PayPal has made everyone’s week a little crazier by sending out a very scary-sounding email with the subject line “IMMEDIATE ATTENTION REQUIRED: PayPal service upgrades.”

Relax. It’s not as scary as it sounds.

If you’re a customer, simply fill out a support request and rest easy: we’ve got you covered. If you need a new web developer, please let us know!

If you want to understand better what all this techno-speak means… I’ll try to break it down into “human” (with a bit of humor) for you.


Don’t ignore this email, but you have until the 30th to actually take action — if you need to at all. We’re sending this now so we can say we warned you if you freak out after 9/30.

PayPal service upgrades

We’re making things better, but may break some sites in the process.

As we have previously communicated to you, PayPal is upgrading the certificate for to SHA-256. 

We’re upgrading the SSL certificate on to make it more secure (SHA-256 is more secure than SHA-1). SSL certificates are what encrypt sensitive information when it’s sent over the internet — like payment details.

This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.

An endpoint is a URL (web address) computers use to talk to each other and exchange data.

IPN = Instant Payment Notification — it’s how your server and PayPal’s talk to verify payments have been made successfully.

This upgrade is scheduled for 9/30/2015; however, we may need to change this date on short notice to you to align to the industry security standard.

We’re going to do this on 9/30 unless a serious security issue or hacking attempt forces us to do so sooner.

You’re receiving this notification because you’ve been identified as a merchant who has used IPN endpoints within the past year.

You’ve accepted a PayPal payment on your website in the last year.

If you have not made the necessary changes, we urge you to do so right away to avoid a disruption of your service!

We don’t want to break your payment integration and have to deal with the fallout after the fact.

Because these changes are technical in nature, we advise that you consult with your individuals responsible for your PayPal integration.

This is not a user serviceable part — contact your web developer.

They will be able to identify what, if any, changes are needed. Please share this email and the hyperlinks below with your technical contact for evaluation.

They know about this stuff, your server, and your integration details. Don’t ask us about this stuff — we can’t help you.

Testing in the Sandbox is one of the best ways to make sure your integration works. Sandbox endpoints have been upgraded to accept secure connections by the SHA-256 Certificates.

Our test site (sandbox) is already upgraded.

If your server can connect to that, you’re all good. WordPress developers: here’s a plugin to easily test this on client sites.

If your server fails to connect… it’s time to contact your web host, sysadmin, etc.

Full technical details can be found in our Merchant Security System Upgrade Guide.

You thought this email was full of techno-babble? This is even worse. Oh, and we have no choice: we have to upgrade this soon or we can’t process credit cards for you going forward.

In addition, our 2015-2016 SSL Certificate Change microsite contains a schedule of our service upgrade plan.

Have insomnia? This may help.

Thanks for your patience as we continue to improve our services.

You read this far before forwarding this with a panicked message to your web developer? Good for you.