TLS FAQ
What is TLS?
Transport Layer Security (TLS) is an encryption protocol used for communication between systems; it superseded the Secure Sockets Layer (SSL) protocol in 2000. TLS v1.0 has in turn been superseded by TLS v1.1, TLS v1.2 and TLS v1.3.
Per PCI DSS v3.1 and v3.2, SSL and early TLS (TLS v1.0 or TLS v1.1) are no longer considered strong encryption protocols, because of vulnerabilities in these protocols for which there are no fixes. TLS v1.2 and TLS v1.3 are currently PCI compliant.
How does it impact me?
Customers are required to support at least TLS v1.2 for their connection to the Open Payment Platform. TLS v1.0 and v1.1 have been disabled since 2018. Customers who do not support at least TLS v1.2 will no longer be able to connect to the service. The list of supported ciphers is available below. Customers need to support one of the ciphers from this list to continue connecting to the Open Payment Platform.
TLS v1.0 and TLS v1.1 are disabled for all online business tools and for the eSupport portal. Customers are required to use a TLS v1.2 or TLS v1.3 compatible browser to ensure they can continue to access our online tools. TLS v1.3 is recommended, as tests have shown that its handshake can be up to 15% faster.
If my organization’s connection does not support TLS v1.2, what do I need to do next?
If your connection to the Open Payment Platform uses TLS v1.1 or earlier, you will need to update your own systems to ensure that you are connecting using TLS v1.2 or TLS v1.3. Due to the vulnerabilities in older protocols, it is suggested that these changes are made as soon as possible. Below is a list of ciphers that are supported. Your organization will need to verify that your systems support one of the available ciphers from this list to continue connecting to the Open Payment Platform.
TLS v1.3 (suites in server-preferred order)
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
TLS v1.2 (suites in server-preferred order)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
If your organization is not able to upgrade to TLS v1.2 or TLS v1.3, the service will no longer be able to connect to the Open Payment Platform. It is suggested that your organization test transactions in the UAT environment. Testing will confirm whether or not your connection succeeds.
If I am already using TLS v1.2 or TLS v1.3, do I need to do anything?
If you are using TLS v1.2 for communication, verify that your cipher suite is on the supported list above. If your organization is already connecting to the Open Payment Platform using TLS v1.3, and is already using a TLS v1.3 compatible browser, no action should be required.
Compatibilities
Every application implements ciphers and TLS versions differently.
Server-to-server connections (merchant configuration) that are not supported:
- Java 6u45 and anything before
- Java 7u25
- OpenSSL 0.9.8y
Recommended action: test from your test system (the call needs to come from the library/software you use on your system to connect to the Open Payment Platform).
If you do not have a test system, integrate a test call from your Production system to https://eu-test.westpay.io/ (the Open Payment Platform UAT environment) and check that it succeeds.
Once you can connect successfully, the next step is to update the Production system's domain to https://eu-prod.westpay.io/
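The following script is an added example, not code from the Open Payment Platform, that carries out the test call described above and checks the result against the cipher suite list earlier on this page. It builds a client context that refuses anything below TLS v1.2 and only offers the listed TLS v1.2 suites, then reports whether the negotiated version and suite are on the supported list. Only the host names are taken from this page; the function names, the mapping from OpenSSL cipher names to the IANA names used in the list, and the default port are assumptions of this example.

```python
"""Added example (not the platform's own code): probe a TLS endpoint and check
that the negotiated protocol version and cipher suite are on the supported list
published on this page. Host names come from the page; everything else here is
an assumption of this example."""
import socket
import ssl
import sys

# Suites the page lists as supported. Keys are the names Python's ssl module
# reports (OpenSSL names; TLS 1.3 suites are reported under their IANA names),
# values are the IANA names used in the list on this page.
SUPPORTED_SUITES = {
    # TLS v1.3
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    # TLS v1.2
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# Protocol versions the page says are accepted (as reported by SSLSocket.version()).
SUPPORTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

# UAT endpoint named on the page; the production host is also listed there.
DEFAULT_HOST = "eu-test.westpay.io"


def build_client_context() -> ssl.SSLContext:
    """Client context that mirrors the page's requirements: TLS 1.2 minimum,
    server certificate and hostname verified, only the listed TLS 1.2 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below only; the three TLS 1.3 suites on
    # the page are OpenSSL's defaults and are negotiated independently.
    ctx.set_ciphers(
        "ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-CHACHA20-POLY1305"
    )
    return ctx


def evaluate(version: str, openssl_cipher: str):
    """Classify a negotiated (version, cipher) pair against the page's list.
    Returns (ok, reason)."""
    if version not in SUPPORTED_VERSIONS:
        return False, f"{version} is disabled; TLS v1.2 or TLS v1.3 is required"
    iana_name = SUPPORTED_SUITES.get(openssl_cipher)
    if iana_name is None:
        return False, f"cipher {openssl_cipher} is not on the supported list"
    return True, f"{version} with {iana_name}"


def probe(host: str, port: int = 443, timeout: float = 10.0):
    """Open a TLS connection with the hardened context and return the
    negotiated (version, openssl_cipher_name). Raises ssl.SSLError if the
    server cannot agree on a supported version or suite."""
    ctx = build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Usage: python tls_check.py [host]   (defaults to the UAT host from the page)
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    try:
        negotiated_version, negotiated_cipher = probe(target)
    except ssl.SSLError as exc:
        print(f"{target}: handshake failed ({exc}); client library may lack TLS 1.2+ or the listed suites")
        sys.exit(1)
    ok, reason = evaluate(negotiated_version, negotiated_cipher)
    print(f"{target}: {'OK' if ok else 'NOT SUPPORTED'}: {reason}")
    sys.exit(0 if ok else 1)
```

Run it from the machine and Python build that your integration actually uses, since the point of the test is to exercise that library's TLS support rather than a developer workstation. A handshake failure or a NOT SUPPORTED verdict means the client side needs upgrading before the TLS v1.0/v1.1 cut-off affects production traffic.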
Browser configurations (shopper) that are not supported:
- IE 11 / Win Phone 8.1 R
- Safari 6 / iOS 6.0.1
- Safari 7 / iOS 7.1
- Safari 7 / OS X 10.9
- Safari 8 / iOS 8.4
- Safari 8 / OS X 10.10
- Android 2.3.7
- Android 4.0.4
- Android 4.1.1
- Android 4.2.2
- Android 4.3
- Baidu Jan 2015
- IE 6 / XP
- IE 7 / Vista
- IE 8 / XP
- IE 8-10 / Win 7
- IE 10 / Win Phone 8.0
- Safari 5.1.9 / OS X 10.6.8
- Safari 6.0.4 / OS X 10.8.4