Everest Software will not process credit cards after June 2018.

The PCI Security Standards Council is requiring all payment gateways to use the latest SSL standards by June 2018. PayPal and Payflow Pro are part of this upgrade and will be requiring all external connections to use the latest security ciphers. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal after June 30th, 2018. Organizations that have not upgraded to TLS1.2 will not be able to process credit cards.

Because of dependencies on Payflow Pro, companies using legacy versions of Everest Software (ERP) will be in this predicament: their credit cards will not process.

The information that follows is of a highly technical nature, will have a significant impact on business operations and should be reviewed by one of the following ASAP:

The business owner, operations manager, IT director or in-house system admin/programmer

Who is Affected by this?

This is not about "Everest"; this affects any merchant processing credit card payments on PayPal's older payment gateways/APIs.

Everest uses HTTPS to securely connect to PayPal’s servers for processing credit cards. This is handled by having the appropriate host in the processor detail screen - "payflowpro.paypal.com". When Everest communicates with the PayPal Payflowpro gateway it uses the TLS1.0 and/or SSL3.0 protocol to encrypt the data. The problem is that TLS1.0 and SSL3.0 both have vulnerabilities and are being phased out. To ensure the security of customers and merchants, credit card processing gateways must now adhere to industry best practices as set by the PCI Security Council; as a result, PayPal is updating its services to require TLS 1.2 for all connections.

Is this for real? There have been security updates before ...

This is very real. On Tuesday, April 17th, 2018 at 8 am PT, PayPal conducted a test as part of their published schedule leading up to the April 30 and June 30 deadlines. Less than 10 minutes into the test, the support queue for MARTEC360 had 3 support tickets related to credit cards not processing. Below are screenshots of the Everest CC processing status window of the "before" and "after" tests applying the PayflowPayments.com solution by MARTEC360. In both test cases, all of the appropriate security setting changes had already been applied to the server. This means that simply applying all of the security cryptography updates on servers will not, on its own, solve the problem.

Everest Order #133102 Detail

The Everest Order detail screen.

Payflowpro with no changes

11:09am ET: Simulation of "doing nothing" while only having security settings applied on the server.

PayflowPayments.com Solution

11:22am ET: This is during the test period by PayPal using the PayflowPayments.com solution in combination with the security settings.

What does PayPal recommend?

PayPal and other gateways assume merchant organizations are using software from vendors that are still in business, that they have proper maintenance/updates on the software or have access to the source code of the software so that developers may make updates such as TLS1.2.

Unfortunately, this is not a real-world scenario for thousands of merchants, which need an alternative path forward to being compliant because they cannot make these updates. To be more specific, this is the case in the Everest community, where hundreds of companies are using older versions of the software which do not have the means to update to TLS1.2.

Below is a diagram of what PayPal recommends organizations do. The "red path" represents the Everest community. Because of this, companies using Everest Software versions 3, 4, 5, or version 6 should take action NOW so that they have a seamless transition to TLS1.2 credit card processing.

What does the Payflow Payments Solution do?

The PayflowPayments.com Solution by MARTEC360 works in the background and handles the necessary TLS1.2 communication without Everest customers needing to update any lines of software code or deal with any of the network security layers themselves. All this results in your ability to seamlessly continue working on into the future uninterrupted.

Everest TLS1.2 Credit Card Processing FAQs

PCI refers to the Payment Card Industry Security Standards Council. The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The security of cardholder data affects everybody. The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected -- there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities.

June 30th, 2018.

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

As a leader in payments, PayPal continually invests in technology to protect our customers’ information. Security and safety are our top priorities, and we are in the process of implementing a series of security upgrades throughout 2016 - 2018. These upgrades ensure our security measures continue to be a model for best practice and incorporate industry standards, including those set by the Payment Card Industry (PCI) Security Standards Council.

PayPal is saying in notices to customers (notice 1 example and notice 2 example) that April 30th is the timeline. In PayPal's testing schedule and information guides, they also reference the June 30th cut-off by the PCI Standards Council. To be safe, it would be best to take action immediately to prevent any disruption in credit card processing.

The upgrades will affect any systems that communicate and process credit cards with payment gateways such as PayPal Payflow. This means all ERP Platforms, eCommerce Systems, Recurring Billing Systems, CRM Systems will be affected.

PayPal has extended the timelines in the past because the PCI council extended them. The last time the deadlines were extended they were set with the expectation that they would not be extended again. PayPal has been taking all the steps this time around so as to meet their deadlines. Organizations processing credit cards through PayPal should plan to have their systems in full compliance and tested before the deadline.

