The information that follows is of a highly technical nature, will have a significant impact on business operations and should be reviewed by one of the following ASAP:
The business owner, operations manager, IT director or in-house system admin/programmer
Who is Affected by this?
This is not about "Everest"; it affects any merchant processing credit card payments on PayPal's older payment gateways/APIs.
Everest uses HTTPS to securely connect to PayPal’s servers for processing credit cards. This is handled by having the appropriate host in the processor detail screen - "payflowpro.paypal.com". When Everest communicates with the PayPal Payflowpro gateway it uses the TLS1.0 and/or SSL3.0 protocol to encrypt the data. The problem is that TLS1.0 and SSL3.0 both have vulnerabilities and are being phased out. To ensure the security of customers and merchants, credit card processing gateways must now adhere to industry best practices as set by the PCI Security Council; as a result, PayPal is updating its services to require TLS 1.2 for all connections.
Is this for real? There have been security updates before ...
This is very real. On Tuesday, April 17th, 2018 at 8 am PT, PayPal conducted a test as part of their published schedule leading up to the April 30 and June 30 deadlines. Less than 10 minutes into the test, the support queue for MARTEC360 had 3 support tickets related to credit cards not processing. Below are screenshots of the Everest CC processing status window of the "before" and "after" tests applying the PayflowPayments.com solution by MARTEC360. In both test cases, all of the appropriate security setting changes had already been applied to the server. This means that simply applying all of the security cryptography updates on servers alone will not solve the problem.
Payflowpro with no changes
11:09am ET: Simulation of "doing nothing" while only having security settings applied on the server.
What does PayPal recommend?
PayPal and other gateways assume merchant organizations are using software from vendors that are still in business, that they have proper maintenance/updates on the software or have access to the source code of the software so that developers may make updates such as TLS1.2.
Unfortunately, this is not a real-world scenario for thousands of merchants, who need an alternative path forward to being compliant because they cannot make these updates. To be more specific, this is the case in the Everest community, where hundreds of companies are using older versions of the software that do not have the means to update to TLS1.2.
Below is a diagram of what PayPal recommends organizations do. The "red path" represents the Everest community. Because of this, companies using Everest Software versions 3, 4, 5, or version 6 should take action NOW so that they have a seamless transition to TLS1.2 credit card processing.
What does the Payflow Payments Solution do?
The PayflowPayments.com Solution by MARTEC360 works in the background and handles the necessary TLS1.2 communication without Everest customers needing to update any lines of software code or deal with any of the network security layers themselves. All this results in your ability to seamlessly continue working on into the future uninterrupted.
What Customers are Saying
I had no idea that my business was even going to be affected by this update. It would have been crippling to have lost credit card processing in the peak of our busiest time of year with no warning. It was nice to know that our partner Payflow Processing by MARTEC360 was already ahead of the problem with a solution.
Robert - President / CEO
With multiple retail locations along with our online sales, we would have been "done". The setup was easy, the team took care of everything and after some test transactions ... we were live. Great work!
Lee - President / CEO
For more than 10 years, MARTEC360 has given us the ability to deliver bottom-line growth based on their high-level marketing and technology strategy. They have proven to be the missing piece in the puzzle that most small to mid-sized businesses like ours needed.
Chris - President/CEO
Everest TLS1.2 Credit Card Processing FAQs
PCI refers to the Payment Card Industry Security Standards Council. The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
June 30th, 2018.
30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
MARTEC360, an industry leader in the marketing and technology solutions and services space, developed the solution and process behind PayflowPayments.com in order to solve the problem for a cluster of customers they work with. These organizations all run Everest Software, an ERP platform.
While working on the solution it became clear this challenge had far-reaching implications not just limited to the Everest community.
The following versions of Everest are all affected by this change. Version 7 may also be affected; however, Payflow Payments and MARTEC360 have not yet tested it.
Everest version 3.x
Everest version 4.x
Everest version 5.x
Everest version 6.x
Customers on version 7.x should first contact Everest Support directly to see if there is a patch/update as part of their maintenance. If you run into any problems, our solution will work with version 7.x as well.
Updated May 26, 2018: If your environment is not on Windows 2008R2 and SQL2008R2 we may run into problems implementing the solution. In those cases, MARTEC360 does offer a fully managed private cloud service/solution with rates comparable to or better than an AWS environment.
In short, you will not be able to process credit cards.
On April 17th, at 8 am PT / 11 am ET, PayPal ran a test as part of their technical testing windows. Within minutes, multiple customers had reached out to MARTEC360 for support on why their credit cards were not working. During this same test, MARTEC360 populated the payment settings into the File > Setup > Accounting > Processors details window for our beta environment. While the live server was failing with an error "Denied:Failed to connect to host Input Server Uri=https://payflowpro.paypal.com", our server was providing "approvals".
Updated June 26, 2018: PayPal is now sending out notices to merchants communicating that they will not be able to process in some cases starting June 27th.
If you would like to test it on your own ahead of time, follow the steps below.
1. File > Setup > Accounting > Processors
2. Select your processor for payflowpro
3. Temporarily change the processor from "payflowpro.paypal.com" to "pilot-payflowpro.paypal.com".
4. Process a test transaction with a credit card connected to the processor
The result will be a URI error. You will not be able to process credit cards without the PayflowPayments.com solution.
Make sure to change your processor back to the "payflowpro.paypal.com" after this test so that in the meantime you are processing credit cards.
Update June 26, 2018: PayPal still references pilot-payflowpro.paypal.com in some documentation; however, they have since deprecated the DNS entries for the test URI. Any tests against this URI will actually fail and not verify that you are in "good shape". The new URI is tlstest.paypal.com.
For customers of PayflowPayments.com by MARTEC360 the test URI is now tlstest.payflowpayments.com. Anyone that is a subscribing member of PayflowPayments will be unable to access this URI.
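The check described above can also be run from a script on the same host. This is an added example, not code from PayPal, MARTEC360 or Everest; it assumes tlstest.paypal.com answers a plain HTTP/1.1 GET with the "PayPal_Connection_OK" string the page quotes, and the sample response is constructed.

```python
import socket
import ssl

TEST_HOST = "tlstest.paypal.com"         # test URI named on the page
SUCCESS_MARKER = "PayPal_Connection_OK"  # success string quoted on the page

# Constructed sample of a passing reply (assumed shape, for offline use).
SAMPLE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 20\r\n\r\nPayPal_Connection_OK"


def tls12_context():
    """Client context that verifies the certificate and refuses TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verdict(negotiated, raw_response):
    """Classify a probe from the negotiated protocol and raw HTTP reply."""
    if negotiated not in ("TLSv1.2", "TLSv1.3"):
        return "FAIL: negotiated %s, TLS 1.2 required" % negotiated
    if not raw_response.startswith(b"HTTP/1.1 200"):
        return "FAIL: unexpected HTTP status"
    _, _, body = raw_response.partition(b"\r\n\r\n")
    if SUCCESS_MARKER.encode() not in body:
        return "FAIL: success marker missing"
    return "PASS"


def probe(host=TEST_HOST, timeout=10):
    """Handshake with the test host, send an HTTP/1.1 GET, return a verdict."""
    request = "GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with tls12_context().wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request.encode("ascii"))
                chunks = []
                while True:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
                return verdict(tls.version(), b"".join(chunks))
    except (ssl.SSLError, OSError) as exc:  # handshake, DNS or socket failure
        return "FAIL: %s" % exc


if __name__ == "__main__":
    print("offline sample:", verdict("TLSv1.2", SAMPLE_OK))
    print("live probe:", probe())
```

A PASS here only shows that this host's Python/OpenSSL stack and network path can reach the gateway over TLS 1.2; it says nothing about the TLS client built into Everest, which is why the in-application test transaction is still needed.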
PayPal has extended the timelines in the past because the PCI council extended them. The last time the deadlines were extended they were set with the expectation that they would not be extended again. PayPal has been taking all the steps this time around so as to meet their deadlines. Organizations processing credit cards through PayPal should plan to have their systems in full compliance and tested before the deadline.
Updated June 26, 2018: PayPal will not be extending the date. Merchants not in compliance after June 30 will not process credit cards.
1. The team here at Payflow Payments by MARTEC360 will send you a quick questionnaire to better understand your environment.
2. Based on that, we may provide recommendations on changes to your network/hardware.
3. You'll receive an NDA followed by a proposal which can be executed digitally.
4. Once NDAs and proposal/contracts are executed, you'll get the instructions on the necessary changes you will need to make to grant payflowpayments API access in your manager.paypal.com account as well as how to grant our teams access to your network to verify and make the appropriate changes for the solution to work.
5. We will then get connected and correct problems with cryptography ciphers before updating your payment processors to use our gateway/solution.
6. We run a test against tlstest.payflowpayments.com once your account is authorized with us. We look for a "success result" whereby the gateway responds with "PayPal_Connection_OK". Once we have "success" then we cut you over to the production payflowpayments and paypal URI.
7. You're all set for processing with TLS1.2 and HTTP1.1 as well as future-proofed for TLS1.3 which is already in testing.
NOW! Why risk your business and wait any longer than you have to? By getting your spot confirmed in the implementation queue you can guarantee yourself a seamless transition into secure TLS1.2 processing.
The short version is "no". It means that the PayflowPayments.com solution is PCI compliant. PCI Compliance is a much bigger process and is not simply "software" based. It consists of going through the appropriate questionnaire with a certifying authority, setting up scans against all outside servers/devices that may contain or touch cardholder data and ensuring all results are passing. The PayflowPayments and MARTEC360 team has taken many organizations through PCI compliance certification. The process most often takes between 40 and 60 hours to complete depending on a variety of factors.