crcsupport asked:

Paypal Payflow gateway problem today, SHA-2 upgrade

We had a problem with our credit card processing app. It was developed 5 years ago and runs on Windows Server 2003.
Today, it can't connect to https://payflowpro.paypal.com. I called PayPal; they're upgrading their card processing server from SHA-1 to SHA-2. He suggested I wait until the upgrade finishes and try again. If it still doesn't work, I have to follow the documentation below to make changes to our card processing app that connects to their server.

https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1766&viewlocale=en_US&direct=en

Going through that, it seems I just have to move the app from Windows 2003 to Windows 2012 in order to send authorizations and charges with the updated encryption? It doesn't say the app has to use a new SDK, so I guess just moving the app from the old Windows to the new Windows OS would fix it.

I'm not a developer; if it can be done as a systems job, I would do that.
ASKER CERTIFIED SOLUTION
Russ Suter
ASKER

Russ, do you mean that PayPal is checking the connecting merchant's PCI status?
I finished migrating websites from Windows 2003 to Windows 2012 and am waiting for the scan to kick in. But I didn't know that PayPal is checking the PCI compliance status of the connecting merchant's card processing app. I thought it was related to something else: Windows 2003 can't handle connecting to a SHA-2 server.
Today, until 1 PM Pacific time, PayPal is in an outage due to their certificate upgrade.
Russ Suter

Nobody has any way of fully checking your PCI status in that manner. That was a bit of a side note related to your original question.

What they can do, should do, and it appears they did, is reconfigure their systems so that systems and protocols that have been recently identified as insecure are removed from use. There has been a flood of new vulnerabilities discovered lately involving encryption, certificates, and SSL/TLS protocols so it makes sense that they'd be turning off some of these. They'd have probably done it sooner except for the fact that many of their customers also need time to adjust.
I agree.
Our card processing app is not a website, but a desktop application running on Windows 2003. I'd like to set up this server so that it connects to Payflow and we get back to business.
I found the following article, which enables Windows 2003 to handle SHA-2. Does it sound like it will do the job according to the PayPal documentation above?

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
I applied two patches to enable SHA-2, it works.

ref: http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

But if anyone sees this, make a note: SHA-3 is coming. lol. Windows 2003 should retire. Damn, I was on the edge of the timing.
It's the ultimate coincidence that PayPal migrated their hash encryption from SHA-1 to SHA-2 today, as their maintenance schedule is specified above.
I've requested that this question be closed as follows:

Accepted answer: 500 points for Russ_Suter's comment #a40982397
Assisted answer: 0 points for crcsupport's comment #a40982421

for the following reason:

Russ made a good point: as long as we stay in PCI compliance, the problem won't happen. I believe the link I posted above should resolve this specific problem.
Good work. You are correct that this wouldn't have been an issue at all if you were using a newer version of Windows Server, since SHA-2 support is built into every currently supported version. You've worked around the issue, but you should still upgrade your server as soon as you can.