If you do nothing by June 30th, 2018, it is probable you will no longer be able to process credit cards at that time. During one of the scheduled tests at 8am PT on April 17th, 2018, customers accessing the payflowpro.paypal.com endpoint on one ERP system had their systems abruptly stop working. A screenshot of those errors can be seen below.

MARTEC360, an industry leader in the marketing and technology solutions and services space, developed the solution and process behind PayflowPayments.com in order to solve the problem for a cluster of customers they work with. These organizations all run Everest Software, an ERP platform.

While working on the solution it became clear this challenge had far-reaching implications not just limited to the Everest community.

The following versions of Everest are all affected by this change. Version 7 may also be affected; however, Payflow Payments and MARTEC360 have not yet tested it.

Everest version 3.x
Everest version 4.x
Everest version 5.x
Everest version 6.x

Customers on version 7.x should start by contacting Everest Support directly to see if there is a patch/update as part of their maintenance. If you run into any problems, our solution will work with version 7.x as well.

Updated May 26, 2018: If your environment is not on Windows 2008R2 and SQL2008R2 we may run into problems implementing the solution. In those cases, MARTEC360 does offer a fully managed private cloud service/solution with rates comparable to or better than an AWS environment. 

In short, you will not be able to process credit cards.

On April 17th, at 8am PT/11am ET, PayPal ran a test as part of their technical testing windows. Within minutes, multiple customers had reached out to MARTEC360 for support on why their credit cards were not working. During this same test, MARTEC360 populated the payment settings into the File > Setup > Accounting > Processors details window for our beta environment. While the live server was failing with an error "Denied:Failed to connect to host Input Server Uri=https://payflowpro.paypal.com", our server was providing "approvals".

Updated June 26, 2018: PayPal is now sending out notices to merchants communicating that they will not be able to process in some cases starting June 27th. 

If you would like to test it on your own ahead of time, follow the steps below.

1. File > Setup > Accounting > Processors
2. Select your processor for payflowpro
3. Temporarily change the processor from "payflowpro.paypal.com" to "pilot-payflowpro.paypal.com".
4. Process a test transaction with a credit card connected to the processor

The result will be a URI error. You will not be able to process credit cards without the PayflowPayments.com solution. 

Make sure to change your processor back to the "payflowpro.paypal.com" after this test so that in the meantime you are processing credit cards. 

Update June 26, 2018: PayPal still references pilot-payflowpro.paypal.com in some documentation; however, they have since deprecated the DNS entries for the test URI. Any tests against this URI will actually fail and not verify that you are in "good shape". The new URI is tlstest.paypal.com.

For customers of PayflowPayments.com by MARTEC360 the test URI is now tlstest.payflowpayments.com. Anyone that is a subscribing member of PayflowPayments will be unable to access this URI. 

Updated June 26, 2018: PayPal will not be extending the date. Merchants not in compliance after June 30 will not process credit cards.

1. The team here at Payflow Payments by MARTEC360 will send you a quick questionnaire to better understand your environment.

2. Based on that, we may provide recommendations on changes to your network/hardware.

3. You'll receive an NDA followed by a proposal which can be executed digitally.

4. Once NDAs and proposal/contracts are executed, you'll get the instructions on the necessary changes you will need to make to grant payflowpayments API access in your manager.paypal.com account as well as how to grant our teams access to your network to verify and make the appropriate changes for the solution to work.

5. We will then get connected and correct problems with cryptography ciphers before updating your payment processors to use our gateway/solution.

6. We run a test against tlstest.payflowpayments.com once your account is authorized with us. We look for a "success result" whereby the gateway responds with "PayPal_Connection_OK". Once we have "success" then we cut you over to the production payflowpayments and paypal URI. 

7. You're all set for processing with TLS1.2 and HTTP1.1 as well as future-proofed for TLS1.3 which is already in testing.   

Once we receive the questionnaire the process takes 1-2 business days. The process can go faster depending on how quickly documents can get executed and your IT teams can get the teams access to your environment.

NOW! Why risk your business and wait any longer than you have to? By getting your spot confirmed in the implementation queue you can guarantee yourself a seamless transition into secure TLS1.2 processing.

The short version is "no". It means that the PayflowPayments.com solution is PCI compliant. PCI Compliance is a much bigger process and is not simply "software" based. It consists of going through the appropriate questionnaire with a certifying authority, setting up scans against all outside servers/devices that may contain or touch cardholder data and ensuring all results are passing. The PayflowPayments and MARTEC360 team has taken many organizations through PCI compliance certification. The process most often takes between 40 and 60 hours to complete depending on a variety of factors.