Article topics

PayPal to change SSL requirements for website payments

Mark Tomkins

As we write this newsletter, we have become aware of significant changes that PayPal-integrated websites will need to be configured in order to continue to work.

The change is huge and something that will affect every single website that has PayPal as its payment gateway method where the pages on the website are SSL certificate protected or do not have an SSL at all, such as the page where the user completes their personal or delivery details.

So what’s the problem?

Until very recently, a website that took payments on its website that had the pages protected by an SSL certificate was able to use any SSL certificate – from a low cost rapid SSL through to a top-end fully verified SSL – the encryption level and type of certificate was irrelevant.

As long as the certificate was SHA-1 with 1024 bit encryption (G2) or greater, this was enough.

Paypal’s recent announcement states that in light of the rise of computing power, Google Chrome’s deprecation of SHA-1 SSL certificate acceptance and industry’s best practice guidelines, PayPal will be moving towards requiring all websites that integrate with its payment pages and API to have a a minimum SSL certificate level of SHA-2 (256) G5 encryption level algorithm and the server support TLS 1.2.

What does this mean to most websites?

Let’s take a simple example of a website that sells lightbulbs on its website and uses PayPal as the payment gateway. If the website owner (and its developer) has developed the website so that when the user gets to the cart or the page they enter their personal it’s protected by an SSL certificate (and of course, this is best practice), the SSL certificate that has been purchased from the host (or SSL-issuer) must now conform to these new standards.

From June 2016, Paypal will no longer support any website that integrates with its payment pages that do not conform to the new SSL standard and the online purchase will fail.

What needs to be done to fix it?

Whilst there will be differences from one website to another, the website owner (or more accurately, its developer) will need to have a new SHA-2 (256) G5 SSL installed on the site by the hosts or issuers and ensure that the host supports TLS 1.2.

An added complication is that doing this is also likely change the IP address of the website as each SSL comes with its own unique IP address and so may have an impact on a website’s function, administration and security.

Obviously testing the new SHA-2 (256) G5 SSL certificate is vital before going live but the support from Paypal won’t be too forthcoming. PayPal’s official statement about the new requirements claim that their sandbox environment (and simulator) will assist in the testing of the new SSL standard. In addition, we have also developed a few sample code snippets for you to use for free. View our article How do I check my PayPal IPN for SSL G5 compatibility?


Although difficult to be 100% accurate, our estimate is that it is going to affect more than 5 million websites – most likely more and so the winners in this scenario are the web hosts and SSL certificate issuers that benefit from the annual renewal income and firmly put the cost of PayPal increasing its security on the small business website owner.

You can read more on the original PayPal press release here.

If you sell online and use PayPal as your payment gateway call us today on 01525 373020 for a FREE CONSULTATION and we’ll tell you whether your website is affected or not and the best course of action.