End of Transport Layer Security (TLS) 1.0 Support

The PCI Council has released a new update to the PCI Data Security Standard (version 3.1).

The main changes in version 3.1 are the deprecation of SSL 3.0 and TLS 1.0 as secure protocols. SSL and early TLS (TLS 1.0) are not anymore considered strong cryptography and therefore cannot be used as a security control.

To remain compliant with the PCI DSS standard, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or TLS 1.0 protocols.

What is TLS?

Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
What is the timeline?
- For inbound communications (entering the gateway), we already support TLS 1.2. Please note that the system is backward compatible and we do still support previous version of TLS for now. However it is strongly recommended that you upgrade to TLS 1.2 as soon as possible.
- For outbound communications (coming out of the gateway), TLS 1.2 will be available in our TEST and PROD environment as of April 2017. As of then you are encouraged to upgrade as soon as possible to TLS 1.2 and let us know if you encounter any issue.
Ingenico ePayments requires all merchants to upgrade their security protocol before the end of May.
I use e-Commerce Hosted Payment Page. Am I impacted?

If you use our e-Commerce Hosted Payment Page product, the transactions are initiated from this product. Therefore there is not impact for the gateway inbound communications. However if you have implemented any of the outbound communications (such as the post-sale or offline status changes), you need to upgrade to TLS 1.2.

I use DirectLink (server-to-server) or automatic Batch. Am I impacted?

If you use our DirectLink or automatic Batch server-to-server products, there is an impact on the inbound communications and you need to upgrade to TLS 1.2.
Moreover if you have implemented any of the outbound communications (such as the post-sale or offline status changes), you also need to upgrade to TLS 1.2.

The following is a list of operating systems and framework compatible with TLS 1.1/1.2, each containing a link explaining the configuration steps:

Windows OS

Windows OS	TLS 1.1/1.2
Windows Vista/Windows Server 2008 (and earlier)	Not supported
Windows Server 2008 (SP2)	Update in order to support https://support.microsoft.com/en-us/help/4019276/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows
Windows 7 (SP1)/Windows Server 2008 R2 (SP1)	Update in order to support https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in
Windows 8/Windows Server 2012	Enabled
Windows 8.1/Windows Server 2012 R2	Enabled
Windows 10/Windows Server 2016	Enabled

.NET Framework

.NET Framework	TLS 1.1/1.2
.NET Framework 3.5 and earlier	Not supported
.NET Framework 3.5 (SP1)	Workaround https://support.microsoft.com/en-ca/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework
.NET Framework 4.0	Workaround https://blogs.perficient.com/microsoft/2016/04/tsl-1-2-and-net-support/
.NET Framework 4.5	Supported https://blogs.perficient.com/microsoft/2016/04/tsl-1-2-and-net-support/
.NET Framework 4.6 and above	Enabled
Windows 10/Windows Server 2016	Enabled

OpenSSL
TLS 1.1/1.2 supported from version 1.0.1

Java

JDK	TLS 1.1	TLS 1.2
JDK 6 (update 111 and above)	Supported https://www.java.com/en/configure_crypto.html	Not Supported
JDK 7	Supported https://www.java.com/en/configure_crypto.html	Supported https://www.java.com/en/configure_crypto.html
JDK8	Supported	Enabled by default

PHP

TLS 1.1/1.2 supported from version 5.6 with openssl (http://php.net/manual/en/migration56.openssl.php)

Where can I find more information?
More information can be found in the following official publications:
- Important update from the PCI Security Standards Council regarding the extension of the deadline - https://www.pcisecuritystandards.org/pdfs/Migrating_from_SSL_and_Early_TLS_-v12.pdf
- PCI DSS version 3.1 - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
- PCI DSS version 3.1 - Summary of Changes: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf
- PCI DSS version 3.1 - Information Supplement: https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information_Supplement_v1.pdf
- Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (National Institute of Standards and Technology) -http://www.nist.gov/manuscript-publication-search.cfm?pub_id=915295
What if the cardholder’s browser is still using TLS 1.0?

If the cardholder uses a deprecated browser, based on TLS 1.0, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser.
What if I have or can only use TLS 1.1?

TLS 1.1 will not be deprecated in the near future and can therefore be used. However, for security reasons, we do recommend to always use the latest version of the protocols, and therefore advise to upgrade to TLS 1.2.
Are there external resources available to assess my current implementation of TLS?

In order to test your implementation you are welcome to use external tools such as https://www.howsmyssl.com.
Am I impacted by this change?
If you are using HTTP post-sales you might be impacted. The following steps will help you identify if you are compatible with TLS 1.2 or not.

Step 1: Find your post-sale url.

For static URL
1. Go to your Ingenico ePayments back office
2. Click on “Configuration”
3. Click on “Technical Configuration”
4. Click on “Transaction Feedback”
5. In this view, you will find the static URLs that are used in your post-sale
For Dynamic URL
Ask your integrator/webmaster to give it to you or ask him to review this guide.
Step 2: Test your URL
1. Go to the sslLabs website https://www.ssllabs.com/ssltest/
2. Enter your post-sale URLs
3. Click on Submit (You should get a summary after a few seconds)
4. Scroll down to Configuration/Protocols and ensure you support TLS1.2
5. Ensure you also support other ciphers than TLS_RSA_WITH_3DES_EDE_CBC_SHA
Step 3: Results are bad. What should I do?
- If you got a result where you don't support TLS 1.2
- If the only cipher suite supported is TLS_RSA_WITH_3DES_EDE_CBC_SHA
You should contact your integrator/webmaster/infrastructure engineer explaining the situation. They should be able to help you getting up-to-date.
What are the consequences of not being up to date with security protocols?

The PCI council requires Payment Service Providers like Ingenico ePayments to depreciate older protocols that are no longer considered secure. This means that post-sale exchanges using TLS 1.0 will be considered as not secure by our payment engines and will fail.
Are my shoppers impacted by this change?
If the cardholder uses a deprecated browser or old device that does not support the TLS 1.1 or TLS 1.2, security protocol, the payment page will not be displayed. There will be no specific warning on the issue. The cardholder will have to upgrade to a newer web browser.
As a merchant, you could mitigate the risk of lost transactions by advising users to upgrade their browsers.
The Wikipedia page on TLS provides a complete and comprehensive overview of which browser versions and devices support which security protocols. https://en.wikipedia.org/wiki/Transport_Layer_Security