Paypal Security Updates


Does anyone know if OJS 2.4.8.x’s paypal module is compliant with this notice we received from paypal?

At PayPal, one of our top priorities is to ensure our customers and yours have a safe, secure experience when managing and moving money online or on a mobile device. We are committed to providing the highest level of security to protect customer and transactional data and have been upgrading our systems to ensure we are processing on the latest and most secure protocols. This year, we are requiring all of our merchants to implement some important security upgrades, as well.

Our records indicate that you still need to make some critical security upgrades to your systems as well. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures by the date specified:

• TLS 1.2 and HTTP/1.1 Upgrade - Complete by June 2018

  • Update Needed: Yes

• IPN Verification Postback to HTTPS - Complete by June 2018

  • Update Needed: No

• Discontinue Use of GET Method for Classic NVP/SOAP API’s - Complete by June 2018

  • Update Needed: No

• Merchant API Certificate Credentials Upgrade - Complete by September 2018
• Please note that this may be completed earlier based on the expiration date of your certificate.

  • Update Needed: No

Rich D.

Hi @radjr,

As far as I’m aware none of this will affect OJS’s PayPal implementation. If you have an old PHP and/or SSL library, you may need to upgrade those.

Alec Smecher
Public Knowledge Project Tema


We’re working with a society journal whose PayPal plug-in feature in OJS 2.4.8 is not working due to PayPal’s new security measures. The change is effective this week. Our host server will need to implement a server upgrade to support TLS 1.2 and HTTP/1.1.

I hope we won’t have similar issues when we upgrade to OJS 3.x. Is anyone using OJS 3.x with PayPal plug in having similar problems with PayPal’s new security measures?

Suzanne S.

Hi @sstapleton,

TLS and HTTP are supported by the underlying platform (PHP, libssl, etc) and are below the level of OJS’s code. There should be no changes needed to OJS itself.

Alec Smecher
Public Knowledge Project Team