James Barrese, CTO, PayPal
Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our consumer and merchant customers.
In an earlier blog post, we stated that our intention has always been to disable SSL v3 as quickly as reasonably possible. We also promised to keep you up to date on our plans. We are now able to share that PayPal will be disabling support for SSL v3 on December 3, 2014. Any merchant customer whose integration with PayPal uses SSL v3 will need to update their integration before this date to avoid an interruption in their ability to accept payments with PayPal.
We recognize and regret that upgrading their PayPal integration may be challenging for some of our merchant customers at this busy time of year. The decision to extend our support of SSL v3 for a few more weeks was made with these merchants and the safety of our customers’ accounts in mind.
Keeping our customers’ accounts, data and money secure is PayPal’s top priority and a guiding principle when we make challenging decisions, like this one.
We could not have extended our support of SSL v3 if we hadn’t been able to take significant steps to mitigate the risk of this vulnerability for our customers. We have seen no evidence that the SSL v3 issue has led to any compromise of customers’ accounts at PayPal. We also want to remind everyone that we have account protections in place and will cover 100% of unauthorized transactions if their account is ever compromised.
We deeply value the relationship we have with our merchant customers and we are here to help them through this process. We have created an online guide with instructions on how merchants can upgrade their integration, which is available by typing “Poodle” or “SSL” in the search box of the PayPal Technical Support site. We also encourage anyone with questions or requiring help to reach out to their web developer or to PayPal customer support.