Top 5 eCommerce Posts for April

Getting Reacquainted with LinkedIn Ads – Practical Ecommerce
To be sure, LinkedIn should not account for your entire ad budget. But it’s worth getting reacquainted.

5 Reasons People Shop at Your Small Business – Constant Contact
It’s time to celebrate your success and remember some of the most common reasons people choose do business with you

Understanding Local SEO – Pair Networks
A subset of search engine optimization (SEO), local SEO focuses on attracting and converting local audiences online.

Sales tax showdown: FAQ on the Supreme Court case that could shape the future of online shopping -GeekWire
The U.S. Supreme Court is set to hear its first state sales tax case in more than 25 years this week and the verdict could have sweeping implications for e-commerce companies

How Are Shoppers and Merchants affected by TLS? – Nethosting
Most of us understand to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number

What is TLS and How Does It Affect My Customers?

PayPal, like many payment vendors, is “updating its services to require TLS 1.2 for all HTTPS connections.” Even non-payment vendors such as UPS are making the switchover. What is TLS, does it affect me and my customers,  and who/what is driving this change?



What is TLS?
Most of us understand to look for a secure URL (e.g. https://) on a web page before we enter sensitive information like a password or credit card number. Having the ‘s’ indicates that the page will receive your data securely via an encrypted communication between your browser and the server hosting that page. The more techie folks may know that the secure communication protocol originally used was called SSL (Secure Sockets Layer) and more recently TLS (Transport Layer Security.) Most of us may not realize that behind the scenes the protocols used for encrypting have been steadily updated to be even more secure. The latest and greatest update is for TLS version 1.2.

We all want the best security possible so, yay! — browsers, web servers, payment gateways, let’s all use TLS 1.2!  Yes, that is a good idea and that is what is currently in process to happen.  However, every piece of software involved in your web surfing experience needs to be updated to support the latest protocol.  For a few years now the newest versions of your web browser as well as many web servers have supported TLS 1.2 (as well as earlier versions of TLS and even SSL.)

Am I Affected?
As a web surfer, there is nothing you need to do as long as you have updated your web browser in the past few years (it is always good to keep your browser updated!) Likewise, most hosting providers are running a web server that supports TLS 1.2. The sticky point for end-to-end TLS support has been the payment gateways. It is a lot of work to upgrade their payment software and to ensure all 3rd-parties that communicate with their software support TLS 1.2. This includes Shopping Cart vendors and others. You don’t want to turn off support for protocols earlier than TLS 1.2 and have shoppers and merchants running older software mad that they cannot make online payments! Fortunately, this transition has been expected for several years now. In fact, PayPal originally announced the switchover for June of 2016, now it is scheduled for June of 2018.

Why TLS by June 2018?
What is special about this June for the switchover date? June 2018 is the deadline mandated by the Payment Card Industry (PCI) Security Council. The PCI council is sponsored by Visa and the other credit card companies and sets the standards that payment vendors like PayPal must adhere to. Not only does what they say carry a lot of weight, but payment vendors could face fines if they do not follow the recommendations.

Will Online Shopping be Disrupted?
What can we expect to happen after June 2018? A few shoppers will probably encounter online shops running older software and therefore not be able to complete an order. This was the experience at some shops using payment vendors that have already made the switchover. While all your big sites like Amazon, Wal*Mart, and others will not have a problem, there will be smaller merchants that have not kept their Shopping Cart software up to date. Luckily, most merchants are already running up to date software. For example, our Shopping Cart software — ShopSite version 12 sp2 r4 — has supported TLS 1.2 for nearly 2 years. Plenty of time for a merchant to plan and complete an upgrade. Of course, as soon as any merchant realizes their orders have stopped they will quickly update their site, so most of us will not see any problems at all!

Unless you, as a user, are running a really old web browser there is nothing that you need to do. As a merchant, you should check with your shopping cart vendor to ensure that you are running a version that will support TLS 1.2.

Is PayPal Occasionally Failing because of TLS Testing?

PayPal has announced that they will require the secure communications protocol — TLS 1.2 — by June 2018.  However, they will be periodically testing on live stores starting in March* and continuing until the switch over.  Here’s part of the message they are sending to their merchants:

Please note, over the next few months, PayPal will conduct several rounds of testing to emulate the upgraded security experience so merchants can understand the areas of their integration that still requiring security protocol upgrades.  If you have already made the required upgrades as outlined on the 2017-2018 Merchant Security Microsite, your PayPal integrations will not be impacted.  If you have not made the required upgrades, we encourage you to do so as soon as possible to avoid service interruption that may occur during our security upgrade testing activities.

Dates for these tests and full deployment will be published on our Merchant Security Upgrade Testing page at least two weeks prior to implementation so please bookmark and return frequently for the most up to date information.

Typically the requirement to only accept TLS 1.2 will last for about an hour.  However, the timing of that hour can be during your busiest hours! 

Am I Affected?

If you are using ShopSite version 12 sp2 r4 or greater (12 sp3 for Windows Servers) you are good to go.

The current release of ShopSite at the time of this post is version 14.0.  Here’s what it looks like in version 12 at the bottom lower left of the screen.

This store would need to upgrade since it is running version 12 sp2 r2.3

In addition, PayPal is also emailing its merchants based on what their servers see when an order comes from your site.  The emails typically have this information:

Our records indicate that you still need to make some critical security upgrades to your systems as well. If you see a “YES” next to a security change, your integration must be updated to accept these new security measures by the date specified:

• TLS 1.2 and HTTP/1.1 Upgrade – Complete by June 2018
Update Needed: No

• IPN Verification Postback to HTTPS – Complete by June 2018
Update Needed: No

• Discontinue Use of GET Method for Classic NVP/SOAP API’s – Complete by June 2018
Update Needed: No

• Merchant API Certificate Credentials Upgrade – Complete by September 2018
• Please note that this may be completed earlier based on the expiration date of your certificate.
Update Needed: Yes

In the above message, everything is good except for the API Certificate Credentials.  The API Certificate is actually something that you need to do every 3 years (for PayPal Express or PayPal Payments Pro).  You generate your cert on PayPal’s site and then copy it into ShopSite’s configuration screen for PayPal.

Because they do expire, we recommend that you switch to the API Signature Credentials instead.  If you do switch you will need to delete the certificate on PayPal, generate the signature and then update the configuration in ShopSite.  Either method can be used for validating your account.

Other Services Affected by TLS 1.2?

Authorize.Net, First Data, and UPS have recently made the switch over.  View this kbase article to see what other service providers have announced switchover dates.  Since the PCI (Payment Card Industry) deadline is June 30, 2018, everyone will be requiring TLS 1.1 or 1.2 by then.

For more on TLS and why it is being required and by whom, see this blog post.

*PayPal now says that testing will begin in April.

ShopSite Online Shopping Cart Software On YouTubeShopSite Online Shopping Cart Software BlogShopSite Online Shopping Cart Software on Google+ShopSite Online Shopping Cart Software On TwitterShopSite Online Shopping Cart Software On FacebookQuestions?888-373-4347E-commerce Blog ShopSite's E-commerce Blog Author