PayPal is in the process of making a series of security-related upgrades to its platform. Many of these changes won’t take effect until midway through 2017, but one important change is happening next month (October 2016).
Here’s what you need to know about PayPal’s SSL Certificate upgrade and how it might affect you.
How Charitable’s PayPal integration works
Before we unpack the implications of PayPal’s SSL Certificate upgrade, I’m going to tell you a little story about Joe.
Joe really loves the work that Awesome Charity is doing to support rural communities in northern Africa. He reads about their current fundraising campaign and decides to donate $50.
After filling out a donation form, Joe is directed to PayPal where he finishes making his donation.
Behind the scenes, PayPal sends a message to Awesome Charity’s website to advise that Joe has completed a payment for the donation (this message is called the Instant Payment Notification, or IPN). Now, Awesome Charity has to check that PayPal really sent that message, since there are nasty people out there that know how to fake these kinds of messages. PayPal responds and basically says: “Yeah, that was me.”
That’s the confirmation that Awesome Charity’s website needs to process Joe’s donation. It already recorded Joe’s donation when he first filled out the donation form, but now it marks it off as Paid.
All of that behind the scenes stuff happens without Joe or anyone from Awesome Charity doing anything. The back-and-forth conversation between Awesome Charity’s website and PayPal is usually finished within seconds.
How Will the SSL Upgrade Change This?
This basic process will remain the same after PayPal’s SSL Certificate upgrade takes place. As far as Joe is concerned, everything will work pretty much the same. He will still be able to make a donation, and Awesome Charity will still receive the money.
But if Awesome Charity’s website is running on a web server with some old libraries, that little behind the scenes conversation may stop working. Awesome Charity will still get PayPal’s original message to say the donation has been paid for, but when it asks PayPal to confirm, PayPal might send back a message like this:
cURL error 35: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
That’s basically PayPal’s way of giving the cold shoulder.
That turns out to be really annoying for Alice, who is the campaign manager for Awesome Charity. When she logs into their website and checks their latest donations, she sees Joe’s donation but it’s still listed as Pending. She now has to log into Awesome Charity’s PayPal account to check whether Joe’s donation is showing up there.
What You Can Do About It
If you’re like Alice, you don’t want to be stuck spending all day cross-referencing the donations you receive with your PayPal account records. Here is what you should do.
1. Check whether you’re affected
Hopefully, you won’t have any issues at all when PayPal’s SSL certificate is upgraded. If your web hosting company is responsible and cares about the security of its customers’ websites, they’ve probably already made sure this won’t be a problem for you. But you should still check, so here’s how:
- You’ll need to create a couple of PayPal sandbox accounts. Here’s a guide showing just how to do that.
- After you have done that, log into your WordPress dashboard and go to Charitable > Settings > Payment Gateways. Click on the “Gateway Settings” button for PayPal.
- Scroll down to the “Run a Test Donation” section (if you don’t see it, make sure you have updated Charitable to version 1.4.3):
- In the “Sandbox Seller Email Address” field, enter the email address of the Merchant account you created a moment ago in PayPal’s sandbox.
- Click on “Make a Test Donation”.
- You will be redirected to PayPal, where you should complete the donation using the Buyer account you created in step 1.
- When done, click on the PayPal link to return back to your website, where you should see a message telling you whether your site can communicate with PayPal. You will also receive an email from Charitable.
2. Contact your hosting company
If the communication process between PayPal and your website fails, your website is running on a server with outdated software. You should get in touch with your host immediately and refer them to the upgrade information provided by PayPal. You should also provide them with the error message that was listed in the email sent to you from Charitable.
It’s important to note that this isn’t just about making sure your integration with PayPal works. You’re also making sure that your website isn’t powered by a server with unsupported and insecure software.
If your host is unable or unwilling to move you to a modern server with secure software, you should seriously consider migrating to a new hosting company. There are plenty of good hosting companies out there, and many of them offer tools to help you migrate your website to their platform.
3. Disable IPN verification – a temporary workaround
If for some reason you can’t switch (or can’t switch yet), we have added a way for you to skip the IPN verification process in Charitable. You should not rely on this permanently, since it makes your PayPal integration less secure, but it can help you temporarily avoid having all your donations stuck as Pending.
In your WordPress dashboard, go to Charitable > Settings > Payment Gateways. Click on the “Gateway Settings” button for PayPal. Tick the box for “Disable IPN Verification” and save the changes.
Again, this is a temporary workaround. Don’t rely on it. Make sure your host is upgrading its system or switch to a better host.
If you run into any problems along the way, please post your comments below or get in touch with us via our support form.