Magento Patch SUPEE-8167 for PayPal Instant Payment Notifications
For increased security, merchants will only be able to use HTTPS when posting messages back to PayPal via their Instant Payment Notification (IPN) service. In the past, PayPal has allowed the use of HTTP for these postbacks.
Merchants and partners use Instant Payment Notification (IPN) to receive notifications of events related to PayPal transactions. The IPN message service requires that you acknowledge receipt of these messages and validate them. This process includes posting the messages back to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these postbacks. For increased security going forward, only HTTPS will be allowed for postbacks to PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.
Why is PayPal making this change?
PayPal is upgrading all external endpoints used by merchants and partners to make programmatic connections. One of these changes is only allowing the use of HTTPS when connecting with PayPal systems to ensure that all information is securely transmitted. IPN messages contain sensitive information about your customers and their transactions that should only be passed securely.
What are the upgraded security standards that PayPal is moving to for all external endpoints?
PayPal is upgrading all of its external endpoints to the latest industry standards:
- HTTP 1.1 or newer
- HTTPS only
- TLS 1.2 or newer only
- 2048-bit, SHA-256 certificates signed with VeriSign’s G5 root
Magento Security Patch SUPEE-8167
As of June 30, 2017, PayPal Instant Payment Notifications will no longer allow HTTP to post messages back to PayPal for verification. To comply with these changes, all Magento merchants using PayPal must upgrade to:
- Enterprise Edition 220.127.116.11 or apply the SUPEE-8167 patch
- Community Edition 18.104.22.168 or apply the SUPEE-8187 patch
All Magento 2.1.x versions already support this change, so no update is required.
Merchants must upgrade or apply a patch by June 30, 2017, to avoid any potential service disruptions.