New Information as of December 2, 2014: POODLE SSL v3 Technical Extension to January 12

James Barrese, CTO, PayPal

 

[12/2/2014]

 

We want to share an update about PayPal’s work to keep our customers’ accounts secure from the POODLE SSL v3 vulnerability.

 

Since our last post, we have been hard at work to find and implement a short-term solution that will help certain businesses that depend on PayPal but have been unable to upgrade their integrations during the busy holiday season. On December 3, 2014, we will reduce our support of SSL v3 to only versions that are not currently vulnerable to POODLE. This will keep our customers’ accounts secure from the POODLE vulnerability while allowing the majority of our merchant customers to continue processing PayPal payments during their busiest sales season. Following this interim step, we will fully disable support for SSL v3 on January 12, 2015.

 

Despite our mitigation efforts, a small number of merchants will not be able to process payments following December 3, 2014 because their integration is vulnerable to POODLE. These businesses will need to upgrade before this deadline. We are communicating directly with these merchants to help them prepare and to minimize disruption to their business.

 

If your business is still in the process of upgrading, we encourage you to make this change as quickly as possible. We always make the security of our customers our top priority and may have to suspend support for SSL v3 earlier than January 12, 2015 if a new vulnerability is discovered.

 

We have prepared detailed materials to help businesses understand how to upgrade their integration. You can find the online guide at the POODLE SSL v3 Microsite. We also encourage anyone with questions or requiring help to reach out to their web developer or to PayPal customer support.

 

Thank you for your understanding and your business.

 

[11/10/2014]

 

Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our consumer and merchant customers.

 

In an earlier blog post we stated our intention has always been to disable SSL v3 as quickly as reasonably possible. We also promised to keep you up to date on our plans. We are now able to share that PayPal will be disabling support for SSL v3 on December 3, 2014. Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal.

 

We recognize and regret that upgrading their PayPal integration may be challenging for some of our merchant customers at this busy time of year. The decision to extend our support of SSL v3 for a few more weeks was made with these merchants and the safety of our customers’ accounts in mind.

 

Keeping our customers’ accounts, data and money secure is PayPal’s top priority and a guiding principle when we make challenging decisions, like this one.

 

We could not have extended our support of SSL v3 if we hadn’t been able to take significant steps to mitigate the risk of this vulnerability for our customers. We have seen no evidence that the SSL v3 issue has led to any compromise of customers’ accounts at PayPal. We also want to remind everyone that we have account protections in place and will cover 100% of unauthorized transactions if their account is ever compromised.

 

We deeply value the relationship we have with our merchant customers and we are here to help them through this process. We have created an online guide with instructions on how merchants can upgrade their integration, which is available by typing “Poodle” or “SSL” in the search box of the PayPal Technical Support site. We also encourage anyone with questions or requiring help to reach out to their web developer or to PayPal customer support.

Original author: PayPal-Forward