CyberSource Security Updates - Possible Production Impact - TLS 1.2


Doc ID:    C1743
Version:    28.0
Status:    Published
Published date:    02/06/2018
Updated:    02/06/2018
 

Answer


In an effort to ensure that merchant-secure communications to the CyberSource platform remain as secure as possible (both browser-based as well as server-to-server communications), CyberSource will be eliminating support for certain older and less-secure forms of Transport Layer Security (TLS) communication in the coming months.

 

2017

June: CyberSource will start denying secure connections that attempt to utilize "Triple DES" security ciphers in their handshake attempts. Merchants will need to ensure that the servers and/or network appliances that are opening secure connections to CyberSource platforms use more modern and secure ciphers in those requests.

Mid-June: CyberSource will eliminate usage of RC4-based cipher suites in secure connection requests made explicitly to Batch Upload, Account Updater, or non-Akamai-enabled API endpoints. (CyberSource previously dropped support of these ciphers for other kinds of connections; this is a continuation of that effort.)
 

2018

Mid-February: CyberSource will begin mandating the use of TLS version 1.2 for all inbound connections to browser-based endpoints. This change is in line with the gathering momentum within the payments industry to eliminate usage of the older versions 1.0 and 1.1 of the TLS protocol.

Note:
TLS version 1.2 has been enabled in both CAS and Production environments since 2016.

In order to review current infrastructure and configurations, most merchants will want to work either with their internal Networking/IT teams or those of their hosting provider if servers or network hardware initiating client-side secure connections are housed at a hosting provider.  CyberSource can detail our planned changes, but cannot, by and large, walk merchants through their own environments to find and change these network settings, as that will vary per merchant and per environment.

 

Current Schedule

CAS (Test)

End of life (EOL) of DES-based Ciphers (Web and API endpoints)
Date: June 6, 2017
Endpoint URLs:
  - accountupdatertest.cybersource.com
  - api.accountupdatertest.cybersource.com
  - apitest.cybersource.com
  - authtest.ic3.com
  - batchtest.cybersource.com
  - businesscentertest.cybersource.com
  - downloadreportstest.cybersource.com
  - ebctest.cybersource.com
  - ics2wstest.ic3.com
  - ics2wstesta.ic3.com
  - mobiletest.ic3.com
  - testsecureacceptance.cybersource.com
  - ubctest.cybersource.com
  - umptest.cybersource.com
  - umptest.visa.com

EOL of RC4-based Ciphers (API, Batch Upload, Account Updater endpoints)
Date: 2016

EOL of TLS 1.0/1.1 for Web Portal Connections
Date: June 13, 2017
Endpoint URLs:
  - businesscentertest.cybersource.com
  - ebctest.cybersource.com
  - umptest.cybersource.com
  - ubctest.cybersource.com
  - umptest.visa.com

EOL of TLS 1.0/1.1 for Secure Acceptance
Date: June 27, 2017
Endpoint URLs:
  - testsecureacceptance.cybersource.com

EOL of TLS 1.0/1.1 for Server/API Connections
Date: June 27, 2017
Endpoint URLs:
  - api.accountupdatertest.cybersource.com
  - authtest.ic3.com
  - mobiletest.ic3.com
  - paypaltest.ic3.com
  - ebc2test.cybersource.com
  - gdftest.cybersource.com
  - pnrtest.ic3.com
  - batchtest.cybersource.com

EOL of TLS 1.0/1.1 for API Connections
Date: January 16, 2018
Endpoint URLs:
  - apitest.cybersource.com
  - ics2wstesta.ic3.com
  - downloadreportstest.cybersource.com

EOL of TLS 1.0/1.1 for API Connections
Date: January 22, 2018
Endpoint URLs:
  - ics2wstest.ic3.com

EOL of HTTP (non-secure) URL and TLS 1.0/1.1 for Secure Acceptance
Date: January 23, 2018
Affected URLs:
  - Merchant Back Office POST URL
  - Customer Response Page URL


Production

EOL of DES-based Ciphers (Web and API endpoints)
Date: January 9, 2018
Endpoint URLs:
  - accountupdater.cybersource.com
  - api.cybersource.com
  - apply.cybersource.com
  - auth.ic3.com
  - batch.cybersource.com
  - businesscenter.cybersource.com
  - downloadreports.cybersource.com
  - ebc.cybersource.com
  - ics2ws.ic3.com
  - ics2wsa.ic3.com
  - mobile.ic3.com
  - paypal.ic3.com
  - secureacceptance.cybersource.com
  - ubc.cybersource.com
  - ump.cybersource.com
  - wfgateway.cybersource.com

EOL of RC4-based Ciphers (API, Batch Upload, Account Updater endpoints)
Date: June 13, 2017
Endpoint URLs:
  - accountupdater.cybersource.com
  - batch.cybersource.com
  - ics2ws.ic3.com

EOL of TLS 1.0/1.1 for Web Portal Connections
Date: March 1, 2018
Endpoint URLs:
  - accountupdater.cybersource.com
  - batch.cybersource.com
  - businesscenter.cybersource.com
  - ebc.cybersource.com
  - ubc.cybersource.com
  - ump.cybersource.com
  - wfgateway.cybersource.com

EOL of TLS 1.0/1.1 for Secure Acceptance
Date: March 1, 2018
Endpoint URLs:
  - secureacceptance.cybersource.com

EOL of TLS 1.0/1.1 for Server/API Connections
Date: March 1, 2018
Endpoint URLs:
  - apply.cybersource.com
  - auth.ic3.com
  - mobile.ic3.com
  - paypal.ic3.com
  - processorcallback.ic3.com
  - ebc2.cybersource.com
  - gdf.cybersource.com
  - pnr.ic3.com
  - api.accountupdater.cybersource.com
  - downloadreports.cybersource.com

EOL of TLS 1.0/1.1 for API Connections
Date: February 28, 2018
Endpoint URLs:
  - api.cybersource.com
  - ics2ws.ic3.com

EOL of HTTP (non-secure) URL and TLS 1.0/1.1 for Secure Acceptance
Date: March 25, 2018
Affected URLs:
  - Merchant Back Office POST URL
  - Customer Response Page URL

EOL of TLS 1.0/1.1 for API Connections
Date: May 1, 2018
Endpoint URLs:
  - ics2wsa.ic3.com


FAQ

The following FAQ is intended to answer some basic questions about these upcoming changes, the reasoning behind them, and the actions required of merchants who need to make changes.
 

When are these various changes targeted to be rolled out to the Production CyberSource environment?

Please see the dates above for each change.
 

As a merchant, how can I ensure that my systems are using the appropriate protocol versions and cipher types to ensure uninterrupted communications with CyberSource?

There are two pieces to this answer: how to 'monitor' your current connections to see what is happening, and how to 'set' the connection characteristics that your client-side server or application requests when contacting CyberSource.

To monitor connections and/or transaction request activity when connecting to CyberSource, you would need to set up a network monitor that tracks the outbound connections from your server and/or network device and shows which protocols and/or ciphers are being used to secure each connection.  Real-time logging of this network-level traffic, using Wireshark or a similar network monitoring tool, should show which protocols and ciphers are in use for a given connection.  You will want to ensure that TLS 1.2 is the protocol, and that no "DES" or "RC4" ciphers are in use.

Should you find that a lesser version of TLS (v1.0 or 1.1) is in use, or that your systems are opening connections with either a "DES" or "RC4" cipher suite in use, you will want to look at the server and/or network appliance that is creating the connection request, and attempt to update its configuration to use more modern settings.  TLS v1.2 should be the protocol, and any number of more modern and secure ciphers will be acceptable.  Please see the item below on Best Practices for specifics on this topic.

The exact location of where you need to set these configurations will vary, depending on your particular infrastructure and/or hosted environment.  The server and/or network device initiating the outbound call to CyberSource endpoints is the one that will normally control the characteristics of that TLS ‘handshake’, and is where those configurations should normally be addressed.
 

What are the current Best Practices that should be noted when using a modern browser and/or setting up a new server-to-server connection to CyberSource that relies on TLS to secure the connection?

Only TLS version 1.2 should be used.  Earlier versions are about to reach end of life.  Within the TLS 1.2 protocol, any of many modern cipher suites may be used to initiate the secure handshake, but here are some preferred characteristics:

  • ECDHE and AESGCM ciphers are preferred.
  • Perfect Forward Secrecy (PFS) cipher suites are preferred but not required.
  • Keyed hash functions must be used with either SHA-2 or SHA-3. SHA-1-based functions are not allowed.
  • Authenticated encryption modes (e.g. AES-GCM, ChaCha20-Poly1305) must be preferred over other AES modes (e.g. AES-CBC).
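
The following Python sketch is an added example, not CyberSource code. It applies the monitoring and configuration advice in the two answers above: it builds a client context pinned to TLS 1.2 with ECDHE and AEAD suites, and audits a negotiated protocol and cipher against the rules listed. The function names and sample sessions are constructed for illustration, and cipher names are assumed to follow OpenSSL naming.

```python
import re
import socket
import ssl

AEAD = {"GCM", "CHACHA20", "CCM", "CCM8"}
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Constructed (version, cipher) pairs, as SSLSocket.version()/cipher()[0] report them.
SAMPLE_SESSIONS = [("TLSv1", "DES-CBC3-SHA"), ("TLSv1.1", "RC4-SHA"),
                   ("TLSv1.2", "AES256-SHA256"),
                   ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256")]

def build_context():
    """Client context pinned to TLS 1.2, offering only ECDHE + AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # certificate + hostname checks on
    ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit_cipher(name):
    """Return (violations, warnings) for an OpenSSL-style cipher suite name."""
    parts = re.split(r"[-_]", name.upper())
    tls13 = parts[0] == "TLS" and "WITH" not in parts  # TLS 1.3 names: always ephemeral
    violations, warnings = [], []
    if {"DES", "3DES", "CBC3"} & set(parts):
        violations.append("DES/Triple DES cipher")
    if "RC4" in parts:
        violations.append("RC4 cipher")
    if parts[-1] in ("SHA", "MD5"):
        violations.append("MAC is not SHA-2/SHA-3")
    if not AEAD & set(parts):
        warnings.append("not an authenticated encryption mode")
    if "ECDHE" not in parts and not tls13:
        warnings.append("key exchange is not ECDHE")
    return violations, warnings

def audit_connection(version, cipher_name):
    """Violations for one negotiated session: protocol first, then cipher."""
    violations, _ = audit_cipher(cipher_name)
    if version in OLD_PROTOCOLS:
        violations.insert(0, f"protocol {version} is below TLS 1.2")
    return violations

def probe(host, port=443, ctx=None, timeout=10):
    """Handshake with `host` and return the negotiated (version, cipher name)."""
    ctx = ctx or build_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    for version, cipher in SAMPLE_SESSIONS:
        print(version, cipher, audit_connection(version, cipher) or "OK")
```

Passing the application's existing context to `probe` and feeding the result to `audit_connection` shows what that client actually negotiates; a handshake failure with the default hardened context means the peer accepts none of the preferred suites.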

What is Transport Layer Security (TLS)?

Transport Layer Security (also known as TLS) is a cryptographic protocol used to secure the communication of data across a network. Within the overall protocol, specific cipher sets may be used to do the actual encryption.  More information can be found here:  https://en.wikipedia.org/wiki/Transport_Layer_Security
 

What are Data Encryption Standard (DES) ciphers?

DES ciphers are instances of a block cipher used as part of an encryption protocol for the securing of data passed across networks. More information can be found here:  https://en.wikipedia.org/wiki/Data_Encryption_Standard
 

What are RC4 ciphers?

RC4 ciphers are instances of a stream cipher used as part of an encryption protocol for the securing of data passed across networks. More information can be found here:  https://en.wikipedia.org/wiki/RC4


Do I need to upgrade my Windows operating system to comply with TLS 1.2 communications for Simple Order API with ASP clients?

Merchants using the Simple Order API for ASP client on Windows may need to upgrade their operating system (OS) or apply a patch. Please review the versions below and apply all necessary changes to be compatible with TLS 1.2 secure connections:

  •  If your system is using OS version NT 6.2 (Windows 8) or later – no action required
  •  If your system is using OS version NT 6.1 (Windows 7) – take the following steps:
    1. Review and follow the instructions listed in Knowledge Base Article C1766

    2. Restart IIS
  • If your system is using an OS version older than NT 6.1 (Windows 7) – Update to a newer version of Windows.

What TLS Cipher Suites are supported for CyberSource API endpoints with TLSv1.2?

A full list of TLSv1.2 supported cipher suites for CyberSource API endpoints can be found in the article "What TLS Cipher Suites are supported for CyberSource API endpoints with TLSv1.2?"

