Page 1 of 1

PayPal IPN Verification Postback to HTTPS (Solved)

Posted: Sun Mar 13, 2016 7:03 am
by Cleo

I just received this email from Paypal and as they are saying I am really not sure what I need to do!
PayPal 2016 merchant security upgrades
(My name,)

We recently announced several security upgrades planned for this year, some of which may require you to make changes to your integration. You’re receiving this email because we’ve identified areas of your integration that may need to be upgraded.

What you’re about to read is very technical in nature – we understand that. Please contact the parties responsible for your PayPal integration, or your third party vendor (for example, shopping cart provider, and so on) to review this email. They’re best positioned to help you make the changes outlined in this email and in the 2016 Merchant Security Roadmap Microsite.

What do I need to do to as a merchant?

We’ve outlined the steps to take to ensure your integration is up to date. We’re letting you know about these changes now because we don’t want you to experience a disruption of service when they go into effect.

Step 1: Consult with someone who understands your integration. We encourage you to consult with the parties that set up your integration, which could be a consultant or third party shopping cart. You may also need to find someone who can assist with making your integration changes.

Step 2: Understand how these changes affect your integration. Based on our records, we’ve identified areas that require your attention. It’s not a complete list, but does provide changes we feel you need to make to be ready for the security upgrades.

If the chart shows “Yes”, it means our records indicate that you may require changes to be compatible with that security upgrade.
If you see a “No,” that means our data shows that you are already compliant or do not use that functionality.

We want to call out that the information provided in this email may not reflect all the changes you need to make. Please assess your integration with the emphasis being on the items we’ve identified below:

Change Do I need to make a change?
SSL Certificate Upgrade to SHA-256 No
TLS 1.2 and HTTP/1.1 Upgrade No
IPN Verification Postback to HTTPS Yes
IP Address Update for PayPal Secure FTP Servers No
Merchant API Certificate Credential Upgrade No
Discontinue Use of GET Method for Classic NVP/SOAP APIs No

Step 3: Get the technical details on these changes. Detailed information of each of the changes and a location to test your integration are available on our 2016 Merchant Security Roadmap Microsite. Select the hyperlinks in the chart for information about specific change events.

Step 4: Make the appropriate changes by each “Act by” date*. It’s important to have your changes in place by the “Act by” date for each change event.

Step 5: Future-proof your integration. We recommend that you go through the “Best Practices section on our 2016 Merchant Security Roadmap Microsite.

Why is PayPal making these changes?

Protecting customer information is PayPal’s top priority. We support industry standards, such as crypto-industry’s mandate to upgrade SSL certificates to SHA-256, and Payment Card Industry (PCI) Council’s TLS 1.2 mandate. We also surpass those standards by investing and building some of the finest protection available. By addressing these changes this year, we believe it helps future-proof your integration and reduce the need to invest in changing your integration in the near future.

If you have any questions, visit our Help Center by clicking Help on any PayPal page. If you require further assistance, please call us at (866) 445-3186.

Thank you for your support of our commitment to maintain the highest security standards for all of our global customers.

*Scheduled change dates, including “Act by” dates, provided in this email and the PayPal 2016 Merchant Security Roadmap are subject to change. You’ll be notified immediately of any changes to these plans.
Ok so there is only one thing that I need to change which is:

IPN Verification Postback to HTTPS

Does this mean that I will need a SSL certificate for my site?



Re: PayPal IPN Verification Postback to HTTPS

Posted: Sun Mar 13, 2016 2:56 pm
by munirasim
First Answer: NO!
You don't need SSL certificate if you don't use PayPal IPN service. By default, this service is disabled for everyone.

Second Answer: YES!
You need SSL certificate if you use PayPal IPN services. This service allows to automate accounting tasks etc. at the back-end of your store if any such solution implemented.

Now the question arises, how could I come to know whether my store is using IPN service or not?
The answer is:

1) Login to your PayPal account

Here you can see if IPN is enabled or disabled. If enabled, you need to install SSL and also update URL given here with HTTPS otherwise you don't need to install SSL.

Re: PayPal IPN Verification Postback to HTTPS

Posted: Mon Mar 14, 2016 10:23 am
by Cleo

Thank you very much for this complete explanation :) It couldn't be clearer!

It is disable, so no need for SSL, but...

One more question if you don't mind? Will I still be notified if I receive a paiement?

Kind regards


Re: PayPal IPN Verification Postback to HTTPS

Posted: Mon Mar 14, 2016 9:17 pm
by munirasim
Yes! Notification through email as you may used to get before.

Re: PayPal IPN Verification Postback to HTTPS

Posted: Tue Mar 15, 2016 6:10 am
by Cleo

Thank you again for taking the time to reply :)



Re: PayPal IPN Verification Postback to HTTPS (Solved)

Posted: Thu Sep 08, 2016 8:02 pm
by mrcraz
I'm not sure I understand correctly or not.

PayPal IPN send pack payment status to store then the store send email to us. Without IPN, after paid we don't have any email from our store, isn't it?

Re: PayPal IPN Verification Postback to HTTPS (Solved)

Posted: Fri Feb 17, 2017 4:32 am
by supak111
Yes PayPal IPN sends a notification to OpenCart when payment is successful, so if you don't upgrade to HTTPS your website will NOT know if the payment was made therefore OpenCart will NOT send you an order email.

HOWEVER you will still get an email from PayPal for the payment, so you can still MANUALLY change the missing order TO order successful inside your OpenCart if you don't feel like upgrading to HTTPS.

In other words upgrading to HTTPS keeps PayPals IPN working to automates the process so you don't have to change missing order to successful order each time you receive an email form PayPal about a payment received.

PS. now does anyone know what PayPal IPN callback URL looks like?

I can probably make something that everytime I get a PayPal email for payment receive send that same URL back to my OpenCart and still have the same custom IPN system work without upgrading to HTTPS.