So I'm trying to take action on PayPal's PCI requirements https://www.paypal-notice.com/en/TLS-1.2-and-HTTP1.1-Upgrade/
They have informed me that I need to update to using TLS 1.2 and HTTP/1.1 Upgrade.
So I'm using just the basic HTML PayPal Payments Standard and have a basic checkout option to allow clients to pay for their stuff. My web application is running .NET 4.5 and using HTTPS.
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<!-- Stuff -->
<input type="hidden" name="notify_url" value="https://example.net/Paypal" />
<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_subscribeCC_LG.gif" border="0" name="submit" alt="PayPal – The safer, easier way to pay online." class="subscription" id="btngo">
</form>
So as far as I can tell, I'm doing everything correctly? Has anyone else gone through this upgrade and can tell me what I'm missing? Perhaps I need to do something on my notify_url?
It seems to be asking you whether your web server configuration is in order. You can use a few external tools to ensure you are PCI compliant in that regard, but I believe it's just ensuring you've got TLS 1.2 and HTTP 1.1 enabled.
You can test that TLS 1.2 is configured correctly using Qualys SSL Labs.
Otherwise, if you want your server to disable ciphers and protocols that may not be secure, you can use a tool like IIS Crypto, which is a straightforward way to do it.
If you don't want your site to be hit externally at the moment, you can check your server using openssl on a Linux box; it can give you some great diagnostic info. For ease of use, however, I'd stick with SSL Labs.
Word of warning, however: if your web server is running older versions of Windows Server 2008 R2, SQL Server or other software, be careful disabling older cipher suites (like some of the TLS protocols), as they often rely upon those cipher suites for connectivity (including Remote Desktop). There are fixes out there, but take time to plan it out.
Other than that, if SSL Labs gives you a green light then you're compliant.
UPDATE
If you can see https://tlstest.paypal.com from your web server and it shows that the TLS check is OK, then that should be all you need to do. As you are using PayPal Basics, they'll automatically upgrade their endpoints to TLS 1.2 for your code. The HTTPS part in your form is the important bit.
I imagine that for older web servers, establishing a TLS 1.2 connection between PayPal and the server might fail, and that's what they want you to check.
If you're targeting the 4.5 framework, TLS 1.2 is enabled but not the default. 4.6.2+ targets default to TLS 1.2, I believe. You can add this to force it:
using System.Net; // ServicePointManager and SecurityProtocolType live in System.Net
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
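As an added example (not the answerer's code, and not PayPal's), here is a small .NET 4.5 console program that forces TLS 1.2 process-wide and then fetches https://tlstest.paypal.com over HTTP/1.1, the same code path an outbound request from the notify_url handler back to PayPal would take. It assumes the endpoint returns a readable response body and simply prints whatever comes back; the User-Agent string is arbitrary.

```csharp
using System;
using System.IO;
using System.Net;

// Added example: verify that this process can reach PayPal's TLS test
// endpoint over TLS 1.2 / HTTP 1.1. Run it on the web server itself.
class PayPalTlsCheck
{
    // Returns true if the request completed with an HTTP 2xx status.
    static bool CheckTls12(string url)
    {
        // Process-wide setting: on .NET 4.5 the default is SSL3 | TLS 1.0,
        // so without this line the client never offers TLS 1.2.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.ProtocolVersion = HttpVersion.Version11; // HTTP/1.1 (the default, made explicit)
        request.UserAgent = "tls-check";                 // assumption: any UA is fine for this check
        request.Timeout = 15000;

        try
        {
            using (var response = (HttpWebResponse)request.GetResponse())
            using (var reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine("HTTP/{0} {1} {2}", response.ProtocolVersion,
                                  (int)response.StatusCode, response.StatusDescription);
                Console.WriteLine(reader.ReadToEnd());
                return (int)response.StatusCode >= 200 && (int)response.StatusCode < 300;
            }
        }
        catch (WebException ex)
        {
            // A failed handshake surfaces as WebExceptionStatus.SecureChannelFailure;
            // the inner exception carries the Schannel detail.
            Console.WriteLine("Request failed: {0} ({1})", ex.Message, ex.Status);
            if (ex.InnerException != null)
                Console.WriteLine("  inner: {0}", ex.InnerException.Message);
            return false;
        }
    }

    static void Main()
    {
        bool ok = CheckTls12("https://tlstest.paypal.com");
        Console.WriteLine(ok ? "TLS 1.2 check passed" : "TLS 1.2 check FAILED");
        Environment.Exit(ok ? 0 : 1);
    }
}
```

ServicePointManager.SecurityProtocol is static, so in an IIS application it belongs in Application_Start (Global.asax) rather than inside a request handler; once set there it applies to every outbound HttpWebRequest the worker process makes, including any verification post from the notify_url page back to PayPal. A SecureChannelFailure on an otherwise reachable host is the symptom the notice is warning about.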