Do I Need SSL If I Use PayPal?

When your Easy Digital Downloads store conducts a transaction with PayPal, PayPal attempts to communicate with your store to send information about that transaction. This process is called Instant Payment Notification, or IPN.

IPN verification works using a normal web request, meaning that PayPal simply visits a page on your site.

As of September 30, 2016, PayPal IPN will ONLY work over SSL. Read more general information about SSL with EDD here.

What is PayPal changing and when?

PayPal is changing the protocol it uses to communicate with your site. Previously it used plain HTTP; it now requires SSL and uses HTTPS. This began on September 30, 2016. If your site is not compatible by this date, IPN verification will not work, and your site will not be updated when transactions are made.

Note: if a customer tries to make a purchase, it will still succeed, but your store will not be notified of that fact, and your records will not reflect the sale properly.

What does it mean for store owners?

Before September 30, 2016, store owners should ensure that their server supports:

  • HTTP 1.1 or newer
  • HTTPS requests
  • TLS 1.2 or newer
  • only 2048-bit, SHA-256 certificates signed with VeriSign’s G5 root

How do store owners know if they need to update?

Much of this information can be found by clicking the little lock symbol in your browser's location bar, but some cannot, so the easiest way to find out about all of it is to simply ask your hosting provider or system administrator.

How can I test myself to see if my server is compliant?

PayPal has already made these changes in their Sandbox accounts. You can temporarily switch your site to use your Sandbox account to run some tests. Full documentation on making a PayPal Sandbox account is here.
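
Alongside a Sandbox test, the TLS 1.2 and certificate items from the checklist above can be checked from a terminal. The script below is an added example, not EDD or PayPal code; it assumes the openssl command-line tool is installed, reads "2048-bit" as a minimum key size, uses store.example.com as a placeholder host, and does not check the HTTP 1.1 or root-certificate items.

```shell
#!/usr/bin/env bash
# Added example, not EDD or PayPal code. Live use requires the openssl CLI.

# Print the server certificate in text form, forcing a TLS 1.2 handshake.
# Returns non-zero if the host cannot negotiate TLS 1.2 on port 443.
fetch_cert_text() {
  openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null
}

# Read `openssl x509 -noout -text` output on stdin; check key size and hash.
# Prints one PASS/FAIL line per item and returns 0 only if both pass.
check_cert_text() {
  text=$(cat)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  rc=0
  if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
    echo "PASS key size: $bits bit"
  else
    echo "FAIL key size: ${bits:-unknown} (need 2048 bit or more)"; rc=1
  fi
  case "$sig" in
    sha256*) echo "PASS signature: $sig" ;;
    *)       echo "FAIL signature: ${sig:-unknown} (need SHA-256)"; rc=1 ;;
  esac
  return "$rc"
}

# Live check of one host: TLS 1.2 handshake first, then the certificate.
audit_host() {
  if cert=$(fetch_cert_text "$1"); then
    echo "PASS TLS 1.2 handshake with $1"
    printf '%s\n' "$cert" | check_cert_text
  else
    echo "FAIL TLS 1.2 handshake with $1"; return 1
  fi
}

# Constructed sample (not a real certificate) so the parser can be run offline.
SAMPLE_OK='    Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = store.example.com
                Public-Key: (2048 bit)'
printf '%s\n' "$SAMPLE_OK" | check_cert_text
# Live use: audit_host store.example.com
```

A FAIL line tells your hosting provider or system administrator which item to fix.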

How do store owners update their sites to comply with the new rules?

Typically this kind of configuration is done by your hosting provider or system administrator. You may refer them to this document as well as PayPal's Knowledgebase article containing more specific details.

What are alternatives if I do not wish to add an SSL certificate?

The best alternative within PayPal is PayPal Express. PayPal Express still requires HTTP 1.1 and TLS 1.2, but does not require the 2048-bit certificate. You can purchase the PayPal Express extension in the Easy Digital Downloads store and read the PayPal Express documentation here.