TLS 1.2

What is TLS?

Transport Layer Security (TLS) is the cryptographic protocol that protects communication between systems. It superseded the Secure Sockets Layer (SSL) protocol, with TLS v1.0 published in 1999, and TLS v1.0 has in turn been superseded by TLS v1.1 and TLS v1.2.

Per PCI DSS v3.1 and v3.2, SSL and early TLS (TLS v1.0) are no longer considered strong cryptography, because they have known vulnerabilities that cannot be fixed without moving to a newer protocol version. While TLS v1.1 and above are currently PCI DSS compliant, the recommendation is to move to TLS v1.2 as soon as possible.

The PCI Security Standards Council has mandated that all instances of SSL and early TLS must be upgraded to a secure version of TLS by June 30, 2018. We have established a timeline to be compliant by May 14, 2018. The background on this migration can be found on the PCI Security Standards Council web site.

How does it impact me?

Customers will be required to support TLS v1.2 for their connection to the Open Payment Platform prior to May 14, 2018. After May 14, 2018, we will disable the TLS v1.0 and v1.1 protocols for the Open Payment Platform, and customers who do not support TLS v1.2 will no longer be able to connect to the service. The list of cipher suites that will be supported after this date is available below; customers will need to support at least one of them to continue connecting to the Open Payment Platform.

TLS v1.0 and TLS v1.1 will also be disabled for all online business tools, and TLS v1.0 will be disabled for the eSupport portal. Users will need a TLS v1.2 compatible browser to continue to access our online tools. We will disable TLS v1.0 and v1.1 in the UAT environment on January 10, 2018 to allow for customer testing.

If my organization’s connection does not support TLS v1.2, what do I need to do next?

If your connection to the Open Payment Platform uses TLS v1.1 or earlier, you will need to update your own systems so that you connect using TLS v1.2. Because of the vulnerabilities in the older protocols, it is suggested that these changes are made as soon as possible. Below is the list of cipher suites that will be supported after May 14, 2018. Your organization will need to verify that your systems support at least one of these suites to continue connecting to the Open Payment Platform.

The TLS 1.2 cipher suites that will be supported are listed below. All of them use ephemeral (EC)DHE key exchange with RSA authentication; the AES-GCM suites are preferred over the AES-CBC suites where your client can offer them.

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

If your organization is not able to upgrade to TLS v1.2 prior to May 14, 2018, your organization will no longer be able to connect to the Open Payment Platform after this date. It is suggested that your organization test transactions in the UAT environment after the older protocols are disabled there in January 2018. Testing will confirm that your connection will not be impacted when the same change is made to the production environment.

As a separate deadline, while this will not impact your connection to the Open Payment Platform, all PCI-certified entities are required to disable TLS v1.0 and all instances of SSL by June 30, 2018.

How will I know if I already support TLS v1.2?

In January 2018, we will disable TLS v1.1 and all older protocols in the UAT environment. Once this change has been made, your organization will be able to validate that it supports TLS v1.2. If your organization can test successfully after the older protocols are disabled (and your organization's test environment uses the same protocols and cipher suites as your production environment), then you should not experience any issues when the change is made in production on May 14, 2018.
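The check above, and the cipher suite list earlier on this page, can be exercised from the client side before the UAT cutover. The following is an added example written for this page, not code from the Open Payment Platform or its operator. It uses Python's standard ssl module (OpenSSL underneath), restricts the client to TLS 1.2 and to the twelve listed suites, reports which of those suites the local OpenSSL build can offer at all, and then performs one handshake against a host of your choosing and says whether what was negotiated would be accepted after May 14, 2018. The host name uat.example.com is a placeholder, not a real endpoint; the IANA-to-OpenSSL name translation is the editor's own helper and only covers the AES/RSA suites on this page.

```python
import socket
import ssl

# Cipher suites the page says will be accepted after May 14, 2018 (IANA names).
SUPPORTED_IANA = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]


def iana_to_openssl(name: str) -> str:
    """Translate an IANA suite name to the OpenSSL name used by the ssl module
    and by `openssl s_client -cipher`. Editor's helper: covers only the
    AES/RSA suites listed above, not the whole IANA registry."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {name}")
    kx, bulk = name[len("TLS_"):].split("_WITH_", 1)
    # OpenSSL writes AES_128 as AES128 and omits the explicit CBC marker.
    bulk = bulk.replace("AES_128_", "AES128-").replace("AES_256_", "AES256-")
    bulk = bulk.replace("CBC_", "")
    return f"{kx}-{bulk}".replace("_", "-")


SUPPORTED_OPENSSL = [iana_to_openssl(n) for n in SUPPORTED_IANA]


def restricted_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2 with one of the listed
    suites, i.e. exactly what the platform will accept after the cutover."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(SUPPORTED_OPENSSL))
    return ctx


def locally_available() -> set:
    """Suites from the list that this machine's OpenSSL build can offer.
    Anything missing here has to be fixed on the client before testing."""
    try:
        ctx = restricted_context()
    except ssl.SSLError:  # OpenSSL rejected every suite in the list
        return set()
    # get_ciphers() also lists TLS 1.3 suites on newer OpenSSL; ignore them.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def missing_locally() -> set:
    return set(SUPPORTED_OPENSSL) - locally_available()


def probe(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Open one TLS 1.2 connection to host:port and report what was negotiated.
    Raises ssl.SSLError if the handshake fails (server refuses TLS 1.2 or shares
    none of the suites), which is the failure a non-migrated client will see."""
    ctx = restricted_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


def is_acceptable(result: dict) -> bool:
    """True if a probe result meets the post-cutover requirements."""
    return (result.get("version") == "TLSv1.2"
            and result.get("cipher") in SUPPORTED_OPENSSL)


if __name__ == "__main__":
    import sys

    # Placeholder host; substitute the UAT endpoint you were given.
    host = sys.argv[1] if len(sys.argv) > 1 else "uat.example.com"
    gap = missing_locally()
    if gap:
        print("this client's OpenSSL cannot offer:", ", ".join(sorted(gap)))
    try:
        res = probe(host)
        print(res, "acceptable" if is_acceptable(res) else "NOT acceptable")
    except (ssl.SSLError, OSError) as exc:
        print(f"TLS 1.2 handshake with {host} failed: {exc}")
```

Run it against the UAT host once the older protocols have been disabled there; a clean handshake that is_acceptable reports as acceptable is the same evidence the UAT test transaction gives you, and a handshake failure points at the client-side TLS stack (or its cipher configuration) rather than at your application code. If missing_locally reports suites, the client's OpenSSL build or policy is the thing to fix first; as long as at least one of the GCM suites is present the connection can still succeed.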

If I am already using TLS v1.2, do I need to do anything?

If your organization is already connecting to the Open Payment Platform using TLS v1.2, and already using a TLS v1.2 compatible browser, no action should be required in advance of the May 14, 2018 deadline.

However, while it will not impact your connection to the Open Payment Platform, all PCI-certified entities are required to disable TLS v1.0 and all instances of SSL by June 30, 2018.
