PayPal reminds users: TLS 1.2 and HTTP/1.1 are no longer optional

Insecure connections will break after June 30th. And it's acquired Hyperwallet, too

PayPal has reminded merchants that they must support TLS 1.2 and HTTP/1.1 by June 30.

The reason? That's the date the PCI Council mandated for those standards to come into effect.

In this notice, PayPal warns: “You will need to verify that your environment supports TLS 1.2 and HTTP/1.1 and if necessary make appropriate updates.”

For most, that means get a new browser, but the requirement also applies to systems connecting to PayPal's APIs. The PayPal Sandbox and Payflow Pilot both support the two standards now; Production endpoints will be ready by June 30; and subsidiary Braintree will also enforce compliance.

The changes would have come sooner, but back in 2015 the PCI Council extended the life of the now-unpopular and soon-to-be-deprecated TLS 1.0 and 1.1.

The council decided retailers wouldn't be able to meet its original June 2016 deadline. At that time, the council blamed smartphone makers for lagging in their browser implementations.

Lowering the boom on the old and vulnerable TLS versions won't break too many hearts. According to the IETF authors who this week proposed the formal deprecation of TLS 1.0 and 1.1, less than 1.1 per cent of Alexa top one million Websites still support those standards.

PayPal has been running tests since April to try and nudge merchant admins towards the upgrade.

The company also today announced it will spend US$400m to acquire Hyperwallet, a rival global payout platform. PayPal said the acquisition will bring it "localized, multi-currency payment distribution capabilities in more than 200 markets with numerous disbursement options, including prepaid card, bank account, debit card, cash pickup, check and PayPal." ®




Biting the hand that feeds IT © 1998–2018