PayPal Responds To Security Concerns

PayPal will cut off support for aging security protocol SSL 3.0 on Dec. 3, and that may cause problems for some of its merchants, the online payments giant announced on Monday (Nov. 10).

The move will block an attack known as POODLE (for Padding Oracle On Downgraded Legacy Encryption), which tricks software into using the compromised SSL 3.0 security, which dates from 1996, if it is available. By disabling SSL 3.0, that hole is closed and software is forced to use a more secure protocol known as TLS. Google publicly identified the attack in mid-October.

In a post on the PayPal Forward blog, PayPal CTO James Barrese wrote that all PayPal use of SSL 3.0 will end on Dec. 3, 2014.

“Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal,” Barrese wrote. “We recognize and regret that upgrading their PayPal integration may be challenging for some of our merchant customers at this busy time of year. The decision to extend our support of SSL v3 for a few more weeks was made with these merchants and the safety of our customers’ accounts in mind.”

Barrese added that PayPal has also acted to mitigate the risk of keeping SSL 3.0 working for the payments service through November, and that the company has “seen no evidence that the SSL v3 issue has led to any compromise of customers’ accounts at PayPal.”


Exclusive PYMNTS Study: 

The Future Of Unattended Retail Report: Vending As The New Contextual Commerce, a PYMNTS and USA Technologies collaboration, details the findings from a survey of 2,325 U.S. consumers about their experiences with shopping via unattended retail channels and their interest in using them going forward.

Click to comment