. No need to worry though: updating your integration to be secure and compatible is quick and easy.

Ensuring you are secure is a simple process. If you are currently using SSL 3.0, update to use TLS, a more recent standard than SSL that provides a secure connection. Once you have done so, consider issuing new API credentials; this may not be necessary, but is recommended for security purposes.

If you are unsure whether you are using SSL 3.0, all you need to do is test your integration against the Sandbox. If you can make an API request, you are not using SSL 3.0, as this has already been disabled on the PayPal Sandbox, and you will experience no compatibility or security issues. If you are unsure how to test your integration against the Sandbox, please refer to the Merchant Response Guide for more details.
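One way to run that check from the client side, as an added example that is not PayPal's code: it audits a Python `ssl` context for SSL 3.0 being permitted, then handshakes with an endpoint and reports the negotiated protocol. The TLS 1.2 floor is an assumption (the notice only says to update to TLS), and the hostname is a parameter you supply for your own Sandbox endpoint.

```python
import socket
import ssl
import sys

# Versions below TLS 1.0; MINIMUM_SUPPORTED means "whatever the library allows".
_PRE_TLS = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3)


def ssl3_permitted(options, minimum_version):
    """True if these context settings would still let SSL 3.0 be offered."""
    if options & ssl.OP_NO_SSLv3:
        return False              # SSL 3.0 explicitly switched off
    return minimum_version in _PRE_TLS


def make_client_context():
    """Client context for API calls: certificate checks on, TLS only."""
    ctx = ssl.create_default_context()
    # Assumption: TLS 1.2 as the floor; the notice only says "update to TLS".
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Summarise the protocol settings of an existing SSLContext."""
    return {
        "ssl3_permitted": ssl3_permitted(ctx.options, ctx.minimum_version),
        "minimum_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname,
    }


def negotiated_version(host, port=443, timeout=10.0):
    """Handshake with the endpoint and return the protocol agreed on."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()   # e.g. "TLSv1.2" or "TLSv1.3"


if __name__ == "__main__":
    print(audit_context(make_client_context()))
    if len(sys.argv) > 1:         # pass your Sandbox API hostname as argv[1]
        print(negotiated_version(sys.argv[1]))
```

A successful handshake here only shows that this client can speak TLS; the integration code that actually calls the API must be built on the same TLS settings for the result to carry over.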

Read more at POODLE SSL 3.0 Vulnerability

For additional information about the POODLE vulnerability and PayPal’s response, please see this blog post from PayPal CTO, James Barrese.
