Thursday, December 7, 2017

June 30, 2017 Update to Poodle Remediation Plan 2017 and 2018

Dear Subscriber,

We are changing the dates when protocols will be turned off on our test/certification systems.  Please see the edits to those dates below.

During the week of October 13, 2014, researchers from Google discovered a vulnerability in Secure Sockets Layer version 3.0 (SSL 3.0) (CVE-2014-3566) called POODLE (Padding Oracle On Downgraded Legacy Encryption). The SSL 3.0 vulnerability could allow an attacker to extract data from secure connections.

What TSYS Business Solutions products are affected?
This communication is specific to Transaction Express, Transaction Central Classic and Transaction Central ePay Gateways.

What will TSYS Business Solutions be doing?
On the following dates, TSYS Business Solutions will disable support for SSLv3 and TLS 1.0 on the test / certification environments for Transaction Express, Transaction Central Classic and Transaction Central ePay.  This means that if a website, shopping cart or integrated software solution uses SSLv3 or TLS 1.0 to send transactions to a TSYS Business Solutions gateway, it will no longer be able to process transactions after these changes are implemented.  This is being done in preparation for rolling these changes out to the TSYS Business Solutions production environments.  See the production rollout dates below.

Dates when SSLv3 and TLS 1.0 will be turned off in the test/certification environments:
June 6 – June 20, 2017
July 5 – July 19, 2017 (these dates have been cancelled)
August 1 – August 15, 2017
September 6th – permanently disabled

Turning off support for SSLv3 and TLS 1.0 during these dates will give our integrated merchants and partners at least 2 weeks during each timeslot to test their payment applications to make sure they can connect and process transactions.  It is in the best interest of all integrated merchants and partners to test their systems so they know if there are issues they must address.  If merchants or partners do not test during one of these timeslots, it is possible that, when these security protocols are deprecated from the production gateways, their applications will no longer be able to process payments.

What has been done for the POODLE remediation process?
TSYS Business Solutions has added support for TLS 1.1 and TLS 1.2 with Perfect Forward Secrecy (PFS) to the Transaction Express, Transaction Central Classic and Transaction Central ePay test / certification platforms.  NOTE: We did NOT remove SSLv3 or TLS 1.0 support from the platforms.

When will the TSYS Business Solutions test/certification Gateway platforms deprecate support for SSLv3 and TLS 1.0?
On August 1, 2017 SSLv3 and TLS 1.0 will be permanently deprecated on the TSYS Business Solutions certification environments.

When will the TransFirst Production Gateways deprecate support for SSLv3 and TLS 1.0?
Dates when SSLv3 and TLS 1.0 will be turned off in the Production environments:
· February 5, 2018 – Transaction Central ePay (ePay)
· March 5, 2018 – Transaction Express (TXP)
· May 7, 2018 – Transaction Central Classic (TC)

What should I do to make sure my transaction processing is not affected?
We encourage all sales partners and merchants to attempt to connect and process transactions on our test / certification environments using TLS 1.2 as the chosen cryptographic protocol.  We encourage our sales partners and merchants to move to TLS 1.2 with Perfect Forward Secrecy (PFS) because there are known security vulnerabilities with TLS 1.1 and we know that at some point in the future the PCI council will force the deprecation of TLS 1.1.

Starting to test now will help you determine whether an upgrade to your solution is required. If you are able to connect to our test/certification environment during the timeslots listed above, your software is not at risk of SSLv3 or TLS 1.0 vulnerabilities. If you do experience issues connecting to our test environment, you should contact your web developer, solution developer or internal development group to determine if you are using SSLv3 or TLS 1.0 to submit transactions.  We strongly encourage you to migrate to TLS 1.2 with Perfect Forward Secrecy (PFS) as part of your testing effort. It is not required and TLS 1.1 will work but, as mentioned above, there are known security vulnerabilities with TLS 1.1.

TSYS Business Solutions does not control how a particular site or solution sends transactions to us and cannot determine if you are using SSLv3 or TLS 1.0.
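
One way to check a client stack against the guidance above, as an added example that is not TSYS code: the Python context below refuses anything older than TLS 1.2 and any cipher suite without an ephemeral key exchange, so a successful handshake shows the client can do TLS 1.2 with PFS. The host name is a placeholder for your test/certification endpoint, and treating TLS 1.3 as acceptable is an assumption that goes beyond this notice.

```python
import socket
import ssl

PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"  # ephemeral key exchange only


def build_context():
    """Client context that refuses SSLv3, TLS 1.0, TLS 1.1 and non-PFS suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(PFS_CIPHERS)
    return ctx


def has_forward_secrecy(cipher, protocol):
    """True if the suite uses an ephemeral (EC)DHE key exchange."""
    if protocol == "TLSv1.3" or cipher.startswith("TLS_"):
        return True  # assumption: TLS 1.3 suites are always ephemeral
    return cipher.startswith(("ECDHE-", "DHE-"))


def assess(protocol, cipher):
    """Map a negotiated protocol and cipher onto the notice's guidance."""
    if protocol in ("SSLv3", "TLSv1"):
        return "fail: rejected once SSLv3/TLS 1.0 are disabled"
    if protocol == "TLSv1.1":
        return "warn: connects, but move to TLS 1.2 with PFS"
    if not has_forward_secrecy(cipher, protocol):
        return "warn: TLS 1.2 without PFS"
    return "ok: TLS 1.2 or later with PFS"


def probe(host, port=443, timeout=10):
    """Handshake with the strict context; returns (protocol, cipher) or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with build_context().wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLError:
        return None  # no TLS 1.2 + PFS overlap, or certificate check failed


if __name__ == "__main__":
    HOST = "gateway-test.example.invalid"  # placeholder, not a real TSYS host
    try:
        result = probe(HOST)
    except OSError as exc:
        raise SystemExit(f"network error: {exc}")
    print(assess(*result) if result else "fail: could not negotiate TLS 1.2 with PFS")
```

assess() can also be fed the protocol and cipher names your payment application logs for its own connections, which covers clients that do not use Python.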

If a merchant or sales partner does not have a test account, please send an email to integrationsupport@transfirst.com requesting that a test account be created.  A merchant or sales partner can also validate test credentials by emailing integrationsupport@transfirst.com should they have questions about their test account information.

What if I use the Virtual Terminal from one of the Platforms?
Browser Note for Virtual Terminal access: Modern browsers are not at risk. If a merchant or partner is using a version of Internet Explorer older than 7.0, they should visit Microsoft’s website to update their browser.  Users of current versions of Firefox, Chrome and Safari should not be affected by the change.
Software and API Note: Older solutions that use older code or software frameworks that do not support TLS 1.1 or that have disabled TLS, forcing a downgrade to SSLv3, will be affected after these changes are implemented.

Please contact integrationsupport@transfirst.com with questions.
