TLS FAQ

What is TLS?

Transport Layer Security (TLS) is an encryption protocol used to communicate between systems, which superseded the Secure Sockets Layer (SSL) protocol in 2000. TLS v1.0 has in turn been superseded by TLS v1.1 and TLS v1.2.

Per PCI DSS v3.1 and v3.2, SSL and early TLS (TLS v1.0) are no longer considered strong encryption protocols, due to vulnerabilities in these protocols to which there are no fixes. While TLS v1.1 and above are currently PCI compliant, the recommendation is to move to TLS v1.2 as soon as possible.

The PCI Security Standards Council has mandated that all instances of SSL and early TLS must be upgraded to a secure version of TLS by June 2018. ACI has established a timeline to be compliant by March 31, 2018. The background on this migration can be found on the PCI Security Standards Council web site.

How does it impact me?

Customers will be required to support TLS v1.2 for their connection to the PAY.ON Payments Gateway prior to March 31, 2018. After March 31, 2018, ACI will disable the TLS v1.0 and v1.1 protocols for the PAY.ON Payments Gateway. Customers who do not support TLS v1.2 will no longer be able to connect to the service. The list of cipher suites that will be supported after this date is given below. Customers will need to support one of the cipher suites on this list to continue connecting to the PAY.ON Payments Gateway.

TLS v1.0 and TLS v1.1 will also be disabled for all online business tools, and TLS v1.0 will be disabled for the eSupport portal. Users will be required to use a TLS v1.2 compatible browser (list here) to ensure they can continue to access ACI online tools. ACI will disable TLS v1.0 and v1.1 in the UAT environment in January 2018 to allow for customer testing.

If my organization’s connection does not support TLS v1.2, what do I need to do next?

If your connection to the PAY.ON Payments Gateway uses TLS v1.1 or earlier, you will need to update your own systems to ensure that you are connecting using TLS v1.2. Due to the vulnerabilities in older protocols, it is suggested that these changes be made as soon as possible. Below is a list of cipher suites that will be supported after March 31, 2018. Your organization will need to verify that your systems support one of the cipher suites on this list to continue connecting to the PAY.ON Payments Gateway.

The cipher suites supported for TLS v1.2 are:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

If your organization is not able to upgrade to TLS v1.2 prior to March 31, 2018, your service will no longer be able to connect to the PAY.ON Payments Gateway after this date. It is suggested that your organization test transactions in the UAT environment following the disabling of older protocols in January 2018. Testing will ensure that your connection will not be impacted by this change when it is made to the production environment.

As a separate deadline, while this will not impact your connection to the PAY.ON Payments Gateway, all PCI-certified entities are required to disable TLS v1.0 and all instances of SSL by June 30, 2018.

How will I know if I already support TLS v1.2?

In January 2018, ACI Worldwide will disable TLS v1.1 and all older protocols in the UAT environment. Once this change has been made, your organization will be able to validate that it supports TLS v1.2. If your organization can test successfully after the disabling of older protocols (and your organization's test environment uses the same protocols as your production environment), then you should not experience any issues when the change is made in production on March 31, 2018.
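The UAT test above tells you the result only after the January cutover. A client-side check you can run beforehand, as an added example that is not part of this FAQ or of ACI's software, is to build a TLS client context that is pinned to TLS v1.2 and restricted to exactly the cipher suites listed above, and then ask the local TLS library which of those suites it can actually offer. The example uses Python's standard ssl module; the IANA-to-OpenSSL name conversion is assumed from the usual naming convention for these RSA-authenticated AES suites, and the hostname in the commented-out probe is a placeholder, not a real gateway address.

```python
"""Check whether this machine's TLS client stack can meet the gateway's
TLS v1.2 requirement using only the cipher suites listed in the FAQ."""
import socket
import ssl

# The cipher suites quoted in the FAQ, in IANA notation.
FAQ_CIPHER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]


def iana_to_openssl(name):
    """Convert an IANA suite name (TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) to the
    OpenSSL name Python's ssl module expects (ECDHE-RSA-AES128-SHA).
    Assumption: only the RSA-authenticated AES suites from the FAQ are passed;
    this is not a general-purpose converter."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not an IANA TLS 1.2 suite name: %s" % name)
    kex, bulk = name[len("TLS_"):].split("_WITH_", 1)
    bulk = bulk.replace("AES_", "AES")                   # AES_128 -> AES128
    parts = [p for p in bulk.split("_") if p != "CBC"]   # OpenSSL omits "CBC"
    return "-".join(kex.split("_") + parts)


def build_client_context(allowed):
    """Client context pinned to TLS v1.2 and restricted to the allowed suites.
    Pinning the maximum to 1.2 as well models the FAQ's requirement exactly;
    a production client would normally leave TLS 1.3 enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(iana_to_openssl(s) for s in allowed))
    return ctx


def check_local_support(ctx, allowed):
    """Report which allowed suites the local OpenSSL build can actually offer.
    'ok' is False if none of the listed suites is available or if the context
    would offer a suite outside the list."""
    wanted = {iana_to_openssl(s) for s in allowed}
    # TLS 1.3 suites are listed by OpenSSL regardless of the version pin; skip them.
    offered = {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}
    return {
        "offered": offered,
        "missing": wanted - offered,
        "ok": bool(offered) and offered <= wanted,
    }


def probe_endpoint(host, port=443, timeout=10):
    """Handshake with a live endpoint using the pinned context and return the
    (protocol, cipher) pair negotiated; raises ssl.SSLError if the server
    shares no suite with the list."""
    ctx = build_client_context(FAQ_CIPHER_SUITES)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _proto, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    report = check_local_support(build_client_context(FAQ_CIPHER_SUITES), FAQ_CIPHER_SUITES)
    print("locally offered:", sorted(report["offered"]))
    print("unavailable here:", sorted(report["missing"]))
    print("ok:", report["ok"])
    # Live probe against your UAT endpoint; the hostname below is a placeholder.
    # print(probe_endpoint("uat-gateway.example.invalid"))
```

If "ok" is False, the local OpenSSL build (or a security policy such as a crypto-policy profile) is excluding every suite on the list and the client would fail the handshake after the cutover regardless of application settings. The probe function reports what a real handshake negotiates; run it against the UAT endpoint after January 2018 to confirm the negotiated version is TLSv1.2 and the suite is one from the list.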

If I am already using TLS v1.2, do I need to do anything?

If your organization is already connecting to the PAY.ON Payments Gateway using TLS v1.2, and already using a TLS v1.2 compatible browser, no action should be required in advance of the March 31, 2018 deadline.

However, while it will not impact your connection to the PAY.ON Payments Gateway, all PCI-certified entities are required to disable TLS v1.0 and all instances of SSL by June 30, 2018.

What online interfaces are impacted as part of this change?

Please see below for a list of online interfaces that will have early TLS protocols disabled on March 31, 2018.

  • BIP
  • Developer Portal, REST OPP
  • XML
  • WPF (Web Payment Form), PIPE, ASYNC POST Payment
  • eTerminal, VT (Virtual Terminal)
  • Paypipe XML
  • Scheduler
  • Batch Processing
  • mPOS - mobile POS
  • Payworks Mobile SDK
  • Backchannel

In addition, TLS v1.0 will be disabled for the eSupport portal.