Everest Software will not process credit cards after June 2018.

The PCI Security Standards Council is requiring all payment gateways to use the latest SSL standards by June 2018. PayPal and Payflow Pro are part of this upgrade and will be requiring all external connections to use the latest security ciphers. Transport Layer Security version 1.2 (TLS 1.2) and Hypertext Transfer Protocol version 1.1 (HTTP/1.1) will become mandatory for communication with PayPal after April 30th, 2018. Organizations that have not upgraded will not be able to process credit cards.

The information that follows is of a highly technical nature, will have a significant impact on business operations and should be reviewed by one of the following ASAP:

  • The owner or operations manager
  • Your IT director or resource
  • Your in-house web programmer/system administrator

Who is Affected by this?

This is not only about "Everest". It affects any merchant processing credit card payments on PayPal's older payment gateways / APIs.

Everest uses HTTPS to securely connect to PayPal’s servers for processing credit cards. This is handled by having the appropriate host in the processor detail screen - "payflowpro.paypal.com". When Everest communicates with the PayPal Payflowpro gateway it uses the TLS1.0 and/or SSL3.0 protocol to encrypt the data. The problem is that TLS1.0 and SSL3.0 both have vulnerabilities and are being phased out. To ensure the security of customers and merchants, credit card processing gateways must now adhere to industry best practices as set by the PCI Security Council; as a result, PayPal is updating its services to require TLS 1.2 for all connections.
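To see which protocol versions a client application actually offers, the following added example (not code from PayPal, MARTEC360 or Everest) parses the first TLS record a client sends, the ClientHello, and reports the highest version in it. The function names and the sample records are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest protocol version offered by the ClientHello in one TLS record."""
    if len(record) < 11 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    try:
        best = struct.unpack_from("!H", record, 9)[0]        # client_version
        pos = 11 + 32                                        # skip the random
        pos += 1 + record[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        if pos + 2 > len(record):
            return best                                      # no extensions block
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            if ext_type == 43:                               # supported_versions
                offered = [struct.unpack_from("!H", body, i)[0]
                           for i in range(1, 1 + body[0], 2)]
                # Ignore GREASE and unknown values; keep real versions only.
                best = max([best] + [v for v in offered if v in VERSIONS])
            pos += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return best

def offers_tls12(record: bytes) -> bool:
    """True if the client offers TLS 1.2 or newer."""
    return max_offered_version(record) >= 0x0303

def build_hello(version: int, extensions: bytes = b"") -> bytes:
    """Constructed minimal ClientHello for the demo (not captured traffic)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"  # one cipher suite, null compression
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

LEGACY = build_hello(0x0301)                                 # TLS 1.0-only client
MODERN = build_hello(0x0303, bytes.fromhex("002b00050403040303"))

if __name__ == "__main__":
    for name, rec in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, VERSIONS[max_offered_version(rec)], offers_tls12(rec))
```

A client whose ClientHello tops out at TLS 1.0 cannot complete a handshake with a gateway that accepts only TLS 1.2, whatever protocol settings are enabled elsewhere on the machine.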


Is this for real? There have been security updates before ...

This is very real. On Tuesday, April 17th, 2018 at 8 am PT, PayPal conducted a test as part of their published schedule leading up to the April 30 and June 30 deadlines. Less than 10 minutes into the test, the support queue for MARTEC360 had 3 support tickets related to credit cards not processing. Below are screenshots of the Everest CC processing status window from the "before" and "after" tests of applying the PayflowPayments.com solution by MARTEC360. In both test cases, all of the appropriate security setting changes had already been applied to the server. This means that simply applying all of the security cryptography updates on servers alone will not solve the problem.


Everest Order #133102 Detail

The Everest Order detail screen.


Payflowpro with no changes

11:09am ET: Simulation of "doing nothing" while only having security settings applied on the server.


PayflowPayments.com Solution

11:22am ET: This is during the test period by PayPal, using the PayflowPayments.com solution in combination with the security settings.

What does PayPal recommend?

PayPal and other gateways assume merchant organizations are using software from vendors that are still in business, that they have proper maintenance/updates on the software or have access to the source code of the software so that developers may make updates such as TLS1.2.

Unfortunately, this is not a real-world scenario for thousands of merchants, who need an alternative path forward to being compliant because they cannot make these updates. To be more specific, this is the case in the Everest community, where hundreds of companies are using older versions of the software which do not have the means to update to TLS1.2.

Below is a diagram of what PayPal recommends organizations do. The "red path" represents the Everest community. Because of this, companies using Everest Software versions 3, 4, 5, or version 6 should take action NOW so that they have a seamless transition to TLS1.2 credit card processing.

[Diagram: PayPal's recommended flow for Everest users]

What does the Payflow Payments Solution do?

The PayflowPayments.com Solution by MARTEC360 works in the background and handles the necessary TLS1.2 communication without Everest customers needing to update any lines of software code or deal with any of the network security layers themselves. All this results in your ability to seamlessly continue working on into the future uninterrupted.

[Diagram: how PayflowPayments works, network map]


Everest TLS1.2 Credit Card Processing FAQs

PCI refers to the Payment Card Industry Security Standards Council. The PCI Security Standards Council is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

The security of cardholder data affects everybody. The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, and their credit can be negatively affected; there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), and they are also subject to numerous financial liabilities.

June 30th, 2018.

30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.

As a leader in payments, PayPal continually invests in technology to protect our customers’ information. Security and safety are our top priorities, and we are in the process of implementing a series of security upgrades throughout 2016 - 2018. These upgrades ensure our security measures continue to be a model for best practice and incorporate industry standards, including those set by the Payment Card Industry (PCI) Security Standards Council.

PayPal is saying in notices to customers (notice 1 example and notice 2 example) that April 30th is the timeline. In PayPal's testing schedule and information guides, they also reference the June 30th cut-off by the PCI Standards Council. To be safe, it would be best to take action immediately to prevent any disruption in credit card processing.

The upgrades will affect any systems that communicate and process credit cards with payment gateways such as PayPal Payflow. This means all ERP Platforms, eCommerce Systems, Recurring Billing Systems, CRM Systems will be affected.

PayPal has extended the timelines in the past because the PCI council extended them. The last time the deadlines were extended they were set with the expectation that they would not be extended again. PayPal has been taking all the steps this time around so as to meet their deadlines. Organizations processing credit cards through PayPal should plan to have their systems in full compliance and tested before the deadline.

If you do nothing by June 30th, 2018, it is probable you will no longer be able to process credit cards at that time. During one of the scheduled tests at 8am PT on April 17th, 2018, customers accessing the payflowpro.paypal.com endpoint on one ERP system had their systems abruptly stop working. A screenshot of those errors can be seen below.

MARTEC360, an industry leader in the marketing and technology solutions and services space, developed the solution and process behind PayflowPayments.com in order to solve the problem for a cluster of customers they work with. These organizations all run Everest Software, an ERP platform.

While working on the solution it became clear this challenge had far-reaching implications not just limited to the Everest community.

The following versions of Everest are all affected by this change. Version 7 may also be affected; however, Payflow Payments and MARTEC360 have not yet tested it.

Everest version 3.x
Everest version 4.x
Everest version 5.x
Everest version 6.x

Customers on version 7.x should first contact Everest Support directly to see if there is a patch/update as part of their maintenance. If you run into any problems, our solution will work with version 7.x as well.

In short, you will not be able to process credit cards.

On April 17th, at 8am PT / 11am ET, PayPal ran a test as part of their technical testing windows. Within minutes, multiple customers had reached out to MARTEC360 for support on why their credit cards were not working. During this same test, MARTEC360 populated the payment settings into the File > Setup > Accounting > Processors details window for our beta environment. While the live server was failing with an error "Denied:Failed to connect to host Input Server Uri=https://payflowpro.paypal.com", our server was providing "approvals".

If you would like to test it on your own ahead of time, follow the steps below.

1. File > Setup > Accounting > Processors
2. Select your processor for payflowpro
3. Temporarily change the processor from "payflowpro.paypal.com" to "pilot-payflowpro.paypal.com".
4. Process a test transaction with a credit card connected to the processor

The result will be a URI error. You will not be able to process credit cards without the PayflowPayments.com solution. 

Make sure to change your processor back to the "payflowpro.paypal.com" after this test so that in the meantime you are processing credit cards. 

The team here at Payflow Payments by MARTEC360 will send you a questionnaire to better understand your environment. Based on that, we may provide recommendations on changes to your hardware. We will then get connected and correct problems with cryptography ciphers before updating your payment processors to use our gateway / solution.
Once we receive the questionnaire the process takes 1-2 business days.

The solution for Everest has a setup fee associated with each application server. The first application server has a $2500 setup fee. The remaining application servers will be charged at a reduced rate per server. Each application server must have these setup steps because each application server communicates directly with the processing gateways.

Additionally, because the MARTEC360 solution operates as an intermediary service, there is also a yearly subscription fee of $1200. The processing subscription is per "Everest company" processing credit cards.

NOW! Why risk your business and wait any longer than you have to? By getting your spot confirmed in the implementation queue you can guarantee yourself a seamless transition into secure TLS1.2 processing.

We are offering the following promotions in order to help you beat the rush on the deadlines.

April: $500 off the setup fee
May: $250 off the setup fee
Before June 15: $150 off the setup fee
After June 15: no further promotions